Message ID | 20211124044124.998170-12-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Enroll kernel keys thru MOK | expand |
On Tuesday, 2021-11-23 at 23:41:18 -05, Eric Snowberg wrote: > Introduce a new link restriction that includes the trusted builtin, > secondary and machine keys. The restriction is based on the key to be > added being vouched for by a key in any of these three keyrings. > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> > --- > v3: Initial version > v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING > v5: Rename to machine keyring > v6: Change subject name (suggested by Mimi) > Rename restrict_link_by_builtin_secondary_and_ca_trusted > to restrict_link_by_builtin_secondary_and_machine (suggested by > Mimi) > v7: Unmodified from v6 > v8: Add missing parameter definitions (suggested by Mimi) > --- > certs/system_keyring.c | 27 +++++++++++++++++++++++++++ > include/keys/system_keyring.h | 6 ++++++ > 2 files changed, 33 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index bc7e44fc82c2..8a2fd1dc15db 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -99,6 +99,33 @@ void __init set_machine_trusted_keys(struct key *keyring) > { > machine_trusted_keys = keyring; > } > + > +/** > + * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition. > + * @dest_keyring: Keyring being linked to. > + * @type: The type of key being added. > + * @payload: The payload of the new key. > + * @restrict_key: A ring of keys that can be used to vouch for the new cert. > + * > + * Restrict the addition of keys into a keyring based on the key-to-be-added > + * being vouched for by a key in either the built-in, the secondary, or > + * the machine keyrings. > + */ > +int restrict_link_by_builtin_secondary_and_machine( > + struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *restrict_key) > +{ > + if (machine_trusted_keys && type == &key_type_keyring && > + dest_keyring == secondary_trusted_keys && > + payload == &machine_trusted_keys->payload) > + /* Allow the machine keyring to be added to the secondary */ > + return 0; > + > + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, > + payload, restrict_key); > +} > #endif > > /* > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > index 98c9b10cdc17..2419a735420f 100644 > --- a/include/keys/system_keyring.h > +++ b/include/keys/system_keyring.h > @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( > #endif > > #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING > +extern int restrict_link_by_builtin_secondary_and_machine( > + struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *restrict_key); > extern void __init set_machine_trusted_keys(struct key *keyring); > #else > +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted > static inline void __init set_machine_trusted_keys(struct key *keyring) > { > } > -- > 2.18.4
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index bc7e44fc82c2..8a2fd1dc15db 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -99,6 +99,33 @@ void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; } + +/** + * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in, the secondary, or + * the machine keyrings. + */ +int restrict_link_by_builtin_secondary_and_machine( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + if (machine_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &machine_trusted_keys->payload) + /* Allow the machine keyring to be added to the secondary */ + return 0; + + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, + payload, restrict_key); +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 98c9b10cdc17..2419a735420f 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +extern int restrict_link_by_builtin_secondary_and_machine( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern void __init set_machine_trusted_keys(struct key *keyring); #else +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted static inline void __init set_machine_trusted_keys(struct key *keyring) { }
Introduce a new link restriction that includes the trusted builtin, secondary and machine keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v3: Initial version v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING v5: Rename to machine keyring v6: Change subject name (suggested by Mimi) Rename restrict_link_by_builtin_secondary_and_ca_trusted to restrict_link_by_builtin_secondary_and_machine (suggested by Mimi) v7: Unmodified from v6 v8: Add missing parameter definitions (suggested by Mimi) --- certs/system_keyring.c | 27 +++++++++++++++++++++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 33 insertions(+)