diff mbox series

[v2,2/3] integrity: Enforce digitalSignature usage in the ima and evm keyrings

Message ID 20230522230944.180389-3-eric.snowberg@oracle.com (mailing list archive)
State Not Applicable
Delegated to: Herbert Xu
Headers show
Series Add digitalSignature enforcement keyring restrictions | expand

Commit Message

Eric Snowberg May 22, 2023, 11:09 p.m. UTC
After being vouched for by a system keyring, only allow keys into the .ima
and .evm keyrings that have the digitalSignature usage field set.

Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/digsig.c    | 4 ++--
 security/integrity/evm/Kconfig | 3 ++-
 security/integrity/ima/Kconfig | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

Comments

Mimi Zohar May 23, 2023, 10:01 p.m. UTC | #1
On Mon, 2023-05-22 at 19:09 -0400, Eric Snowberg wrote:
> After being vouched for by a system keyring, only allow keys into the .ima
> and .evm keyrings that have the digitalSignature usage field set.
> 
> Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> Acked-by: Mimi Zohar <zohar@linux.ibm.com>

Jarrko, similarly please update the above tag to Acked-and-test-by.
Jarkko Sakkinen May 24, 2023, 1:22 a.m. UTC | #2
On Wed May 24, 2023 at 1:01 AM EEST, Mimi Zohar wrote:
> On Mon, 2023-05-22 at 19:09 -0400, Eric Snowberg wrote:
> > After being vouched for by a system keyring, only allow keys into the .ima
> > and .evm keyrings that have the digitalSignature usage field set.
> > 
> > Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
> > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> > Acked-by: Mimi Zohar <zohar@linux.ibm.com>
>
> Jarrko, similarly please update the above tag to Acked-and-test-by.

OK, cool, I'll pick this series, thanks.

BR, Jarkko
Jarkko Sakkinen May 24, 2023, 1:27 a.m. UTC | #3
On Wed May 24, 2023 at 4:22 AM EEST, Jarkko Sakkinen wrote:
> On Wed May 24, 2023 at 1:01 AM EEST, Mimi Zohar wrote:
> > On Mon, 2023-05-22 at 19:09 -0400, Eric Snowberg wrote:
> > > After being vouched for by a system keyring, only allow keys into the .ima
> > > and .evm keyrings that have the digitalSignature usage field set.
> > > 
> > > Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
> > > Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> > > Acked-by: Mimi Zohar <zohar@linux.ibm.com>
> >
> > Jarrko, similarly please update the above tag to Acked-and-test-by.
>
> OK, cool, I'll pick this series, thanks.

Please check https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

BR, Jarkko
diff mbox series

Patch

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f31ffe23c48..d0704b1597d4 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,9 +34,9 @@  static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
 };
 
 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
+#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary
 #else
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
+#define restrict_link_to_ima restrict_link_by_digsig_builtin
 #endif
 
 static struct key *integrity_keyring_from_id(const unsigned int id)
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index a6e19d23e700..fba9ee359bc9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -64,7 +64,8 @@  config EVM_LOAD_X509
 
 	   This option enables X509 certificate loading from the kernel
 	   onto the '.evm' trusted keyring.  A public key can be used to
-	   verify EVM integrity starting from the 'init' process.
+	   verify EVM integrity starting from the 'init' process. The
+	   key must have digitalSignature usage set.
 
 config EVM_X509_PATH
 	string "EVM X509 certificate path"
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 60a511c6b583..684425936c53 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -270,7 +270,8 @@  config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 	help
 	  Keys may be added to the IMA or IMA blacklist keyrings, if the
 	  key is validly signed by a CA cert in the system built-in or
-	  secondary trusted keyrings.
+	  secondary trusted keyrings. The key must also have the
+	  digitalSignature usage set.
 
 	  Intermediate keys between those the kernel has compiled in and the
 	  IMA keys to be added may be added to the system secondary keyring,