Message ID | 20230302164652.83571-6-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | Add CA enforcement keyring restrictions | expand |
On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > Add a new link restriction. Restrict the addition of keys in a keyring > based on the key to be added being a CA. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > include/crypto/public_key.h | 15 ++++++++++++ > 2 files changed, 53 insertions(+) > > diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > index 6b1ac5f5896a..48457c6f33f9 100644 > --- a/crypto/asymmetric_keys/restrict.c > +++ b/crypto/asymmetric_keys/restrict.c > @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > return ret; > } > > +/** > + * restrict_link_by_ca - Restrict additions to a ring of CA keys > + * @dest_keyring: Keyring being linked to. > + * @type: The type of key being added. > + * @payload: The payload of the new key. > + * @trust_keyring: Unused. > + * > + * Check if the new certificate is a CA. If it is a CA, then mark the new > + * certificate as being ok to link. > + * > + * Returns 0 if the new certificate was accepted, -ENOKEY if the > + * certificate is not a CA. -ENOPKG if the signature uses unsupported > + * crypto, or some other error if there is a matching certificate but > + * the signature check cannot be performed. > + */ > +int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring) > +{ > + const struct public_key *pkey; > + > + if (type != &key_type_asymmetric) > + return -EOPNOTSUPP; > + > + pkey = payload->data[asym_crypto]; > + if (!pkey) > + return -ENOPKG; > + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > + return -ENOKEY; > + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > + return -ENOKEY; > + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > + return -ENOKEY; nit: would be more readable, if conditions were separated by empty lines. > + > + return 0; > +} > + > static bool match_either_id(const struct asymmetric_key_id **pair, > const struct asymmetric_key_id *single) > { > diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h > index 03c3fb990d59..653992a6e941 100644 > --- a/include/crypto/public_key.h > +++ b/include/crypto/public_key.h > @@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, > const union key_payload *payload, > struct key *trusted); > > +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) > +extern int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring); > +#else > +static inline int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring) > +{ > + return 0; > +} > +#endif > + > extern int query_asymmetric_key(const struct kernel_pkey_params *, > struct kernel_pkey_query *); > > -- > 2.27.0 > BR, Jarkko
> On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: >> Add a new link restriction. Restrict the addition of keys in a keyring >> based on the key to be added being a CA. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >> --- >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ >> include/crypto/public_key.h | 15 ++++++++++++ >> 2 files changed, 53 insertions(+) >> >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c >> index 6b1ac5f5896a..48457c6f33f9 100644 >> --- a/crypto/asymmetric_keys/restrict.c >> +++ b/crypto/asymmetric_keys/restrict.c >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, >> return ret; >> } >> >> +/** >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys >> + * @dest_keyring: Keyring being linked to. >> + * @type: The type of key being added. >> + * @payload: The payload of the new key. >> + * @trust_keyring: Unused. >> + * >> + * Check if the new certificate is a CA. If it is a CA, then mark the new >> + * certificate as being ok to link. >> + * >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported >> + * crypto, or some other error if there is a matching certificate but >> + * the signature check cannot be performed. >> + */ >> +int restrict_link_by_ca(struct key *dest_keyring, >> + const struct key_type *type, >> + const union key_payload *payload, >> + struct key *trust_keyring) >> +{ >> + const struct public_key *pkey; >> + >> + if (type != &key_type_asymmetric) >> + return -EOPNOTSUPP; >> + >> + pkey = payload->data[asym_crypto]; >> + if (!pkey) >> + return -ENOPKG; >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) >> + return -ENOKEY; >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) >> + return -ENOKEY; >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) >> + return -ENOKEY; > > nit: would be more readable, if conditions were separated by > empty lines. Ok, I will make this change in the next round. Thanks.
On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > >> Add a new link restriction. Restrict the addition of keys in a keyring > >> based on the key to be added being a CA. > >> > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > >> --- > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > >> include/crypto/public_key.h | 15 ++++++++++++ > >> 2 files changed, 53 insertions(+) > >> > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > >> index 6b1ac5f5896a..48457c6f33f9 100644 > >> --- a/crypto/asymmetric_keys/restrict.c > >> +++ b/crypto/asymmetric_keys/restrict.c > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > >> return ret; > >> } > >> > >> +/** > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > >> + * @dest_keyring: Keyring being linked to. > >> + * @type: The type of key being added. > >> + * @payload: The payload of the new key. > >> + * @trust_keyring: Unused. > >> + * > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > >> + * certificate as being ok to link. > >> + * > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > >> + * crypto, or some other error if there is a matching certificate but > >> + * the signature check cannot be performed. > >> + */ > >> +int restrict_link_by_ca(struct key *dest_keyring, > >> + const struct key_type *type, > >> + const union key_payload *payload, > >> + struct key *trust_keyring) > >> +{ > >> + const struct public_key *pkey; > >> + > >> + if (type != &key_type_asymmetric) > >> + return -EOPNOTSUPP; > >> + > >> + pkey = payload->data[asym_crypto]; > >> + if (!pkey) > >> + return -ENOPKG; > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > >> + return -ENOKEY; > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > >> + return -ENOKEY; > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > >> + return -ENOKEY; > > > > nit: would be more readable, if conditions were separated by > > empty lines. > > Ok, I will make this change in the next round. Thanks. Cool! Mimi have you tested these patches with IMA applied? BR, Jarkko
On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > >> based on the key to be added being a CA. > > >> > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > >> --- > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > >> include/crypto/public_key.h | 15 ++++++++++++ > > >> 2 files changed, 53 insertions(+) > > >> > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > >> --- a/crypto/asymmetric_keys/restrict.c > > >> +++ b/crypto/asymmetric_keys/restrict.c > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > >> return ret; > > >> } > > >> > > >> +/** > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > >> + * @dest_keyring: Keyring being linked to. > > >> + * @type: The type of key being added. > > >> + * @payload: The payload of the new key. > > >> + * @trust_keyring: Unused. > > >> + * > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > >> + * certificate as being ok to link. > > >> + * > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > >> + * crypto, or some other error if there is a matching certificate but > > >> + * the signature check cannot be performed. > > >> + */ > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > >> + const struct key_type *type, > > >> + const union key_payload *payload, > > >> + struct key *trust_keyring) > > >> +{ > > >> + const struct public_key *pkey; > > >> + > > >> + if (type != &key_type_asymmetric) > > >> + return -EOPNOTSUPP; > > >> + > > >> + pkey = payload->data[asym_crypto]; > > >> + if (!pkey) > > >> + return -ENOPKG; > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > >> + return -ENOKEY; > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > >> + return -ENOKEY; > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > >> + return -ENOKEY; > > > > > > nit: would be more readable, if conditions were separated by > > > empty lines. > > > > Ok, I will make this change in the next round. Thanks. > > Cool! Mimi have you tested these patches with IMA applied? Yes, it's working as expected.
On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > >> based on the key to be added being a CA. > > > >> > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > >> --- > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > >> 2 files changed, 53 insertions(+) > > > >> > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > >> +++ b/crypto/asymmetric_keys/restrict.c > > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > >> return ret; > > > >> } > > > >> > > > >> +/** > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > >> + * @dest_keyring: Keyring being linked to. > > > >> + * @type: The type of key being added. > > > >> + * @payload: The payload of the new key. > > > >> + * @trust_keyring: Unused. > > > >> + * > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > >> + * certificate as being ok to link. > > > >> + * > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > >> + * crypto, or some other error if there is a matching certificate but > > > >> + * the signature check cannot be performed. > > > >> + */ > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > >> + const struct key_type *type, > > > >> + const union key_payload *payload, > > > >> + struct key *trust_keyring) > > > >> +{ > > > >> + const struct public_key *pkey; > > > >> + > > > >> + if (type != &key_type_asymmetric) > > > >> + return -EOPNOTSUPP; > > > >> + > > > >> + pkey = payload->data[asym_crypto]; > > > >> + if (!pkey) > > > >> + return -ENOPKG; > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > > > > > > nit: would be more readable, if conditions were separated by > > > > empty lines. > > > > > > Ok, I will make this change in the next round. Thanks. > > > > Cool! Mimi have you tested these patches with IMA applied? > > Yes, it's working as expected. OK, I will pick these. BR, Jarkko
On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > >> based on the key to be added being a CA. > > > >> > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > >> --- > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > >> 2 files changed, 53 insertions(+) > > > >> > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > >> +++ b/crypto/asymmetric_keys/restrict.c > > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > >> return ret; > > > >> } > > > >> > > > >> +/** > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > >> + * @dest_keyring: Keyring being linked to. > > > >> + * @type: The type of key being added. > > > >> + * @payload: The payload of the new key. > > > >> + * @trust_keyring: Unused. > > > >> + * > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > >> + * certificate as being ok to link. > > > >> + * > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > >> + * crypto, or some other error if there is a matching certificate but > > > >> + * the signature check cannot be performed. > > > >> + */ > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > >> + const struct key_type *type, > > > >> + const union key_payload *payload, > > > >> + struct key *trust_keyring) > > > >> +{ > > > >> + const struct public_key *pkey; > > > >> + > > > >> + if (type != &key_type_asymmetric) > > > >> + return -EOPNOTSUPP; > > > >> + > > > >> + pkey = payload->data[asym_crypto]; > > > >> + if (!pkey) > > > >> + return -ENOPKG; > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > >> + return -ENOKEY; > > > > > > > > nit: would be more readable, if conditions were separated by > > > > empty lines. > > > > > > Ok, I will make this change in the next round. Thanks. > > > > Cool! Mimi have you tested these patches with IMA applied? > > Yes, it's working as expected. Thank you. Please check that I filled additional tags correctly: https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/ I will then put these also to my 'next' branch and they will get mirrored to linux-next. BR, Jarkko
On Thu, 2023-03-30 at 02:27 +0300, Jarkko Sakkinen wrote: > On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > > >> based on the key to be added being a CA. > > > > >> > > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > >> --- > > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > > >> 2 files changed, 53 insertions(+) > > > > >> > > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > > >> +++ b/crypto/asymmetric_keys/restrict.c > > > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > > >> return ret; > > > > >> } > > > > >> > > > > >> +/** > > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > > >> + * @dest_keyring: Keyring being linked to. > > > > >> + * @type: The type of key being added. > > > > >> + * @payload: The payload of the new key. > > > > >> + * @trust_keyring: Unused. > > > > >> + * > > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > > >> + * certificate as being ok to link. > > > > >> + * > > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > > >> + * crypto, or some other error if there is a matching certificate but > > > > >> + * the signature check cannot be performed. > > > > >> + */ > > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > > >> + const struct key_type *type, > > > > >> + const union key_payload *payload, > > > > >> + struct key *trust_keyring) > > > > >> +{ > > > > >> + const struct public_key *pkey; > > > > >> + > > > > >> + if (type != &key_type_asymmetric) > > > > >> + return -EOPNOTSUPP; > > > > >> + > > > > >> + pkey = payload->data[asym_crypto]; > > > > >> + if (!pkey) > > > > >> + return -ENOPKG; > > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > > >> + return -ENOKEY; > > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > > >> + return -ENOKEY; > > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > > >> + return -ENOKEY; > > > > > > > > > > nit: would be more readable, if conditions were separated by > > > > > empty lines. > > > > > > > > Ok, I will make this change in the next round. Thanks. > > > > > > Cool! Mimi have you tested these patches with IMA applied? > > > > Yes, it's working as expected. > > Thank you. Please check that I filled additional tags correctly: > > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/ > > I will then put these also to my 'next' branch and they will get mirrored > to linux-next. Thanks, Jarkko. The tags look good.
On Thu, Mar 30, 2023 at 02:01:52AM -0400, Mimi Zohar wrote: > On Thu, 2023-03-30 at 02:27 +0300, Jarkko Sakkinen wrote: > > On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote: > > > On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote: > > > > On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote: > > > > > > > > > > > > > > > > On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote: > > > > > > > > > > > > On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote: > > > > > >> Add a new link restriction. Restrict the addition of keys in a keyring > > > > > >> based on the key to be added being a CA. > > > > > >> > > > > > >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > > > > > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > > > > >> --- > > > > > >> crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ > > > > > >> include/crypto/public_key.h | 15 ++++++++++++ > > > > > >> 2 files changed, 53 insertions(+) > > > > > >> > > > > > >> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c > > > > > >> index 6b1ac5f5896a..48457c6f33f9 100644 > > > > > >> --- a/crypto/asymmetric_keys/restrict.c > > > > > >> +++ b/crypto/asymmetric_keys/restrict.c > > > > > >> @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, > > > > > >> return ret; > > > > > >> } > > > > > >> > > > > > >> +/** > > > > > >> + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > > > > >> + * @dest_keyring: Keyring being linked to. > > > > > >> + * @type: The type of key being added. > > > > > >> + * @payload: The payload of the new key. > > > > > >> + * @trust_keyring: Unused. > > > > > >> + * > > > > > >> + * Check if the new certificate is a CA. If it is a CA, then mark the new > > > > > >> + * certificate as being ok to link. > > > > > >> + * > > > > > >> + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > > > > >> + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > > > > >> + * crypto, or some other error if there is a matching certificate but > > > > > >> + * the signature check cannot be performed. > > > > > >> + */ > > > > > >> +int restrict_link_by_ca(struct key *dest_keyring, > > > > > >> + const struct key_type *type, > > > > > >> + const union key_payload *payload, > > > > > >> + struct key *trust_keyring) > > > > > >> +{ > > > > > >> + const struct public_key *pkey; > > > > > >> + > > > > > >> + if (type != &key_type_asymmetric) > > > > > >> + return -EOPNOTSUPP; > > > > > >> + > > > > > >> + pkey = payload->data[asym_crypto]; > > > > > >> + if (!pkey) > > > > > >> + return -ENOPKG; > > > > > >> + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) > > > > > >> + return -ENOKEY; > > > > > >> + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) > > > > > >> + return -ENOKEY; > > > > > >> + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) > > > > > >> + return -ENOKEY; > > > > > > > > > > > > nit: would be more readable, if conditions were separated by > > > > > > empty lines. > > > > > > > > > > Ok, I will make this change in the next round. Thanks. > > > > > > > > Cool! Mimi have you tested these patches with IMA applied? > > > > > > Yes, it's working as expected. > > > > Thank you. Please check that I filled additional tags correctly: > > > > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/log/ > > > > I will then put these also to my 'next' branch and they will get mirrored > > to linux-next. > > Thanks, Jarkko. The tags look good. Hi, sorry for radio silence. I've been transitioning to a new job. Commits are in my next branch, and I will include them to my PR. BR, Jarkko
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..48457c6f33f9 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + return 0; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 03c3fb990d59..653992a6e941 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);