@@ -327,3 +327,38 @@ Functions are provided to register and unregister parsers:
Parsers may not have the same name. The names are otherwise only used for
displaying in debugging messages.
+
+
+=========================
+KEYRING LINK RESTRICTIONS
+=========================
+
+Keyrings created from userspace using add_key can be configured to check the
+signature of the key being linked.
+
+Several restriction methods are available:
+
+ (1) Restrict using the kernel builtin trusted keyring
+
+ - Options used when creating the keyring:
+ - restrict=asymmetric:builtin_trusted
+
+ The kernel builtin trusted keyring will be searched for the signing
+ key. The ca_keys kernel parameter also affects which keys are used for
+ signature verification.
+
+ (2) Restrict using the kernel builtin and secondary trusted keyrings
+
+ - Options used when creating the keyring:
+ - restrict=asymmetric:builtin_and_secondary_trusted
+
+ The kernel builtin and secondary trusted keyrings will be searched for the
+ signing key. The ca_keys kernel parameter also affects which keys are used
+ for signature verification.
+
+In all of these cases, if the signing key is found the signature of the key to
+be linked will be verified using the signing key. The requested key is added
+to the keyring only if the signature is successfully verified. -ENOKEY is
+returned if the parent certificate could not be found, or -EKEYREJECTED is
+returned if the signature check fails or the key is blacklisted. Other errors
+may be returned if the signature check could not be performed.
@@ -18,6 +18,7 @@
#include <linux/slab.h>
#include <linux/ctype.h>
#include <keys/user-type.h>
+#include <keys/system_keyring.h>
#include "asymmetric_keys.h"
MODULE_LICENSE("GPL");
@@ -491,6 +492,46 @@ static int asymmetric_key_verify_signature(struct kernel_pkey_params *params,
return verify_signature(params->key, &sig);
}
+static struct key_restriction *asymmetric_restriction_alloc(
+ restrict_link_func_t check,
+ void (*free_data)(void *),
+ void *data)
+{
+ struct key_restriction *keyres = kzalloc(sizeof(struct key_restriction),
+ GFP_KERNEL);
+ if (!keyres) {
+ if (free_data)
+ free_data(data);
+
+ return ERR_PTR(-ENOMEM);
+ }
+
+ keyres->check = check;
+ keyres->free_data = free_data;
+ keyres->data = data;
+
+ return keyres;
+}
+
+/*
+ * look up keyring restrict functions for asymmetric keys
+ */
+static struct key_restriction *asymmetric_lookup_restrict(char *restriction)
+{
+ const char *restrict_method;
+
+ if (strcmp("builtin_trusted", restriction) == 0)
+ return asymmetric_restriction_alloc(
+ restrict_link_by_builtin_trusted, NULL, NULL);
+
+ if (strcmp("builtin_and_secondary_trusted", restriction) == 0)
+ return asymmetric_restriction_alloc(
+ restrict_link_by_builtin_and_secondary_trusted,
+ NULL, NULL);
+
+ return ERR_PTR(-EINVAL);
+}
+
struct key_type key_type_asymmetric = {
.name = "asymmetric",
.preparse = asymmetric_key_preparse,
@@ -503,6 +544,7 @@ struct key_type key_type_asymmetric = {
.asym_query = query_asymmetric_key,
.asym_eds_op = asymmetric_key_eds_op,
.asym_verify_signature = asymmetric_key_verify_signature,
+ .lookup_restrict = asymmetric_lookup_restrict,
};
EXPORT_SYMBOL_GPL(key_type_asymmetric);
Look up asymmetric keyring restriction information using the key-type lookup_restrict hook. Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> --- Documentation/crypto/asymmetric-keys.txt | 35 ++++++++++++++++++++++++++ crypto/asymmetric_keys/asymmetric_type.c | 42 ++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+)