Message ID | 20221214003401.4086781-6-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | Add CA enforcement keyring restrictions | expand |
On Tue, Dec 13, 2022 at 07:33:56PM -0500, Eric Snowberg wrote: > Some subsystems are interested in knowing if a key has been endorsed > as or by a Certificate Authority (CA). From the data contained in struct > key, it is not possible to make this determination after the key > parsing is complete. Introduce a new Endorsed Certificate Authority > flag called KEY_FLAG_ECA. > > The first type of key to use this is X.509. When a X.509 certificate > has the keyCertSign Key Usage set and contains the CA bit set, this new > flag is set. In the future, other usage fields could be added as flags, > i.e. digitialSignature. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > crypto/asymmetric_keys/x509_public_key.c | 3 +++ > include/linux/key-type.h | 2 ++ > include/linux/key.h | 2 ++ > security/keys/key.c | 8 ++++++++ > 4 files changed, 15 insertions(+) > > diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c > index 0b4943a4592b..fd1d7d6e68e7 100644 > --- a/crypto/asymmetric_keys/x509_public_key.c > +++ b/crypto/asymmetric_keys/x509_public_key.c > @@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) > goto error_free_kids; > } > A comment here? > + if (cert->kcs_set && cert->root_ca) > + prep->payload_flags |= KEY_ALLOC_PECA; > + > /* We're pinning the module by being linked against it */ > __module_get(public_key_subtype.owner); > prep->payload.data[asym_subtype] = &public_key_subtype; > diff --git a/include/linux/key-type.h b/include/linux/key-type.h > index 7d985a1dfe4a..0b500578441c 100644 > --- a/include/linux/key-type.h > +++ b/include/linux/key-type.h > @@ -36,6 +36,8 @@ struct key_preparsed_payload { > size_t datalen; /* Raw datalen */ > size_t quotalen; /* Quota length for proposed payload */ > time64_t expiry; /* Expiry time of key */ > + unsigned int payload_flags; /* Proposed payload flags */ > +#define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ > } __randomize_layout; > > typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); > diff --git a/include/linux/key.h b/include/linux/key.h > index d27477faf00d..21d5a13ee4a9 100644 > --- a/include/linux/key.h > +++ b/include/linux/key.h > @@ -236,6 +236,7 @@ struct key { > #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ > #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ > #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ > +#define KEY_FLAG_ECA 10 /* set if key is an Endorsed CA key */ > > /* the key type and key description string > * - the desc is used to match a key against search criteria > @@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type, > #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ > #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ > #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ > +#define KEY_ALLOC_ECA 0x0040 /* Add Endorsed CA key */ > > extern void key_revoke(struct key *key); > extern void key_invalidate(struct key *key); > diff --git a/security/keys/key.c b/security/keys/key.c > index c45afdd1dfbb..e6b4946aca70 100644 > --- a/security/keys/key.c > +++ b/security/keys/key.c > @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, > key->flags |= 1 << KEY_FLAG_UID_KEYRING; > if (flags & KEY_ALLOC_SET_KEEP) > key->flags |= 1 << KEY_FLAG_KEEP; > + if (flags & KEY_ALLOC_ECA) > + key->flags |= 1 << KEY_FLAG_ECA; > > #ifdef KEY_DEBUGGING > key->magic = KEY_DEBUG_MAGIC; > @@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, > perm |= KEY_POS_WRITE; > } > > + /* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */ > + if (prep.payload_flags & KEY_ALLOC_PECA) > + flags |= KEY_ALLOC_ECA; > + else > + flags &= ~KEY_ALLOC_ECA; > + > /* allocate a new key */ > key = key_alloc(index_key.type, index_key.description, > cred->fsuid, cred->fsgid, cred, perm, flags, NULL); > -- > 2.27.0 > BR, Jarkko
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 0b4943a4592b..fd1d7d6e68e7 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) goto error_free_kids; } + if (cert->kcs_set && cert->root_ca) + prep->payload_flags |= KEY_ALLOC_PECA; + /* We're pinning the module by being linked against it */ __module_get(public_key_subtype.owner); prep->payload.data[asym_subtype] = &public_key_subtype; diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 7d985a1dfe4a..0b500578441c 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -36,6 +36,8 @@ struct key_preparsed_payload { size_t datalen; /* Raw datalen */ size_t quotalen; /* Quota length for proposed payload */ time64_t expiry; /* Expiry time of key */ + unsigned int payload_flags; /* Proposed payload flags */ +#define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/include/linux/key.h b/include/linux/key.h index d27477faf00d..21d5a13ee4a9 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -236,6 +236,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_ECA 10 /* set if key is an Endorsed CA key */ /* the key type and key description string * - the desc is used to match a key against search criteria @@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ +#define KEY_ALLOC_ECA 0x0040 /* Add Endorsed CA key */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..e6b4946aca70 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_UID_KEYRING; if (flags & KEY_ALLOC_SET_KEEP) key->flags |= 1 << KEY_FLAG_KEEP; + if (flags & KEY_ALLOC_ECA) + key->flags |= 1 << KEY_FLAG_ECA; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; @@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, perm |= KEY_POS_WRITE; } + /* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */ + if (prep.payload_flags & KEY_ALLOC_PECA) + flags |= KEY_ALLOC_ECA; + else + flags &= ~KEY_ALLOC_ECA; + /* allocate a new key */ key = key_alloc(index_key.type, index_key.description, cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
Some subsystems are interested in knowing if a key has been endorsed as or by a Certificate Authority (CA). From the data contained in struct key, it is not possible to make this determination after the key parsing is complete. Introduce a new Endorsed Certificate Authority flag called KEY_FLAG_ECA. The first type of key to use this is X.509. When a X.509 certificate has the keyCertSign Key Usage set and contains the CA bit set, this new flag is set. In the future, other usage fields could be added as flags, i.e. digitialSignature. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/x509_public_key.c | 3 +++ include/linux/key-type.h | 2 ++ include/linux/key.h | 2 ++ security/keys/key.c | 8 ++++++++ 4 files changed, 15 insertions(+)