From patchwork Fri Jan 22 18:10:51 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12040259
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, James.Bottomley@HansenPartnership.com
Cc: masahiroy@kernel.org, michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, ardb@kernel.org, zohar@linux.ibm.com, lszubowi@redhat.com, javierm@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v5 1/4] certs: Add EFI_CERT_X509_GUID support for dbx entries
Date: Fri, 22 Jan 2021 13:10:51 -0500
Message-Id: <20210122181054.32635-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210122181054.32635-1-eric.snowberg@oracle.com>
References: <20210122181054.32635-1-eric.snowberg@oracle.com>

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced; if a matching key is found, the key will be rejected.

Signed-off-by: Eric Snowberg
Reviewed-by: Jarkko Sakkinen
Signed-off-by: David Howells --- v5: Function name changes done by David Howells --- certs/blacklist.c | 32 +++++++++++++++++++ certs/blacklist.h | 12 +++++++ certs/system_keyring.c | 6 ++++ include/keys/system_keyring.h | 11 +++++++ .../platform_certs/keyring_handler.c | 11 +++++++ 5 files changed, 72 insertions(+) diff --git a/certs/blacklist.c b/certs/blacklist.c index 6514f9ebc943..a7f021878a4b 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -100,6 +100,38 @@ int mark_hash_blacklisted(const char *hash) return 0; } +int add_key_to_revocation_list(const char *data, size_t size) +{ + key_ref_t key; + + key = key_create_or_update(make_key_ref(blacklist_keyring, true), + "asymmetric", + NULL, + data, + size, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); + + if (IS_ERR(key)) { + pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); + return PTR_ERR(key); + } + + return 0; +} + +int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + int ret; + + ret = validate_trust(pkcs7, blacklist_keyring); + + if (ret == 0) + return -EKEYREJECTED; + + return -ENOKEY; +} + /** * is_hash_blacklisted - Determine if a hash is blacklisted * @hash: The hash to be checked as a binary blob diff --git a/certs/blacklist.h b/certs/blacklist.h index 1efd6fa0dc60..420bb7c86e07 100644 --- a/certs/blacklist.h +++ b/certs/blacklist.h @@ -1,3 +1,15 @@ #include +#include +#include extern const char __initconst *const blacklist_hashes[]; + +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +#define validate_trust pkcs7_validate_trust +#else +static inline int validate_trust(struct pkcs7_message *pkcs7, + struct key *trust_keyring) +{ + return -ENOKEY; +} +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 798291177186..cc165b359ea3 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c 
@@ -241,6 +241,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len, pr_devel("PKCS#7 platform keyring is not available\n"); goto error; } + + ret = is_key_on_revocation_list(pkcs7); + if (ret != -ENOKEY) { + pr_devel("PKCS#7 platform key is on revocation list\n"); + goto error; + } } ret = pkcs7_validate_trust(pkcs7, trusted_keys); if (ret < 0) { diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fb8b07daa9d1..61f98739e8b1 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -31,11 +31,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); +extern int add_key_to_revocation_list(const char *data, size_t size); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type); extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) @@ -47,6 +50,14 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) { return 0; } +static inline int add_key_to_revocation_list(const char *data, size_t size) +{ + return 0; +} +static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + return -ENOKEY; +} #endif #ifdef CONFIG_IMA_BLACKLIST_KEYRING diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index c5ba695c10e3..5604bd57c990 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c 
@@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source, uefi_blacklist_hash(source, data, len, "bin:", 4); } +/* + * Add an X509 cert to the revocation list. + */ +static __init void uefi_revocation_list_x509(const char *source, + const void *data, size_t len) +{ + add_key_to_revocation_list(data, len); +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI db and MokListRT tables. 
@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) return uefi_blacklist_x509_tbs; if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) return uefi_blacklist_binary; + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return uefi_revocation_list_x509; return 0; }
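Review bot: In the certs/blacklist.c hunk, is_key_on_revocation_list() collapses every non-zero result of validate_trust() into -ENOKEY, so a PKCS#7 message the parser cannot evaluate at all (-ENOPKG, -EBADMSG and similar) is reported as "not revoked" instead of as an error; consider passing through anything other than -ENOKEY, since the caller in verify_pkcs7_message_sig() already treats every value other than -ENOKEY as a rejection. Neither new function has a kerneldoc comment, unlike is_hash_blacklisted() directly below them; a short one per function stating that -ENOKEY means "not on the list" and -EKEYREJECTED means "revoked" would make the contract explicit.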
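Review bot: In the certs/blacklist.h hunk, `#define validate_trust pkcs7_validate_trust` puts a very generic macro name into a header; a static inline wrapper with a blacklist-specific name (blacklist_validate_trust(), as a suggestion) would avoid the macro and give both branches of the #ifdef the same signature. The fallback stub returns -ENOKEY unconditionally, which is_key_on_revocation_list() reads as "not revoked", so with CONFIG_INTEGRITY_PLATFORM_KEYRING unset the revocation check is a silent no-op; a one-line comment saying that this is intended (no platform keyring means no dbx is ever loaded) would save the next reader from wondering.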
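Review bot: In the certs/system_keyring.c hunk, the new revocation check sits inside the platform-keyring branch of verify_pkcs7_message_sig(), so signatures verified against the builtin or secondary trusted keyrings never consult .blacklist for X.509 entries; that matches the commit message ("anytime the .platform keyring is used") but deserves a comment at the call site so nobody later assumes the check is global. Running is_key_on_revocation_list() before pkcs7_validate_trust() is the right order: a cert present in both db and dbx is rejected before it can be trusted.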
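Review bot: In the first include/keys/system_keyring.h hunk, `extern struct pkcs7_message *pkcs7;` declares an external variable named pkcs7 that no translation unit defines; what the prototypes below need is a forward declaration of the type, `struct pkcs7_message;`. As written it only compiles because nothing ever references the variable, and it will confuse anyone grepping for the symbol.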
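Review bot: In the second include/keys/system_keyring.h hunk, the stub add_key_to_revocation_list() returns 0 when CONFIG_SYSTEM_BLACKLIST_KEYRING is off, so a caller cannot tell that a dbx X.509 entry was dropped rather than recorded; returning an error such as -EOPNOTSUPP would let uefi_revocation_list_x509() log the loss. The is_key_on_revocation_list() stub returning -ENOKEY is consistent with the real function's "not found" value and is fine.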
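Review bot: In the first security/integrity/platform_certs/keyring_handler.c hunk, uefi_revocation_list_x509() ignores both its `source` argument and the return value of add_key_to_revocation_list(); the neighbouring uefi_blacklist_binary() forwards `source` so the table of origin can be reported. At minimum log `source` on failure next to the error add_key_to_revocation_list() already prints, or say in the comment why the return value is deliberately dropped.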
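Review bot: In the second keyring_handler.c hunk, mapping efi_cert_x509_guid in get_handler_for_dbx() changes what an existing dbx does at boot: an X.509 entry that was previously skipped now revokes any PKCS#7 signature whose chain validates against that cert through .blacklist, alongside the per-hash EFI_CERT_SHA256_GUID and EFI_CERT_X509_SHA256_GUID entries next to it. That is the point of the series, but a sentence in the commit message or the function comment noting the behaviour change for firmware that already ships such entries would help anyone bisecting a boot-time signature rejection.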
From patchwork Fri Jan 22 18:10:52 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12040255
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, James.Bottomley@HansenPartnership.com
Cc: masahiroy@kernel.org, michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, ardb@kernel.org, zohar@linux.ibm.com, lszubowi@redhat.com, javierm@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v5 2/4] certs: Move load_system_certificate_list to a common function
Date: Fri, 22 Jan 2021 13:10:52 -0500
Message-Id: <20210122181054.32635-3-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210122181054.32635-1-eric.snowberg@oracle.com>
References: <20210122181054.32635-1-eric.snowberg@oracle.com>

Move functionality within load_system_certificate_list to a common function, so it can be reused in the future.

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
---
certs/Makefile | 2 +- certs/common.c | 56 ++++++++++++++++++++++++++++++++++++++++++ certs/common.h | 9 +++++++ certs/system_keyring.c | 49 +++--------------------------------- 4 files changed, 69 insertions(+), 47 deletions(-) create mode 100644 certs/common.c create mode 100644 certs/common.h diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..f4b90bad8690 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -3,7 +3,7 @@ # Makefile for the linux kernel signature checking certificates. # -obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o diff --git a/certs/common.c b/certs/common.c new file mode 100644 index 000000000000..83800f51a1a1 --- /dev/null +++ b/certs/common.c
@@ -0,0 +1,56 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include + +int load_certificate_list(const u8 cert_list[], + const unsigned long list_size, + const struct key *keyring) +{ + key_ref_t key; + const u8 *p, *end; + size_t plen; + + p = cert_list; + end = p + list_size; + while (p < end) { + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more + * than 256 bytes in size. + */ + if (end - p < 4) + goto dodgy_cert; + if (p[0] != 0x30 && + p[1] != 0x82) + goto dodgy_cert; + plen = (p[2] << 8) | p[3]; + plen += 4; + if (plen > end - p) + goto dodgy_cert; + + key = key_create_or_update(make_key_ref(keyring, 1), + "asymmetric", + NULL, + p, + plen, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } + p += plen; + } + + return 0; + +dodgy_cert: + pr_err("Problem parsing in-kernel X.509 certificate list\n"); + return 0; +} diff --git a/certs/common.h b/certs/common.h new file mode 100644 index 000000000000..abdb5795936b --- /dev/null +++ b/certs/common.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _CERT_COMMON_H +#define _CERT_COMMON_H + +int load_certificate_list(const u8 cert_list[], const unsigned long list_size, + const struct key *keyring); + +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index cc165b359ea3..a44a8915c94c 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -15,6 +15,7 @@ #include #include #include +#include "common.h" static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 
@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init); */ static __init int load_system_certificate_list(void) { - key_ref_t key; - const u8 *p, *end; - size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - p = system_certificate_list; - end = p + system_certificate_list_size; - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - -dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; + return load_certificate_list(system_certificate_list, system_certificate_list_size, + builtin_trusted_keys); } late_initcall(load_system_certificate_list);
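Review bot: In the certs/Makefile hunk, common.o is built only under CONFIG_SYSTEM_TRUSTED_KEYRING while blacklist.o is built under CONFIG_SYSTEM_BLACKLIST_KEYRING; if the reuse the commit message promises is from the blacklist side, check that the Kconfig dependency makes the second imply the first, or add common.o to the blacklist line as well, otherwise load_certificate_list() is an undefined reference in a configuration with only the blacklist keyring enabled.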
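Review bot: In the certs/common.c hunk, the moved parser carries two pre-existing weaknesses worth fixing while the code is being touched, or calling out as deliberately preserved: `if (p[0] != 0x30 && p[1] != 0x82)` only rejects an entry when both bytes are wrong, so a SEQUENCE with a one- or three-byte length, or a non-SEQUENCE whose second byte happens to be 0x82, reaches the plen computation; the comment ("begins with an ASN.1 SEQUENCE tag and must be more than 256 bytes") describes two conditions that must both hold, which is `||`. And the dodgy_cert path logs an error but returns 0, so a corrupt certificate list looks like success to the initcall and to every future caller of load_certificate_list().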
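Review bot: In the certs/common.h hunk, the prototype uses u8 and struct key but the header includes nothing, so it compiles only when the includer has already pulled in <linux/types.h> and <linux/key.h>; add `#include <linux/types.h>` and a `struct key;` forward declaration so the header stands on its own, which matters once other files start including it as intended.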
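Review bot: In the second certs/system_keyring.c hunk, the new `return load_certificate_list(system_certificate_list, system_certificate_list_size,` line runs past 80 columns; wrapping after the first argument keeps checkpatch quiet. Behaviour is otherwise preserved, including the fact that the initcall always returns 0 because load_certificate_list() does, so nothing regresses here.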
From patchwork Fri Jan 22 18:10:53 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12040331
From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, James.Bottomley@HansenPartnership.com
Cc: masahiroy@kernel.org, michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, ardb@kernel.org, zohar@linux.ibm.com, lszubowi@redhat.com, javierm@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v5 3/4] certs: Add ability to preload revocation certs
Date: Fri, 22 Jan 2021 13:10:53 -0500
Message-Id: <20210122181054.32635-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210122181054.32635-1-eric.snowberg@oracle.com>
References: <20210122181054.32635-1-eric.snowberg@oracle.com>
Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set, this option should be the filename of a PEM-formatted file containing X.509 certificates to be included in the default blacklist keyring.

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
---
 certs/Kconfig | 8 ++++++++
 certs/Makefile | 18 ++++++++++++++++--
 certs/blacklist.c | 17 +++++++++++++++++
 certs/revocation_certificates.S | 21 +++++++++++++++++++++
 scripts/Makefile | 1 +
 5 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 certs/revocation_certificates.S

diff --git a/certs/Kconfig b/certs/Kconfig index c94e93d8bccf..379a6e198459 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each should be a string of hex digits. +config SYSTEM_REVOCATION_KEYS + string "X.509 certificates to be preloaded into the system blacklist keyring" + depends on SYSTEM_BLACKLIST_KEYRING + help + If set, this option should be the filename of a PEM-formatted file + containing X.509 certificates to be included in the default blacklist + keyring. + endmenu diff --git a/certs/Makefile b/certs/Makefile index f4b90bad8690..e3f4926fd21e 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -4,7 +4,7 @@ # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o revocation_certificates.o common.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else
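Review bot: revocation_certificates.o, its initcall and the extract step are all built whenever CONFIG_SYSTEM_BLACKLIST_KEYRING=y, because the new string option SYSTEM_REVOCATION_KEYS only chooses which file gets embedded, not whether the machinery exists; a separate bool (say SYSTEM_REVOCATION_LIST, which the string would then depend on) used as the key in `obj-$(...) += revocation_certificates.o` would let a configuration that wants the hash blacklist but no compiled-in certificates skip the object and the empty-file extract-cert run. The help text should also say how the path is resolved, since the Makefile prefixes it with $(SYSTEM_REVOCATION_KEYS_SRCPREFIX) rather than using it verbatim, and should state plainly that certificates listed here are treated as revoked, which is what landing on the blacklist keyring means, so nobody mistakes the option for a second trust store.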
@@ -29,7 +29,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list +clean-files := x509_certificate_list .x509.list x509_revocation_list ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### @@ -104,3 +104,17 @@ targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG + +ifeq ($(CONFIG_SYSTEM_BLACKLIST_KEYRING),y) + +$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) + +$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list + +quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) + cmd_extract_certs = scripts/extract-cert $(2) $@ + +targets += x509_revocation_list +$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE + $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) +endif diff --git a/certs/blacklist.c b/certs/blacklist.c index a7f021878a4b..4e8a1068adb2 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -16,9 +16,13 @@ #include #include #include "blacklist.h" +#include "common.h" static struct key *blacklist_keyring; +extern __initconst const u8 revocation_certificate_list[]; +extern __initconst const unsigned long revocation_certificate_list_size; + /* * The description must be a type prefix, a colon and then an even number of * hex digits. The hash is kept in the description. 
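Review bot: the new `ifeq ($(CONFIG_SYSTEM_BLACKLIST_KEYRING),y)` block redefines quiet_cmd_extract_certs and cmd_extract_certs with the same body the trusted-keyring section already uses (its `$(call if_changed,extract_certs,...)` for x509_certificate_list is the context at the top of this hunk); defining the command once, outside both conditionals, keeps the two copies from drifting. Two comments would help as well: why `$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list` has to be spelled out by hand (the .incbin in the .S file is invisible to the compiler's dependency tracking, so without it a changed PEM file would not rebuild the object), and that with CONFIG_SYSTEM_REVOCATION_KEYS left empty extract-cert is still run with an empty path and is relied upon to produce an empty x509_revocation_list, since there is no `ifneq (...,"")` guard like the one used for SYSTEM_BLACKLIST_HASH_LIST and the object is linked unconditionally.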
@@ -209,3 +213,16 @@ static int __init blacklist_init(void) * Must be initialised before we try and load the keys into the keyring. */ device_initcall(blacklist_init); + +/* + * Load the compiled-in list of revocation X.509 certificates. + */ +static __init int load_revocation_certificate_list(void) +{ + if (revocation_certificate_list_size) + pr_notice("Loading compiled-in revocation X.509 certificates\n"); + + return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size, + blacklist_keyring); +} +late_initcall(load_revocation_certificate_list); diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S new file mode 100644 index 000000000000..f21aae8a8f0e --- /dev/null +++ b/certs/revocation_certificates.S @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#include +#include + + __INITRODATA + + .align 8 + .globl revocation_certificate_list +revocation_certificate_list: +__revocation_list_start: + .incbin "certs/x509_revocation_list" +__revocation_list_end: + + .align 8 + .globl revocation_certificate_list_size +revocation_certificate_list_size: +#ifdef CONFIG_64BIT + .quad __revocation_list_end - __revocation_list_start +#else + .long __revocation_list_end - __revocation_list_start +#endif diff --git a/scripts/Makefile b/scripts/Makefile index b5418ec587fb..983b785f13cb 100644 --- a/scripts/Makefile +++ b/scripts/Makefile 
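Review bot: load_revocation_certificate_list() still calls load_certificate_list() when revocation_certificate_list_size is 0; returning 0 early next to the pr_notice() guard makes the empty case explicit and keeps the notice and the work in step. Two comments would also help future readers: that late_initcall ordering is what guarantees blacklist_keyring (created in the device_initcall blacklist_init() just above, whose own comment says it must exist before keys are loaded) is there before this runs, and that the list may only be read from an initcall because revocation_certificates.S places it in __INITRODATA, so nothing may retain a pointer into it once init memory is freed.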
@@ -11,6 +11,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert + hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
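Review bot: extract-cert is now listed in hostprogs-always under both CONFIG_SYSTEM_TRUSTED_KEYRING and CONFIG_SYSTEM_BLACKLIST_KEYRING; kbuild de-duplicates hostprogs, so the build is fine, but a short comment on the added line saying the blacklist keyring needs the tool even when the trusted keyring is disabled would stop a later cleanup from merging or dropping one of the two.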
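As an added example, not code from this patch or from the kernel tree, the following user-space C models the two framing steps the new option depends on: what scripts/extract-cert does with the PEM file named by CONFIG_SYSTEM_REVOCATION_KEYS (decode each CERTIFICATE block and concatenate the DER into the blob that revocation_certificates.S embeds with .incbin), and how such a blob is walked at load time using only each certificate's outer ASN.1 SEQUENCE header. That the in-kernel loader frames entries this way (a 30 82 <len16> header per certificate) is an assumption here, since certs/common.c is not part of the patch; the function names are mine, and the sample certificates are constructed 260-byte SEQUENCEs rather than real X.509.

```c
/*
 * Added example (user-space C; not code from this patch or the kernel tree).
 * pem_to_der() models what scripts/extract-cert does with the PEM file named by
 * CONFIG_SYSTEM_REVOCATION_KEYS (decode each CERTIFICATE block, concatenate the
 * DER); count_der_certs() walks the resulting blob by its outer SEQUENCE headers,
 * which is assumed to match the in-kernel loader's framing (certs/common.c is not
 * in the patch). The sample certificates below are constructed, not real X.509.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode every BEGIN/END CERTIFICATE block in pem into out[], back to back.
 * Returns the DER byte count, or -1 on an unterminated block, a non-base64
 * character, or an output buffer that is too small. */
long pem_to_der(const char *pem, uint8_t *out, size_t out_cap)
{
	static const char begin[] = "-----BEGIN CERTIFICATE-----";
	static const char end[] = "-----END CERTIFICATE-----";
	static const char b64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
	const char *s, *e, *q, *p = pem;
	size_t n = 0;

	while ((s = strstr(p, begin)) != NULL) {
		uint32_t acc = 0;	/* bit accumulator; its low `bits` bits are pending */
		int bits = 0;
		s += sizeof(begin) - 1;
		if (!(e = strstr(s, end)))
			return -1;
		for (; s < e; s++) {
			if (*s == '\n' || *s == '\r' || *s == '=')
				continue;	/* line breaks and padding */
			if (!(q = strchr(b64, *s)))
				return -1;
			acc = (acc << 6) | (uint32_t)(q - b64);
			if ((bits += 6) >= 8) {
				bits -= 8;
				if (n >= out_cap)
					return -1;
				out[n++] = (uint8_t)(acc >> bits);
			}
		}
		p = e + sizeof(end) - 1;
	}
	return (long)n;
}

/* Walk a concatenated-DER blob: every entry must start with SEQUENCE (0x30) and
 * a two-byte long-form length (0x82), so it spans 4 + that 16-bit length bytes.
 * Returns the certificate count, or -1 if the framing is inconsistent, in which
 * case a loader should load nothing rather than trust the part that parsed. */
int count_der_certs(const uint8_t *list, size_t list_size)
{
	const uint8_t *p = list, *end = list + list_size;
	int count = 0;
	while (p < end) {
		size_t plen;
		if ((size_t)(end - p) < 4 || p[0] != 0x30 || p[1] != 0x82)
			return -1;
		plen = (((size_t)p[2] << 8) | p[3]) + 4;
		if (plen > (size_t)(end - p))
			return -1;
		p += plen;
		count++;
	}
	return count;
}

/* Constructed sample: n PEM blocks, each decoding to 30 82 01 00 plus 256 zero
 * bytes; "MIIB" + 85 x "AAAA" + "AAA=" is exactly the base64 of those 260 bytes,
 * so no encoder is needed. Returns the text length written. */
size_t build_sample_pem(char *buf, size_t cap, int n)
{
	size_t len = 0;
	int i, k;
	for (i = 0; i < n && len + 420 < cap; i++) {
		len += (size_t)snprintf(buf + len, cap - len, "-----BEGIN CERTIFICATE-----\nMIIB");
		for (k = 0; k < 85; k++)
			len += (size_t)snprintf(buf + len, cap - len, "AAAA");
		len += (size_t)snprintf(buf + len, cap - len, "AAA=\n-----END CERTIFICATE-----\n");
	}
	return len;
}

/* PEM -> DER -> count on the sample; drop_last_byte simulates a truncated
 * x509_revocation_list, which must be rejected. Returns the count or -1. */
int sample_list_count(int ncerts, int drop_last_byte)
{
	char pem[4096] = "";
	uint8_t der[2048];
	long dlen;

	build_sample_pem(pem, sizeof(pem), ncerts);
	dlen = pem_to_der(pem, der, sizeof(der));
	if (dlen < 1)
		return -1;
	return count_der_certs(der, (size_t)dlen - (drop_last_byte ? 1 : 0));
}
```

A practitioner can point pem_to_der() at a real PEM bundle and run count_der_certs() over the result to vet the file before embedding it: a certificate shorter than 256 bytes (which uses the one-byte 0x81 length form), or anything in the file that is not a certificate, fails the framing check, and a loader with the same framing would stop at that entry rather than skip it.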

From: Eric Snowberg
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org, James.Bottomley@HansenPartnership.com
Cc: masahiroy@kernel.org, michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, ardb@kernel.org, zohar@linux.ibm.com, lszubowi@redhat.com, javierm@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v5 4/4] integrity: Load mokx variables into the blacklist keyring
Date: Fri, 22 Jan 2021 13:10:54 -0500
Message-Id: <20210122181054.32635-5-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.18.4
In-Reply-To: <20210122181054.32635-1-eric.snowberg@oracle.com>
References: <20210122181054.32635-1-eric.snowberg@oracle.com>
During boot the Secure Boot Forbidden Signature Database, dbx, is loaded into the blacklist keyring. Systems booted with shim have an equivalent Forbidden Signature Database called mokx. Currently mokx is only used by shim and grub; its contents are ignored by the kernel. Add the ability to load mokx into the blacklist keyring during boot.

Signed-off-by: Eric Snowberg
Suggested-by: James Bottomley
---
 security/integrity/platform_certs/load_uefi.c | 20 +++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index ee4b4c666854..f290f78c3f30 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -132,8 +132,9 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - void *db = NULL, *dbx = NULL; - unsigned long dbsize = 0, dbxsize = 0; + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; efi_status_t status; int rc = 0; @@ -175,6 +176,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); + if (!mokx) { + if (status == EFI_NOT_FOUND) + pr_debug("mokx variable wasn't found\n"); + else + pr_info("Couldn't get mokx list\n"); + } else { + rc = parse_efi_signature_list("UEFI:MokListXRT", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse mokx signatures %d\n", rc); + kfree(mokx); + } + /* Load the MokListRT certs */ rc = load_moklist_certs();
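Review bot: rc from the MokListXRT parse is overwritten by `rc = load_moklist_certs();` immediately afterwards, so a parse failure is logged with pr_err() but never reaches the caller; if best-effort loading is the intent, which matches the dbx handling just above where the buffer is freed and the function carries on, a comment saying so would keep a future reader from "fix"-ing it. The pr_debug/pr_info strings say "mokx" while the variable actually read is MokListXRT and the keys are described as "UEFI:MokListXRT"; using the variable name in the messages makes dmesg grep-able against the key descriptions. Finally, MokListRT is handled by the dedicated load_moklist_certs() path called right below rather than by get_cert_list(), so it is worth confirming on the list that reading MokListXRT purely as an EFI runtime variable is sufficient for large revocation lists.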
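As an added example, not code from the patch or the kernel, here is a user-space C walker for the EFI_SIGNATURE_LIST format that dbx and MokListXRT share, dispatching each entry on the list's SignatureType GUID much as parse_efi_signature_list() does through the get_handler_for_dbx handler in the hunk above. The layout and the two type GUIDs follow the UEFI specification; the sample variable image is constructed here with dummy hashes and a dummy certificate body, and the dispatch, struct and function names are this example's own, not the kernel's.

```c
/*
 * Added example (user-space C; not code from this patch or the kernel): a walker
 * for the EFI_SIGNATURE_LIST format that dbx and MokListXRT share, dispatching
 * each entry on the list's SignatureType GUID much as the patch does by handing
 * parse_efi_signature_list() the get_handler_for_dbx handler. The layout and the
 * GUID values follow the UEFI specification; the sample variable image is
 * constructed here and its hashes and "certificate" are dummies.
 */
#include <stdint.h>
#include <string.h>

#define GUID_LEN   16
#define SHA256_LEN 32
#define LIST_HDR   (GUID_LEN + 3 * 4)	/* SignatureType + three u32 sizes */

/* Type GUIDs in on-disk byte order (first three fields little-endian). */
static const uint8_t EFI_CERT_SHA256_GUID[GUID_LEN] = {	/* c1c41626-504c-4092-aca9-41f936934328 */
	0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };
static const uint8_t EFI_CERT_X509_GUID[GUID_LEN] = {	/* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

struct sig_counts {
	unsigned int sha256;	/* binary hashes: what the blacklist keys as "bin:<hex>" */
	unsigned int x509;	/* DER certificates to be treated as revoked */
	unsigned int unknown;	/* list types with no handler: skipped, not an error */
};

/* Each list: GUID SignatureType; u32 SignatureListSize, SignatureHeaderSize,
 * SignatureSize; u8 SignatureHeader[SignatureHeaderSize]; then entries of
 * SignatureSize bytes, each a 16-byte SignatureOwner GUID followed by the data.
 * Returns 0, or -1 on inconsistent sizes: the bytes come from firmware or shim,
 * so every size is checked against the enclosing buffer before it is used. */
int walk_signature_lists(const uint8_t *data, size_t size, struct sig_counts *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off < size) {
		const uint8_t *list = data + off;
		uint32_t lsize, hsize, ssize;
		size_t eoff;

		if (size - off < LIST_HDR)
			return -1;
		lsize = get_le32(list + GUID_LEN);
		hsize = get_le32(list + GUID_LEN + 4);
		ssize = get_le32(list + GUID_LEN + 8);
		if (lsize < LIST_HDR || lsize > size - off || hsize > lsize - LIST_HDR ||
		    ssize <= GUID_LEN || (lsize - LIST_HDR - hsize) % ssize)
			return -1;
		for (eoff = LIST_HDR + hsize; eoff < lsize; eoff += ssize) {
			const uint8_t *sigdata = list + eoff + GUID_LEN;	/* past SignatureOwner */

			if (!memcmp(list, EFI_CERT_SHA256_GUID, GUID_LEN)) {
				if (ssize - GUID_LEN != SHA256_LEN)
					return -1;
				out->sha256++;
			} else if (!memcmp(list, EFI_CERT_X509_GUID, GUID_LEN)) {
				if (sigdata[0] != 0x30)	/* a DER certificate begins with SEQUENCE */
					return -1;
				out->x509++;
			} else {
				out->unknown++;
			}
		}
		off += lsize;
	}
	return 0;
}

/* Constructed 172-byte variable image: a SHA256 list (ListSize 124, SignatureSize
 * 48) holding two dummy hashes, then an X509 list (ListSize 48, SignatureSize 20)
 * holding one dummy 4-byte certificate body. Unlisted bytes are zero. */
static const uint8_t sample_mokx_var[172] = {
	[0]   = 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28,
	        124, 0, 0, 0,   0, 0, 0, 0,   48, 0, 0, 0,
	[28 + 16]      = 0x11,	/* first hash byte of entry 1 (after its zero SignatureOwner) */
	[28 + 48 + 16] = 0x22,	/* first hash byte of entry 2 */
	[124] = 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,
	        48, 0, 0, 0,    0, 0, 0, 0,   20, 0, 0, 0,
	[124 + 28 + 16] = 0x30, 0x82, 0x00, 0x00,	/* dummy DER body: SEQUENCE tag first */
};

/* Walk the sample as the kernel would walk the variable; truncate drops its last
 * byte, which must be rejected. Returns 0 on success, -1 on malformed input. */
int sample_mokx_walk(struct sig_counts *c, int truncate)
{
	return walk_signature_lists(sample_mokx_var, sizeof(sample_mokx_var) - (truncate ? 1 : 0), c);
}
```

The point of the size checks is that the variable's contents are supplied by firmware or shim, not by the kernel: every SignatureListSize, SignatureHeaderSize and SignatureSize is validated against the enclosing buffer before it is used to index into it, so an image truncated by a single byte is rejected outright instead of being partially loaded, and a list type without a handler is counted and skipped rather than treated as an error.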