From patchwork Thu Aug 12 02:18:42 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12432245
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 01/14] integrity: Introduce a Linux keyring for the Machine Owner Key (MOK)
Date: Wed, 11 Aug 2021 22:18:42 -0400
Message-Id: <20210812021855.3083178-2-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Many UEFI Linux distributions boot using shim.
The UEFI shim provides what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure Boot DB and MOK keys to validate the next step in the boot chain. The MOK facility can be used to import user-generated keys. These keys can be used to sign an end-user's development kernel build. When Linux boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux .platform keyring.

Add a new Linux keyring called .mok. This keyring shall contain just MOK keys and not the remaining keys in the platform keyring. This new .mok keyring will be used in follow-on patches. Unlike keys in the platform keyring, keys contained in the .mok keyring will be trusted within the kernel if the end-user has chosen to do so.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Removed destroy keyring code
v3: Unmodified from v2
---
 security/integrity/Makefile | 3 ++-
 security/integrity/digsig.c | 1 +
 security/integrity/integrity.h | 3 ++-
 .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
 4 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 security/integrity/platform_certs/mok_keyring.c

diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 7ee39d66cf16..8e2e98cba1f6 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -9,7 +9,8 @@ integrity-y := iint.o integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o -integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o +integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \ + platform_certs/mok_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 3b06a01bd0fd..e07334504ef1 100644 --- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c @@ -30,6 +30,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ".ima", #endif ".platform", + ".mok", }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 547425c20e11..e0e17ccba2e6 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -151,7 +151,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, #define INTEGRITY_KEYRING_EVM 0 #define INTEGRITY_KEYRING_IMA 1 #define INTEGRITY_KEYRING_PLATFORM 2 -#define INTEGRITY_KEYRING_MAX 3 +#define INTEGRITY_KEYRING_MOK 3 +#define INTEGRITY_KEYRING_MAX 4 extern struct dentry *integrity_dir; diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c new file mode 100644 index 000000000000..b1ee45b77731 --- /dev/null +++ b/security/integrity/platform_certs/mok_keyring.c 
@@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * MOK keyring routines. + * + * Copyright (c) 2021, Oracle and/or its affiliates. + */ + +#include "../integrity.h" + +static __init int mok_keyring_init(void) +{ + int rc; + + rc = integrity_init_keyring(INTEGRITY_KEYRING_MOK); + if (rc) + return rc; + + pr_notice("MOK Keyring initialized\n"); + return 0; +} +device_initcall(mok_keyring_init);
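Review bot: in the Makefile hunk, mok_keyring.o is gated on CONFIG_INTEGRITY_PLATFORM_KEYRING next to platform_keyring.o, so the .mok keyring is built on every configuration with a platform keyring, including ones with no UEFI at all, while the objects that could actually populate it (efi_parser.o, load_uefi.o, keyring_handler.o, visible just below) sit under CONFIG_LOAD_UEFI_KEYS. Consider a dedicated Kconfig symbol for the MOK keyring, or tying the object to CONFIG_LOAD_UEFI_KEYS, so an empty keyring is not created where shim can never have supplied keys.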
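Review bot: the integrity.h hunk makes INTEGRITY_KEYRING_MOK 3 and bumps INTEGRITY_KEYRING_MAX to 4, and the digsig.c hunk appends ".mok" as entry 3 of keyring_name[], so the two tables stay in sync only by position; a short comment next to the INTEGRITY_KEYRING_* defines saying that the order must match keyring_name[] would help, and any other array sized by INTEGRITY_KEYRING_MAX now has a slot for the new id that this patch does not show being handled.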
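Review bot: the failure path in mok_keyring_init() returns rc silently while success is announced with pr_notice, so an administrator whose kernel ends up without a .mok keyring gets nothing in dmesg to explain it; a pr_err on failure (and arguably pr_info rather than pr_notice on success) would make the state diagnosable. Two smaller points on the same hunk: kernel style is `static int __init mok_keyring_init(void)` rather than `static __init int`, and creation is routed through integrity_init_keyring(INTEGRITY_KEYRING_MOK) without any change to that function appearing in the series so far, so it should be confirmed that the new id receives the permissions and link restriction intended for a keyring that later patches will treat as trusted.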
From patchwork Thu Aug 12 02:18:43 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12432257
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 02/14] KEYS: CA link restriction
Date: Wed, 11 Aug 2021 22:18:43 -0400
Message-Id: <20210812021855.3083178-3-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA (self-signed).
Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Removed secondary keyring references
v3: Removed restrict_link_by_system_trusted_or_ca
    Simplify restrict_link_by_ca - only see if the key is a CA
    Did not add __init in front of restrict_link_by_ca in case restriction could be reused in the future
---
 crypto/asymmetric_keys/restrict.c | 40 +++++++++++++++++++++++++++++++
 include/crypto/public_key.h | 5 ++++
 2 files changed, 45 insertions(+)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 84cefe3b3585..9ae43d3f862b 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,46 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trusted: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find + * a matching parent certificate in the trusted list. -ENOPKG if the signature + * uses unsupported crypto, or some other error if there is a matching + * certificate but the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + return public_key_verify_signature(pkey, sig); +} + static bool match_either_id(const struct asymmetric_key_ids *pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 47accec68cb0..545af1ea57de 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
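Review bot: restrict_link_by_ca() in the restrict.c hunk only establishes that the certificate's signature verifies under its own public key (public_key_verify_signature(pkey, sig) with the payload's own key), i.e. that it is self-signed; nothing in the function looks at basicConstraints CA:TRUE or keyUsage keyCertSign, so a self-signed end-entity certificate is accepted as a "CA" even though the commit message and the kernel-doc both describe a CA check. Either add the basicConstraints test (which means the X.509 parser has to record it in the key payload) or rename and document the function as a self-signed check. The kernel-doc also needs fixing: the fourth parameter is `trust_keyring` but the comment lists `@trusted: Unused`, and the Returns paragraph about "a matching parent certificate in the trusted list" is carried over from the keyring-based restrictions and does not describe what this function does.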
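Review bot: the new prototype in the public_key.h hunk names its last parameter `trust_keyring`, while the context line immediately above shows the neighbouring restrict_link_by_key_or_keyring_chain() declaration ending in `struct key *trusted);`; since the .c side documents this argument as unused, naming it `trusted` like its siblings (or leaving it unnamed in the header) keeps the declarations consistent.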
in-reply-to : references : content-type : mime-version; s=corp-2021-07-09; bh=mCuAz8xBmsK0VNzAR0lKnBkVqByYbVPDcSK/SpEOrQ4=; b=bAlSrvoL354FZlL8BnPwIMC3gYmvlrOoKwW81aXsc/ccqPtw3+W2PSqyoe7UOlN3RCgu LfvulVPZlHRuqpsxw+/RnnLTjsEVEmEZerKeCHoHlRZ0Lfqr5+BxK690OO6KzXexddcD OzgrUFgCqGyjGDqLAObToFiiGcsaN6wDjVkURKxzyd/S9TU7tPYIUbLl340A99CsxvFl UWFrIuBorJdaICy23XPa7iLLj9I40NmeHDGAEarj2J5UPWbAh+xoJdRduozA5XYSkSgo TvX2v84gB93ZHwovg6MJ2ADtpFaiubkXm1nzq6ienHe46T97DvVYHmHXkJEcty70J82b Mw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-type : mime-version; s=corp-2020-01-29; bh=mCuAz8xBmsK0VNzAR0lKnBkVqByYbVPDcSK/SpEOrQ4=; b=VkF2xS2g4BRe7qBdHMBJ/6KZzRaSGtEuDDLjyKIzJpXjzI1DUvzMkFayxsMuC2+ufbxR vNYMeVT+lq+cawkPu8FF7+iJtSrinjB+boijIRrmRYnC5SfQ5LcW7oPsBuszmSxywA2a ojnutjqOGEWF/LaECCl2AG0JfXXiUl72DXd9SKJNC8X9mv1c6wGCEQJIQHeZmyjS8CyI 2kApcMxTiz9Zf4QzWn7QKZZcUW+Vku2Pt4sLP2Hv17ueB1mqcATymluk4JYQf8CqbXBs 5iSesppOj/e9pIxj3VK5erM9IzmYOceYoQan2h1T3KDEMFqAqE5KSdYPa5n8bqjBTg2H Vg== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 3abt44c6gn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 12 Aug 2021 02:19:25 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17C2GG38143063; Thu, 12 Aug 2021 02:19:24 GMT Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2042.outbound.protection.outlook.com [104.47.66.42]) by userp3030.oracle.com with ESMTP id 3abjw7j7jr-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 12 Aug 2021 02:19:24 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; 
b=AelYal8vrHb3Kc1SRrT3fNfNnvxlSgMc9oC/Nu0/OxieWUKOonufyCTGecuEFcLfahawxQ2ZHwn2YYkSwPFV/a/RgIeJn3V5S+QVsLKRZUc2uRQz0izIIYR+U2Ye7p3AL3alca0l/XNOINXxScG2zH4ZYW+S6nhx59cnG+6B0sddNYMD+9mrTEUeeWrYIaKAfcbcL3Y+u525/aZ5CSpLD6xobmhMKbsrVDh+004lYyzfMzFWXJkowif517eEYSKCmE6kHJmgrkolp6t5qUiEB5l5i7MhY0H2W0zA9mTAFKnIDDCrhNZ6Q3W8JtfXSOu1zJU+rW1cQVPAGl2DgqHLWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mCuAz8xBmsK0VNzAR0lKnBkVqByYbVPDcSK/SpEOrQ4=; b=GfvLO7jz0xNxC51/7hKY9M5uB8PvqLa8FNK3OubEsr6G3vDKqlPJC9tbpnU5Lmf0Va6KFpdZjpK83OkCPCn1o/olKVABxia6SeO9UnFKn5GI5cVam/SJWHtvhi9RKqmNjiWYosUcEQd6rtu9Qu/DO+Rk6dv9y5zqwL8556F/C7j5oqFoibarlKL+OI2QY6PQJ0MOOYgW92IS7zzceTfCQX1x3L5S6e5kTszjd3bzqwNFGsN8rCBdBvjVTy7KRutDMEb6F7v40eQZ/zd47Ha9ke5ErkJRBsYYWxkrF2sfLa7gzot+vls3YmKySibnimyrgAkFDeMs8Q0KJ/Fi9K8mqQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mCuAz8xBmsK0VNzAR0lKnBkVqByYbVPDcSK/SpEOrQ4=; b=pKO76kg94hZRwfpFkBNAlBEnRbHeLykwXLiZjmcP+En3D/uRley3+w5tdnr5LHrmUr8aVB8bPzdB9mkVtm8Q4DfxsDqMFKY3C1KgseL9ShxU8FepNr8/aus7rsLQs+rSWxqR+YaiygMObcYEo+j6Go8EeviTZp6Arrm2JR1sxcg= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=none action=none header.from=oracle.com; Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by CH2PR10MB4168.namprd10.prod.outlook.com (2603:10b6:610:79::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4415.17; Thu, 12 Aug 2021 02:19:22 +0000 Received: from 
CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::bdce:cf4c:518c:fd15%6]) with mapi id 15.20.4394.023; Thu, 12 Aug 2021 02:19:22 +0000 
From: Eric Snowberg To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com Subject: [PATCH v3 03/14] integrity: Trust MOK keys if MokListTrustedRT found Date: Wed, 11 Aug 2021 22:18:44 -0400 Message-Id: <20210812021855.3083178-4-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.18.4 In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com> References: <20210812021855.3083178-1-eric.snowberg@oracle.com> X-ClientProxiedBy: BYAPR05CA0062.namprd05.prod.outlook.com (2603:10b6:a03:74::39) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from localhost.us.oracle.com (148.87.23.9) by BYAPR05CA0062.namprd05.prod.outlook.com (2603:10b6:a03:74::39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.9 via Frontend Transport; Thu, 12 Aug 2021 02:19:20 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: e4f0fc56-8f19-4e8d-303b-08d95d3798d9 X-MS-TrafficTypeDiagnostic: CH2PR10MB4168: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:8882; X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 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 
A new Machine Owner Key (MOK) variable called MokListTrustedRT has been introduced in shim.
When this UEFI variable is set, it indicates the end-user has made the decision themselves that they wish to trust MOK keys within the Linux trust boundary. It is not an error if this variable does not exist. If it does not exist, the MOK keys should not be trusted within the kernel.

MOK variables are mirrored from Boot Services to Runtime Services. When shim sees the new MokTML BS variable, it will create a new variable (before Exit Boot Services is called) called MokListTrustedRT without EFI_VARIABLE_NON_VOLATILE set. Following Exit Boot Services, UEFI variables can only be set and created with SetVariable if both EFI_VARIABLE_RUNTIME_ACCESS & EFI_VARIABLE_NON_VOLATILE are set. Therefore, this cannot be defeated by simply creating a MokListTrustedRT variable from Linux; the existence of EFI_VARIABLE_NON_VOLATILE will cause uefi_check_trust_mok_keys to return false.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Removed mok_keyring_trust_setup function
v3: Unmodified from v2
---
 .../integrity/platform_certs/mok_keyring.c | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index b1ee45b77731..fe4f2d336260 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -5,6 +5,7 @@ * Copyright (c) 2021, Oracle and/or its affiliates. */ +#include #include "../integrity.h" static __init int mok_keyring_init(void)
@@ -19,3 +20,29 @@ static __init int mok_keyring_init(void) return 0; } device_initcall(mok_keyring_init); + +/* + * Try to load the MokListTrustedRT UEFI variable to see if we should trust + * the mok keys within the kernel. It is not an error if this variable + * does not exist. If it does not exist, mok keys should not be trusted + * within the kernel. + */ +static __init bool uefi_check_trust_mok_keys(void) +{ + efi_status_t status; + unsigned int mtrust = 0; + unsigned long size = sizeof(mtrust); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + u32 attr; + + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust); + + /* + * The EFI_VARIABLE_NON_VOLATILE check is to verify MokListTrustedRT + * was set thru shim mirrioring and not by a user from the host os. + * According to the UEFI spec, once EBS is performed, SetVariable() + * will succeed only when both EFI_VARIABLE_RUNTIME_ACCESS & + * EFI_VARIABLE_NON_VOLATILE are set. + */ + return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); +}
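Review bot: in uefi_check_trust_mok_keys() the efi.get_variable call is made without checking that EFI runtime services are available and that GetVariable is in the supported set (booting with efi=noruntime, or firmware advertising a reduced runtime services mask, are the cases to think about); add a guard such as `if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false;` before the call so the function returns "do not trust" instead of calling into an unavailable service. Two smaller points on the same hunk: nothing in this patch calls the new static function, so -Wunused-function will warn until its caller lands (add it together with its first user, or mark it __maybe_unused for the interim), and the comment should read "through shim mirroring" rather than "thru shim mirrioring".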
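The commit message describes why the attribute word, not the variable's contents, is what proves MokListTrustedRT came from shim. As an added illustration (editor-written example code, not part of this patch, of the kernel, or of shim), the program below applies the same rule from userspace to the efivarfs file image of the variable, which is a little-endian u32 of attributes followed by the data. The efivarfs path uses the real EFI_SHIM_LOCK_GUID; the two five-byte sample images are constructed, and on a system where the file is not readable the program evaluates only those samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI variable attribute bits as defined for SetVariable() in the UEFI spec. */
#define EFI_VARIABLE_NON_VOLATILE        0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x00000004u

/* efivarfs file for MokListTrustedRT under EFI_SHIM_LOCK_GUID. */
#define MOKLIST_TRUSTED_RT_PATH \
    "/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23"

/*
 * efivarfs exposes every runtime-accessible variable as a file whose first
 * four bytes are the attributes (little-endian u32), followed by the data.
 * Parse that layout; a buffer shorter than the attribute word is rejected.
 */
static bool efivarfs_parse(const uint8_t *buf, size_t len, uint32_t *attr,
                           const uint8_t **data, size_t *data_len)
{
    if (buf == NULL || len < sizeof(uint32_t))
        return false;
    *attr = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
            ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    *data = buf + sizeof(uint32_t);
    *data_len = len - sizeof(uint32_t);
    return true;
}

/*
 * The patch's decision rule: trust MOK keys only if MokListTrustedRT exists
 * AND was created without EFI_VARIABLE_NON_VOLATILE. After ExitBootServices,
 * SetVariable() only succeeds for variables carrying NON_VOLATILE, so a
 * volatile variable can only have been created by shim before boot services
 * ended, never by software running under the OS.
 */
static bool mok_list_trusted(bool found, uint32_t attr)
{
    return found && !(attr & EFI_VARIABLE_NON_VOLATILE);
}

/* Apply the rule to one efivarfs file image (attribute word + data). */
static bool trust_from_efivarfs_image(const uint8_t *buf, size_t len)
{
    uint32_t attr;
    const uint8_t *data;
    size_t data_len;

    if (!efivarfs_parse(buf, len, &attr, &data, &data_len))
        return false;               /* absent or truncated: do not trust */
    return mok_list_trusted(true, attr);
}

/* Constructed sample: shim's mirrored copy (BS|RT access, volatile). */
static const uint8_t sample_shim_mirrored[] = { 0x06, 0x00, 0x00, 0x00, 0x01 };
/* Constructed sample: the same variable written from a running OS (NV|BS|RT). */
static const uint8_t sample_os_created[]    = { 0x07, 0x00, 0x00, 0x00, 0x01 };

int main(void)
{
    uint8_t buf[64];
    FILE *f = fopen(MOKLIST_TRUSTED_RT_PATH, "rb");

    if (f != NULL) {
        /* Live system: read the real variable image and report the decision. */
        size_t n = fread(buf, 1, sizeof(buf), f);
        fclose(f);
        printf("MokListTrustedRT present, kernel would trust MOK keys: %s\n",
               trust_from_efivarfs_image(buf, n) ? "yes" : "no");
    } else {
        /* No efivarfs or variable absent: show the rule on the constructed samples. */
        printf("MokListTrustedRT not readable here; constructed samples:\n");
        printf("  shim-mirrored (attr 0x06): %s\n",
               trust_from_efivarfs_image(sample_shim_mirrored,
                                         sizeof(sample_shim_mirrored))
                   ? "trust" : "no trust");
        printf("  os-created    (attr 0x07): %s\n",
               trust_from_efivarfs_image(sample_os_created,
                                         sizeof(sample_os_created))
                   ? "trust" : "no trust");
    }
    return 0;
}
```

An administrator can use this on a running system to confirm whether the kernel's MOK trust decision rests on shim's mirrored, volatile variable or on something written after boot; the parser deliberately treats a missing or truncated image the same way the patch treats a GetVariable failure, as "do not trust".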
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 04/14] integrity: add add_to_mok_keyring
Date: Wed, 11 Aug 2021 22:18:45 -0400
Message-Id: <20210812021855.3083178-5-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
Add the ability to load Machine Owner Key (MOK) keys to the mok keyring. If the permissions do not allow the key to be added to the mok keyring, this is not an error; add it to the platform keyring instead.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v3: Unmodified from v1
---
 security/integrity/integrity.h | 4 ++++ .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index e0e17ccba2e6..60d5c7ba05b2 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING void __init add_to_platform_keyring(const char *source, const void *data, size_t len); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) { } +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ +} #endif
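Review bot: the stub in the #else branch is an out-of-line definition placed in a header (`+void __init add_to_mok_keyring(const char *source, const void *data, size_t len)` followed by `+{` and `+}`), unlike the `static inline` stub for add_to_platform_keyring() directly above it; with CONFIG_INTEGRITY_PLATFORM_KEYRING disabled every translation unit that includes integrity.h would emit its own copy and the link would fail with multiple definitions. Make it `static inline void __init add_to_mok_keyring(...) { }` to match the existing stub.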
diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index fe4f2d336260..f260edac0863 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c 
@@ -21,6 +21,27 @@ static __init int mok_keyring_init(void) } device_initcall(mok_keyring_init); +void __init add_to_mok_keyring(const char *source, const void *data, size_t len) +{ + key_perm_t perm; + int rc; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm); + + /* + * If the mok keyring restrictions prevented the cert from loading, + * this is not an error. Just load it into the platform keyring + * instead. + */ + if (rc) + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, + data, len, perm); + + if (rc) + pr_info("Error adding keys to mok keyring %s\n", source); +} + /* * Try to load the MokListTrustedRT UEFI variable to see if we should trust * the mok keys within the kernel. It is not an error if this variable
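Review bot: in add_to_mok_keyring() the fallback is taken on any nonzero rc from the first integrity_load_cert() call, not only when the keyring restriction rejected the certificate as the comment states; a parse failure or -ENOMEM is retried against the platform keyring too, and because rc is overwritten by the second call the original reason is lost when both fail. Consider limiting the fallback to the error the restriction returns and keeping the first rc for the log line. The final `pr_info("Error adding keys to mok keyring %s\n", source)` is also only reached after the platform keyring load failed, so it names the wrong keyring, and as an error path pr_err fits better than pr_info.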
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 05/14] integrity: restrict INTEGRITY_KEYRING_MOK to restrict_link_by_ca
Date: Wed, 11 Aug 2021 22:18:46 -0400
Message-Id: <20210812021855.3083178-6-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
Set the restriction check for INTEGRITY_KEYRING_MOK keys to restrict_link_by_ca.
This will only allow CA keys into the mok keyring.

Signed-off-by: Eric Snowberg
---
v1: Initial version
v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) check so mok keyring gets created even when it isn't enabled
v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca
---
 security/integrity/digsig.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index e07334504ef1..ec94d564c68a 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,7 +132,7 @@ int __init integrity_init_keyring(const unsigned int id) goto out; } - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && id != INTEGRITY_KEYRING_MOK) return 0; restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
@@ -140,6 +140,11 @@ int __init integrity_init_keyring(const unsigned int id) return -ENOMEM; restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MOK) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; + perm |= KEY_USR_WRITE; out:
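Review bot: the unchanged context line `restriction->check = restrict_link_to_ima;` is left in place directly above the new `+ if (id == INTEGRITY_KEYRING_MOK)` / `+ else` / `+ restriction->check = restrict_link_to_ima;` block, so the else branch assigns the same value a second time; turn the original assignment into a `-` line so the if/else is the only place the check is set. Separately, since the first hunk now lets INTEGRITY_KEYRING_MOK past the early `return 0` when CONFIG_INTEGRITY_TRUSTED_KEYRING is off, `perm |= KEY_USR_WRITE` applies to the MOK keyring in that configuration as well; the commit message should say this is intended, because it allows userspace to link keys into the keyring subject only to the restrict_link_by_ca check.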
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 06/14] integrity: accessor function to get trust_moklist
Date: Wed, 11 Aug 2021 22:18:47 -0400
Message-Id: <20210812021855.3083178-7-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Add an accessor function to see if the mok list should be trusted.
Signed-off-by: Eric Snowberg --- v1: Initial version v2: Added trust_moklist function v3: Unmodified from v2 --- security/integrity/integrity.h | 5 +++++ security/integrity/platform_certs/mok_keyring.c | 16 ++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 60d5c7ba05b2..1fcefceb0da1 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -279,6 +279,7 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) void __init add_to_platform_keyring(const char *source, const void *data, size_t len); void __init add_to_mok_keyring(const char *source, const void *data, size_t len); +bool __init trust_moklist(void); #else static inline void __init add_to_platform_keyring(const char *source, const void *data, size_t len) @@ -287,4 +288,8 @@ static inline void __init add_to_platform_keyring(const char *source, void __init add_to_mok_keyring(const char *source, const void *data, size_t len) { } +static inline bool __init trust_moklist(void) +{ + return false; +} #endif diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c index f260edac0863..c7820d9136f3 100644 --- a/security/integrity/platform_certs/mok_keyring.c +++ b/security/integrity/platform_certs/mok_keyring.c @@ -8,6 +8,8 @@ #include #include "../integrity.h" +bool trust_mok; + static __init int mok_keyring_init(void) { int rc; 
@@ -67,3 +69,17 @@ static __init bool uefi_check_trust_mok_keys(void) */ return (status == EFI_SUCCESS && (!(attr & EFI_VARIABLE_NON_VOLATILE))); } + +bool __init trust_moklist(void) +{ + static bool initialized; + + if (!initialized) { + initialized = true; + + if (uefi_check_trust_mok_keys()) + trust_mok = true; + } + + return trust_mok; +}
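Review bot: `bool trust_mok;` in the `@@ -8,6 +8,8 @@` hunk of mok_keyring.c has external linkage but no declaration in any header this patch touches, and the only reader visible is trust_moklist() in the same file; make it `static bool trust_mok;` (sparse will otherwise ask whether it should be static), and since its only writer is the `__init` function below, `__ro_after_init` would keep the trust decision from being flipped after boot. If a later patch in the series needs it from another file, add an `extern` declaration to integrity.h rather than leaving it implicitly global.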
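Review bot: trust_moklist() in the `@@ -67,3 +69,17 @@` hunk is not a pure accessor: on first call it evaluates uefi_check_trust_mok_keys() and latches the result in trust_mok, so the commit message's "see if the mok list should be trusted" undersells it. Add a comment above the function stating that the decision is made once, cached, and only valid from init context (the prototype added to integrity.h is `bool __init trust_moklist(void);`, so any non-init caller would be a section mismatch), and say in the commit message that the first call is what performs the EFI variable attribute check.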
From patchwork Thu Aug 12 02:18:48 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12432235
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 07/14] integrity: add new keyring handler for mok keys
Date: Wed, 11 Aug 2021 22:18:48 -0400
Message-Id: <20210812021855.3083178-8-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Currently both Secure Boot DB and Machine Owner Keys (MOK) go through the same keyring handler (get_handler_for_db).
With the addition of the new mok keyring, the end-user may choose to trust MOK keys. Introduce a new keyring handler specific for mok keys. If mok keys are trusted by the end-user, use the new keyring handler instead. Signed-off-by: Eric Snowberg --- v1: Initial version v3: Only change the keyring handler if the secondary is enabled --- .../integrity/platform_certs/keyring_handler.c | 17 ++++++++++++++++- .../integrity/platform_certs/keyring_handler.h | 5 +++++ security/integrity/platform_certs/load_uefi.c | 4 ++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..b6daeb1e3de5 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -66,7 +66,7 @@ static __init void uefi_revocation_list_x509(const char *source, /* * Return the appropriate handler for particular signature list types found in - * the UEFI db and MokListRT tables. + * the UEFI db tables. */ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) { @@ -75,6 +75,21 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) return 0; } +/* + * Return the appropriate handler for particular signature list types found in + * the MokListRT tables. + */ +__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { + if (IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING) && trust_moklist()) + return add_to_mok_keyring; + else + return add_to_platform_keyring; + } + return 0; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 2462bfa08fe3..284558f30411 100644 
--- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -24,6 +24,11 @@ void blacklist_binary(const char *source, const void *data, size_t len); */ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); +/* + * Return the handler for particular signature list types found in the mok. + */ +efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); + /* * Return the handler for particular signature list types found in the dbx. */ diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index f290f78c3f30..c1bfd1cd7cc3 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -94,7 +94,7 @@ static int __init load_moklist_certs(void) rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_mok); /* All done if that worked. */ if (!rc) return rc; 
@@ -109,7 +109,7 @@ static int __init load_moklist_certs(void) mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + mok, moksize, get_handler_for_mok); kfree(mok); if (rc) pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
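Review bot: in get_handler_for_mok() (`@@ -75,6 +75,21 @@` in keyring_handler.c) the `else` after `return add_to_mok_keyring;` is redundant; make the fallback an unconditional `return add_to_platform_keyring;`. The `IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING) &&` test also encodes the policy "MOK keys are only trusted when the secondary keyring exists" at a single call site; folding it into trust_moklist() so that it returns false whenever the secondary keyring is disabled gives one source of truth, which matters because patch 08 gates set_mok_trusted_keys() on the same config symbol. A one-line comment that untrusted x509 MOK entries silently fall back to the platform keyring would also save the next reader a trip to the commit message.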
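Review bot: the two load_uefi.c hunks (`@@ -94,7 +94,7 @@` and `@@ -109,7 +109,7 @@`) switch both MokListRT sources, the MOKvar table and the MokListRT EFI variable, to get_handler_for_mok, so keys from either source can now land in the trusted .mok keyring. That looks intended, but the commit message only says "use the new keyring handler"; state explicitly that the trust decision is made by trust_moklist() (the attribute check in uefi_check_trust_mok_keys()) and not by which of the two sources supplied the list, since a reader of these hunks cannot tell whether the fallback path was meant to be treated differently. The dbx/MokListXRT path is untouched and still uses get_handler_for_dbx, which is correct.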
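The two decisions described by patches 06 and 07 above, as an added example that is not part of the series or of the kernel: a user-space C model of the trust test behind trust_moklist() (the variable read succeeds and EFI_VARIABLE_NON_VOLATILE is clear in its attributes) and of the per-signature-type routing in get_handler_for_mok(), applied to a bounds-checked walk over the EFI_SIGNATURE_LIST structures that MokListRT carries, which is the job parse_efi_signature_list() does in the kernel. It assumes that the variable being checked is MokListTrustedRT as exposed through efivarfs (whose files start with a 4-byte little-endian attribute word); that name is not on this page. The EFI_SIGNATURE_LIST layout and the EFI_CERT_X509 and EFI_CERT_SHA256 GUID values are the UEFI specification's. Every input is constructed inside the block, and the file name in the build command is hypothetical.

```c
/*
 * Added example, not kernel code: a user-space model of (1) the MOK trust
 * test behind trust_moklist() and (2) the per-signature-type routing of
 * get_handler_for_mok(), run over constructed in-memory inputs.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EFI_VARIABLE_NON_VOLATILE 0x1u

enum dest { DEST_IGNORED, DEST_PLATFORM, DEST_MOK };
struct tally { unsigned mok, platform, ignored; };

/* UEFI spec GUIDs in memory byte order: EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID */
static const uint8_t efi_cert_x509_guid[16] = { 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94,
	0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
static const uint8_t efi_cert_sha256_guid[16] = { 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50,
	0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)
{
	for (int i = 0; i < 4; i++)
		p[i] = v >> (8 * i);
}

/*
 * img/len: raw contents of the efivarfs file for MokListTrustedRT (assumed name; efivarfs
 * prefixes the data with the 4-byte little-endian attribute word). Returns 1 = trusted,
 * 0 = variable is non-volatile so not trusted, -1 = unreadable (kernel: not trusted).
 */
int mok_list_trusted(const uint8_t *img, size_t len)
{
	if (!img || len < 4)
		return -1;
	return (le32(img) & EFI_VARIABLE_NON_VOLATILE) ? 0 : 1;
}

/* Mirrors get_handler_for_mok(): only x509 entries load; .mok if trusted, else .platform. */
enum dest handler_for_mok(const uint8_t sig_type[16], int trusted)
{
	if (memcmp(sig_type, efi_cert_x509_guid, 16) != 0)
		return DEST_IGNORED;
	return trusted ? DEST_MOK : DEST_PLATFORM;
}

/*
 * Walk concatenated EFI_SIGNATURE_LISTs: 16-byte SignatureType, u32 SignatureListSize,
 * SignatureHeaderSize and SignatureSize, the header, then fixed-size entries. Every size
 * is checked against the buffer so a malformed list cannot over-read. 0 = ok, -1 = malformed.
 */
int route_signature_lists(const uint8_t *buf, size_t len, int trusted, struct tally *t)
{
	size_t off = 0;
	memset(t, 0, sizeof(*t));
	while (off < len) {
		const uint8_t *sl = buf + off;
		uint32_t list_size, hdr_size, sig_size, n;
		if (len - off < 28)
			return -1;
		list_size = le32(sl + 16); hdr_size = le32(sl + 20); sig_size = le32(sl + 24);
		if (list_size < 28 || list_size > len - off || sig_size < 16 ||
		    hdr_size > list_size - 28 || (list_size - 28 - hdr_size) % sig_size)
			return -1;
		n = (list_size - 28 - hdr_size) / sig_size;	/* entries in this list */
		switch (handler_for_mok(sl, trusted)) {
		case DEST_MOK:      t->mok += n;      break;
		case DEST_PLATFORM: t->platform += n; break;
		default:            t->ignored += n;  break;
		}
		off += list_size;
	}
	return 0;
}

/* Constructed MokListRT: an x509 list of two 40-byte dummy certs, then a sha256 list of one hash. */
size_t sample_moklist(uint8_t *out)
{
	size_t n = 0;
	for (int i = 0; i < 2; i++) {
		uint32_t sig_size = i ? 16 + 32 : 16 + 40, list_size = 28 + (i ? 1 : 2) * sig_size;
		memcpy(out + n, i ? efi_cert_sha256_guid : efi_cert_x509_guid, 16);
		put32(out + n + 16, list_size);
		put32(out + n + 20, 0);				/* no SignatureHeader */
		put32(out + n + 24, sig_size);
		memset(out + n + 28, 0xee, list_size - 28);	/* dummy owner GUIDs and payloads */
		n += list_size;
	}
	return n;	/* 140 + 76 = 216 bytes */
}

int main(void)
{
	static const uint8_t vol_img[5] = { 0x06, 0, 0, 0, 1 };	/* constructed: attrs BS|RT, volatile */
	uint8_t mok[256];
	struct tally t;
	int trusted = mok_list_trusted(vol_img, 5) == 1;
	route_signature_lists(mok, sample_moklist(mok), trusted, &t);
	return (trusted && t.mok == 2 && t.platform == 0 && t.ignored == 1) ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall mok_route.c` (hypothetical file name); the exit status is 0 when the volatile MokListTrustedRT image routes both x509 entries to .mok and skips the hash entry, and changing the attribute byte to 0x07 (NV|BS|RT) moves them to .platform. On a live system the equivalent check is to read the efivarfs file into `img` and pass it to mok_list_trusted(); the kernel takes the same decision once, in trust_moklist(), and caches it for the rest of boot.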
From patchwork Thu Aug 12 02:18:49 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12432239
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 08/14] KEYS: add a reference to mok keyring
Date: Wed, 11 Aug 2021 22:18:49 -0400
Message-Id: <20210812021855.3083178-9-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Expose the .mok keyring created in integrity code by adding a reference. This makes the mok keyring accessible for keyring restrictions in the future.

Signed-off-by: Eric Snowberg --- v2: Initial version v3: set_mok_trusted_keys only available when secondary is enabled --- certs/system_keyring.c | 5 +++++ include/keys/system_keyring.h | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 692365dee2bd..2baf5447b116 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -21,6 +21,7 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; +static struct key *mok_trusted_keys; #endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys;
@@ -90,6 +91,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } +void __init set_mok_trusted_keys(struct key *keyring) +{ + mok_trusted_keys = keyring; +} #endif /* diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 6acd3cf13a18..4fe9cca58685 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -34,8 +34,12 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern void __init set_mok_trusted_keys(struct key *keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +static inline void __init set_mok_trusted_keys(struct key *keyring) +{ +} #endif extern struct pkcs7_message *pkcs7;
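Review bot: set_mok_trusted_keys() in the `@@ -90,6 +91,10 @@` hunk of certs/system_keyring.c stores the pointer without taking a reference, and mok_trusted_keys has no reader anywhere in this patch. Document above the setter that the caller must pass a keyring that lives for the lifetime of the kernel (which the commit message implies for the .mok keyring), and consider `static struct key *mok_trusted_keys __ro_after_init;` since the setter is `__init`: the keyring that later keyring restrictions will consult should not be re-pointable after boot.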
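Review bot: in include/keys/system_keyring.h (`@@ -34,8 +34,12 @@`) the prototype and the `#else` stub are correctly paired under CONFIG_SECONDARY_TRUSTED_KEYRING, but neither carries a comment; add a kerneldoc line on set_mok_trusted_keys() naming the keyring it expects (the .mok keyring created in integrity code) and stating that it must be called during init, matching the `__init` on both the declaration and the stub.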
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 09/14] KEYS: Introduce link restriction to include builtin, secondary and mok keys
Date: Wed, 11 Aug 2021 22:18:50 -0400
Message-Id: <20210812021855.3083178-10-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Introduce a new link restriction that includes the trusted builtin, secondary and mok
keys. The restriction is based on the key to be added being vouched for by a key in any of these three keyrings.

Suggested-by: Mimi Zohar
Signed-off-by: Eric Snowberg
---
v3: Initial version
---
 certs/system_keyring.c | 23 +++++++++++++++++++++++
 include/keys/system_keyring.h | 6 ++++++
 2 files changed, 29 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 2baf5447b116..cb773e09ea67 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -74,6 +74,29 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } +/** + * restrict_link_by_builtin_secondary_and_ca_trusted + * + * Restrict the addition of keys into a keyring based on the key-to-be-added + * being vouched for by a key in either the built-in, the secondary, or + * the mok keyrings. + */ +int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key) +{ + if (mok_trusted_keys && type == &key_type_keyring && + dest_keyring == secondary_trusted_keys && + payload == &mok_trusted_keys->payload) + /* Allow the mok keyring to be added to the secondary */ + return 0; + + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type, + payload, restrict_key); +} + /** * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init().
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 4fe9cca58685..c9fcbfada567 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h
@@ -34,9 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +extern int restrict_link_by_builtin_secondary_and_ca_trusted( + struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restrict_key); extern void __init set_mok_trusted_keys(struct key *keyring); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_builtin_secondary_and_ca_trusted restrict_link_by_builtin_trusted static inline void __init set_mok_trusted_keys(struct key *keyring) { }
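Review bot: The `/** ... */` block above `restrict_link_by_builtin_secondary_and_ca_trusted()` in the certs/system_keyring.c hunk is parsed as kernel-doc but carries no `@dest_keyring:`, `@type:`, `@payload:` or `@restrict_key:` descriptions and no `Return:` section, so it will draw kernel-doc warnings; please add them. The comment also says the key must be vouched for by "the built-in, the secondary, or the mok keyrings", yet the body only special-cases linking the .mok keyring itself (`payload == &mok_trusted_keys->payload` into `secondary_trusted_keys`) and otherwise delegates unchanged to `restrict_link_by_builtin_and_secondary_trusted()`; keys held in .mok can only vouch once that keyring has been linked into the secondary keyring, which is worth stating so readers do not assume the function searches .mok directly. Lastly the name ends in `_ca_trusted` while the comment, the check and the neighbouring `set_mok_trusted_keys()` all speak of the mok keyring; `_and_mok_trusted` would match what the function does.

Review bot: In the include/keys/system_keyring.h hunk the new prototype names its last parameter `restrict_key` while the declaration immediately above it uses `restriction_key` for the same argument; pick one so the two read consistently. The `#else` fallback `#define restrict_link_by_builtin_secondary_and_ca_trusted restrict_link_by_builtin_trusted` follows the existing pattern for the secondary restriction and is the right choice: with no secondary keyring there is nothing for the .mok keyring to be linked into, so only builtin keys can vouch.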
From patchwork Thu Aug 12 02:18:51 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12432255
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 10/14] KEYS: change link restriction for secondary to also trust mok
Date: Wed, 11 Aug 2021 22:18:51 -0400
Message-Id: <20210812021855.3083178-11-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

With the introduction of the mok keyring, the end-user may choose to trust Machine Owner Keys (MOK) within the kernel.
If they have chosen to trust them, the .mok keyring will contain these keys. If not, the mok keyring will always be empty. Update the restriction check to allow the secondary trusted keyring to also trust mok keys.

Signed-off-by: Eric Snowberg
---
v3: Initial version
---
 certs/system_keyring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index cb773e09ea67..8cc19a1ff051 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -110,7 +110,7 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void if (!restriction) panic("Can't allocate secondary trusted keyring restriction\n"); - restriction->check = restrict_link_by_builtin_and_secondary_trusted; + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted; return restriction; }
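Review bot: Once `restriction->check` points at `restrict_link_by_builtin_secondary_and_ca_trusted`, the enclosing `get_builtin_and_secondary_restriction()` and its comment ("builtin and secondary trust" keyring, visible in the 09/14 context) describe a narrower policy than the one actually installed; rename or at least reword the comment, because this one-line change is the point at which the secondary keyring starts accepting the .mok keyring link. The commit message relies on .mok being empty when the user has not opted in to keep this a no-op in that case; a short comment next to the assignment saying so would save the next reader from re-deriving it.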
From patchwork Thu Aug 12 02:18:52 2021
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12432251
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 11/14] KEYS: link secondary_trusted_keys to mok trusted keys
Date: Wed, 11 Aug 2021 22:18:52 -0400
Message-Id: <20210812021855.3083178-12-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Allow the .mok keyring to be linked to the secondary_trusted_keys. After the link is created, keys contained in the .mok keyring will automatically be searched when searching secondary_trusted_keys.

Signed-off-by: Eric Snowberg
---
v3: Initial version
---
 certs/system_keyring.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 8cc19a1ff051..f6fcd53e3a0e 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -117,6 +117,9 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void void __init set_mok_trusted_keys(struct key *keyring) { mok_trusted_keys = keyring; + + if (key_link(secondary_trusted_keys, mok_trusted_keys) < 0) + panic("Can't link (mok) trusted keyrings\n"); } #endif
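Review bot: The statement order in `set_mok_trusted_keys()` is load-bearing and deserves a comment: `mok_trusted_keys = keyring;` must come before the `key_link()` call, because the check introduced in 09/14 and installed in 10/14 admits this link only when `payload == &mok_trusted_keys->payload`, so swapping the two lines in a later refactor would trip the `panic()`. The link is also made unconditionally, so an empty .mok keyring (the opt-out case described in the 10/14 commit message) is still linked; that is harmless, but a one-line note saying so would stop reviewers from asking whether the empty case needs a guard. Panicking on a failed link matches the existing `Can't allocate secondary trusted keyring restriction` handling in this file, so no objection there.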
From patchwork Thu Aug 12 02:18:53 2021
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 12/14] integrity: Do not allow mok keyring updates following init
Date: Wed, 11 Aug 2021 22:18:53 -0400
Message-Id: <20210812021855.3083178-13-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
The mok keyring is set up during init. No additional keys should be allowed to be added afterwards. Leave the permission as read only.

Signed-off-by: Eric Snowberg
---
v2: Initial version
v3: Unmodified from v2
---
 security/integrity/digsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index ec94d564c68a..0601ef458e03 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -145,7 +145,8 @@ int __init integrity_init_keyring(const unsigned int id) else restriction->check = restrict_link_to_ima; - perm |= KEY_USR_WRITE; + if (id != INTEGRITY_KEYRING_MOK) + perm |= KEY_USR_WRITE; out: return __integrity_init_keyring(id, perm, restriction);
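Review bot: the hunk clears only KEY_USR_WRITE for INTEGRITY_KEYRING_MOK, while the rest of `perm` is assembled before this hunk and is not shown, so the commit message's "read only" claim should spell out which bits remain (possessor, search and link in particular); KEY_USR_WRITE is what lets root add keys through keyctl on its own behalf, whereas the in-kernel link restriction assigned to `restriction->check` two lines above is what actually stops a signed-but-untrusted key being linked, and both need to hold for the keyring to be immutable after init. Please add a short comment on the new `if` saying that the .mok keyring is populated only from firmware at init and is therefore not user-writable; the special case is otherwise silent. The existing `perm |= KEY_USR_WRITE` is kept for the other integrity keyrings, so their behaviour is unchanged.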
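The "read only" claim in 12/14 can be checked from userspace after boot by decoding the permission column of /proc/keys. The decoder below is an added example written for this page, not code from the patch series or the kernel tree. The /proc/keys lines it parses are constructed: the serials, uids and every bit other than KEY_USR_WRITE are illustrative, and the only assumption taken from the hunk is that .ima keeps KEY_USR_WRITE while .mok has it cleared. The bit layout follows include/linux/key.h (possessor bits 24..29, user 16..21, group 8..13, other 0..5; within each field VIEW, READ, WRITE, SEARCH, LINK, SETATTR from least significant).

```python
"""Decode the permission column of /proc/keys to see which keyrings root may write to.

Added example for this page, not code from the patch series. The sample
/proc/keys lines are constructed; only the KEY_USR_WRITE difference between
.ima and .mok is taken from the 12/14 hunk, every other bit is illustrative.
"""
import re

PERM_NAMES = ("view", "read", "write", "search", "link", "setattr")
SUBJECT_SHIFT = {"pos": 24, "usr": 16, "grp": 8, "oth": 0}

# Constructed sample; on a real system this is `cat /proc/keys` as root.
# Columns: serial flags usage timeout perm uid gid type description
SAMPLE_PROC_KEYS = """\
0d2f1a3c I------     1 perm 1f0f0000     0     0 keyring   .ima: 3
2b7c9e11 I------     1 perm 1f0b0000     0     0 keyring   .mok: 2
3a90f0e5 I------     1 perm 1f0b0000     0     0 keyring   .platform: 9
4c11d7aa I--Q---     1 perm 3f010000  1000  1000 user      kmk
"""

LINE_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>\S{7})\s+(?P<usage>\d+)\s+"
    r"(?P<timeout>\S+)\s+(?P<perm>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<desc>.*)$"
)


def decode_perm(perm):
    """Map each subject (pos/usr/grp/oth) to the set of rights its 6-bit field grants."""
    return {
        subject: {name for i, name in enumerate(PERM_NAMES) if (perm >> shift) & (1 << i)}
        for subject, shift in SUBJECT_SHIFT.items()
    }


def parse_proc_keys(text):
    """Yield (description, key type, perm as int) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # a truncated or foreign line is ignored, not guessed at
        yield m["desc"], m["type"], int(m["perm"], 16)


def user_writable_keyrings(text):
    """Names of keyrings whose mask still carries KEY_USR_WRITE (root can keyctl add into them)."""
    names = []
    for desc, ktype, perm in parse_proc_keys(text):
        if ktype != "keyring":
            continue
        name = desc.split(":", 1)[0]  # keyring descriptions read "<name>: <key count>"
        if "write" in decode_perm(perm)["usr"]:
            names.append(name)
    return names


if __name__ == "__main__":
    for desc, ktype, perm in parse_proc_keys(SAMPLE_PROC_KEYS):
        rights = decode_perm(perm)
        print(f"{desc:<16} {ktype:<8} {perm:08x} usr={sorted(rights['usr'])}")
    print("user-writable keyrings:", user_writable_keyrings(SAMPLE_PROC_KEYS))
```

On a patched kernel with trust_moklist() true, the .mok line should decode with no "write" in the usr field while .ima still has it; if .mok shows "write", the KEY_USR_WRITE path in integrity_init_keyring() was not taken for that keyring.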
From patchwork Thu Aug 12 02:18:54 2021
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 13/14] integrity: store reference to mok keyring
Date: Wed, 11 Aug 2021 22:18:54 -0400
Message-Id: <20210812021855.3083178-14-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
Store a reference to the mok keyring in system keyring code. The reference is only set when trust_moklist is true. This prevents the mok keyring from linking to the secondary trusted keyrings with an empty mok list.

Signed-off-by: Eric Snowberg
---
v2: Initial version
v3: Unmodified from v2
---
 security/integrity/digsig.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0601ef458e03..996bea950972 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -112,6 +112,8 @@ static int __init __integrity_init_keyring(const unsigned int id, } else { if (id == INTEGRITY_KEYRING_PLATFORM) set_platform_trusted_keys(keyring[id]); + if (id == INTEGRITY_KEYRING_MOK && trust_moklist()) + set_mok_trusted_keys(keyring[id]); if (id == INTEGRITY_KEYRING_IMA) load_module_cert(keyring[id]); }
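Review bot: set_mok_trusted_keys() does a key_link() into secondary_trusted_keys (11/14), so the new call site depends on system_trusted_keyring_init() having already created that keyring by the time __integrity_init_keyring() runs; that initcall ordering is invisible here and deserves a comment next to the new `if`, since a reordering would turn the 11/14 panic() into a boot failure. Likewise set_mok_trusted_keys() sits inside an #ifdef block in certs/system_keyring.c (the 11/14 hunk ends at an #endif), so configurations that compile it out need an inline no-op stub for this call to build; either show the stub here or reference the patch in the series that adds it. The trust_moklist() gate does match the stated goal that an untrusted or empty MOK list is never linked into the secondary keyring, and taking that decision once at init is consistent with 12/14 making the keyring read-only afterwards.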
From patchwork Thu Aug 12 02:18:55 2021
From: Eric Snowberg
To: keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, scott.branden@broadcom.com, weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, James.Bottomley@HansenPartnership.com, pjones@redhat.com, glin@suse.com, konrad.wilk@oracle.com
Subject: [PATCH v3 14/14] integrity: change ima link restriction to include mok keys
Date: Wed, 11 Aug 2021 22:18:55 -0400
Message-Id: <20210812021855.3083178-15-eric.snowberg@oracle.com>
In-Reply-To: <20210812021855.3083178-1-eric.snowberg@oracle.com>
References: <20210812021855.3083178-1-eric.snowberg@oracle.com>
With the introduction of the mok keyring, the end-user may choose to trust Machine Owner Keys (MOK) within the kernel. If they have chosen to trust them, the .mok keyring will contain these keys. If not, the mok keyring will always be empty. Update the restriction check to allow the ima keyring to also trust mok keys when the secondary keyring is also trusted.

Signed-off-by: Eric Snowberg
---
v3: Initial version
---
 security/integrity/digsig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 996bea950972..1419ff4fc2b9 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,7 +34,7 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY -#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#define restrict_link_to_ima restrict_link_by_builtin_secondary_and_ca_trusted #else #define restrict_link_to_ima restrict_link_by_builtin_trusted #endif
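Review bot: the Kconfig help for CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY still describes trusting keys signed by the builtin or secondary keyrings, but after this hunk the same option also admits keys vouched for by the .mok keyring, so that help text (and the option name, if it no longer fits) should be updated in this patch rather than left to drift. The commit message should also say what restrict_link_by_builtin_secondary_and_ca_trusted checks that restrict_link_by_builtin_and_secondary_trusted did not: 11/14 already links .mok into secondary_trusted_keys so that a search of the secondary keyring finds MOK keys, which implies the new function is about the CA-only semantics its `_ca_trusted` suffix suggests rather than mere reachability, and that is the policy change a reviewer needs spelled out. The function is not defined in this hunk, so a pointer to the patch in the series that introduces it would help as well.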