From patchwork Tue Mar 1 17:36:48 2022
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 12764978
From: Eric Snowberg
To: zohar@linux.ibm.com, jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, stefanb@linux.ibm.com, nayna@linux.ibm.com, mic@linux.microsoft.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 1/4] KEYS: Create static version of public_key_verify_signature
Date: Tue, 1 Mar 2022 12:36:48 -0500
Message-Id: <20220301173651.3435350-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20220301173651.3435350-1-eric.snowberg@oracle.com>
References: <20220301173651.3435350-1-eric.snowberg@oracle.com>
X-Mailing-List: keyrings@vger.kernel.org

The kernel test robot reports undefined reference to public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined.
Create a static version in this case and return -EINVAL.

Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 68f7aa2a7e55..6d61695e1cde 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
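Review bot: the new static inline stub returns -EINVAL, which a caller such as a link restriction treats as "reject", so the stub fails closed; that is the right direction and worth a sentence in the commit message. Consider -ENOPKG instead, the errno restrict.c already uses when the asymmetric crypto payload is missing, since it names the actual cause (no verification code built in) rather than a bad argument. The stub also leaves `pkey` and `sig` unreferenced, which is fine for a static inline, but a one-line comment saying the parameters are intentionally ignored spares the next reader a trip to the Kconfig.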

From: Eric Snowberg
To: zohar@linux.ibm.com, jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, stefanb@linux.ibm.com, nayna@linux.ibm.com, mic@linux.microsoft.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 2/4] X.509: Parse Basic Constraints for CA
Date: Tue, 1 Mar 2022 12:36:49 -0500
Message-Id: <20220301173651.3435350-3-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20220301173651.3435350-1-eric.snowberg@oracle.com>
References: <20220301173651.3435350-1-eric.snowberg@oracle.com>

Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
        cA BOOLEAN DEFAULT FALSE,
        pathLenConstraint INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in a new public_key field called key_is_ca. This will be used in a follow-on patch that requires knowing if the public key is a CA.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
 include/crypto/public_key.h               | 1 +
 2 files changed, 10 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 2899ed80bb18..38c907f4ce27 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -583,6 +583,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_is_ca = true; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..0521241764b7 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
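Review bot: in the new `if (ctx->last_oid == OID_basicConstraints)` block, `v[1]` is read before anything guarantees `vlen >= 2`, and `v[2]` and `v[3]` are read whenever `v[1] != 0`, so an extension whose SEQUENCE carries only one or two content bytes (`v[1]` of 1 or 2) turns `v[3]` into a read past the end of the extension value; add `if (vlen < 2) return -EBADMSG;` ahead of the `v[1] != vlen - 2` test and guard the BOOLEAN read with `vlen >= 4`. Separately, `v[3] == 1` only recognizes a TRUE encoded as 0x01, but DER (X.690 clause 11.1) requires TRUE to be encoded as 0xFF, which is what OpenSSL-generated certificates carry, so a genuine CA certificate would leave key_is_ca false; compare against 0xFF and treat any other non-zero byte as a malformed (non-DER) encoding. The pathLenConstraint that may follow the BOOLEAN is left unparsed, which the commit message should state explicitly since it quotes the full structure.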
@@ -26,6 +26,7 @@ struct public_key { void *params; u32 paramlen; bool key_is_private; + bool key_is_ca; const char *id_type; const char *pkey_algo; };
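Review bot: `key_is_ca` joins `key_is_private` as a second bare bool on struct public_key; if further X.509 attributes are going to be carried the same way (key usage, for instance), a single flags word with named bits would keep the struct from growing one bool per attribute. Either way the new field deserves a comment saying that only the X.509 parser ever sets it, so it is false for a public key that arrives by any other route.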
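The BasicConstraints structure quoted in the commit message above, parsed in a stand-alone C example added here (not code from the patch series or from the kernel). It goes a step beyond the patch, which stores only the cA flag: it also reads pathLenConstraint, keeps a length check ahead of every byte read, and compares the BOOLEAN against the DER encoding of TRUE (0xFF). The ASN1_* constants are the universal ASN.1 tag numbers; the struct, function and sample names are this example's own, and the sample byte strings are constructed.

```c
/*
 * Added example (not from the patch series): bounds-checked parser for the
 * DER value of the X.509 BasicConstraints extension,
 *   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
 *                                   pathLenConstraint INTEGER (0..MAX) OPTIONAL }
 * ASN1_* are the universal tag numbers; struct, function and sample names are
 * this example's own, and the sample byte strings are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASN1_BOOL     0x01
#define ASN1_INT      0x02
#define ASN1_SEQ      0x10
#define ASN1_CONS_BIT 0x20

struct basic_constraints {
	bool ca;          /* cA flag, false when the BOOLEAN is absent */
	bool has_pathlen; /* pathLenConstraint present */
	long pathlen;     /* its value when present */
};

/* 0 on success, -1 for a malformed or non-DER value (the kernel parser would
 * return -EBADMSG). Every read of v[] is preceded by a length check. */
int parse_basic_constraints(const uint8_t *v, size_t vlen,
			    struct basic_constraints *bc)
{
	size_t pos;

	bc->ca = false;
	bc->has_pathlen = false;
	bc->pathlen = -1;

	/* Outer SEQUENCE: constructed tag, short-form length spanning the value. */
	if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
		return -1;
	if ((v[1] & 0x80) || v[1] != vlen - 2)
		return -1;
	pos = 2;

	/* Optional cA BOOLEAN: tag, length 1, DER TRUE is 0xFF (X.690 11.1). */
	if (pos < vlen && v[pos] == ASN1_BOOL) {
		if (vlen - pos < 3 || v[pos + 1] != 1)
			return -1;
		if (v[pos + 2] == 0xFF)
			bc->ca = true;
		else if (v[pos + 2] != 0x00)
			return -1; /* 0x01 and friends are BER, not DER */
		pos += 3;
	}

	/* Optional pathLenConstraint INTEGER: 1..4 content bytes, non-negative. */
	if (pos < vlen && v[pos] == ASN1_INT) {
		size_t i, ilen;

		if (vlen - pos < 2)
			return -1;
		ilen = v[pos + 1];
		if (ilen == 0 || ilen > 4 || vlen - pos - 2 < ilen || (v[pos + 2] & 0x80))
			return -1;
		bc->pathlen = 0;
		for (i = 0; i < ilen; i++)
			bc->pathlen = (bc->pathlen << 8) | v[pos + 2 + i];
		bc->has_pathlen = true;
		pos += 2 + ilen;
	}

	/* Trailing bytes after the two optional fields are not BasicConstraints. */
	return pos == vlen ? 0 : -1;
}

/* 1 = CA, 0 = not a CA, -1 = malformed: the answer a link restriction needs. */
int ca_flag_of(const uint8_t *v, size_t vlen)
{
	struct basic_constraints bc;

	return parse_basic_constraints(v, vlen, &bc) ? -1 : (bc.ca ? 1 : 0);
}

/* pathLenConstraint value, -1 if absent, -2 if malformed. */
long pathlen_of(const uint8_t *v, size_t vlen)
{
	struct basic_constraints bc;

	if (parse_basic_constraints(v, vlen, &bc))
		return -2;
	return bc.has_pathlen ? bc.pathlen : -1;
}

/* Constructed extension values (without the OID/critical wrapper). */
static const uint8_t SAMPLE_CA[] = { 0x30, 0x03, 0x01, 0x01, 0xFF };
static const uint8_t SAMPLE_CA_PATHLEN[] = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 };
static const uint8_t SAMPLE_END_ENTITY[] = { 0x30, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x30, 0x02, 0x01, 0x01 }; /* BOOLEAN body missing */
static const uint8_t SAMPLE_BER_TRUE[] = { 0x30, 0x03, 0x01, 0x01, 0x01 }; /* TRUE as 0x01 */

int main(void)
{
	printf("CA: %d  CA+pathlen: %d/%ld  end entity: %d  truncated: %d  BER TRUE: %d\n",
	       ca_flag_of(SAMPLE_CA, sizeof SAMPLE_CA),
	       ca_flag_of(SAMPLE_CA_PATHLEN, sizeof SAMPLE_CA_PATHLEN),
	       pathlen_of(SAMPLE_CA_PATHLEN, sizeof SAMPLE_CA_PATHLEN),
	       ca_flag_of(SAMPLE_END_ENTITY, sizeof SAMPLE_END_ENTITY),
	       ca_flag_of(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
	       ca_flag_of(SAMPLE_BER_TRUE, sizeof SAMPLE_BER_TRUE));
	return 0;
}
```

SAMPLE_TRUNCATED is the shape that matters for the patch: its SEQUENCE length byte is consistent with vlen, so the `v[1] != vlen - 2` check passes, yet the BOOLEAN has no value byte, and a parser that reads `v[3]` without first checking `vlen >= 4` reads past the extension. Rejecting 0x01 as TRUE is the DER rule; if a deployment has to accept BER-encoded certificates, the single place to relax is the `v[pos + 2] != 0x00` branch.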

From: Eric Snowberg
To: zohar@linux.ibm.com, jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, stefanb@linux.ibm.com, nayna@linux.ibm.com, mic@linux.microsoft.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 3/4] KEYS: CA link restriction
Date: Tue, 1 Mar 2022 12:36:50 -0500
Message-Id: <20220301173651.3435350-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20220301173651.3435350-1-eric.snowberg@oracle.com>
References: <20220301173651.3435350-1-eric.snowberg@oracle.com>

Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA.
Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/restrict.c | 43 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 15 +++++++++++ 2 files changed, 58 insertions(+) diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..49bb2ea7f609 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,49 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key_signature *sig; + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + sig = payload->data[asym_auth]; + if (!sig) + return -ENOPKG; + + if (!sig->auth_ids[0] && !sig->auth_ids[1]) + return -ENOKEY; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + if (!pkey->key_is_ca) + return -ENOKEY; + + return public_key_verify_signature(pkey, sig); +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 0521241764b7..5eadb182a400 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
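Review bot: the closing `return public_key_verify_signature(pkey, sig);` in restrict_link_by_ca verifies the certificate's signature with the certificate's own public key, so the restriction admits only CA certificates that are self-signed; neither the commit message ("based on the key to be added being a CA") nor the kerneldoc says so, and the doc comment's error list reads as if written for a keyring lookup ("some other error if there is a matching certificate") although nothing here consults `trust_keyring`. State the self-signed requirement in both places, or drop the signature step if it is not intended. A CA bit on its own also does not establish that the key may sign certificates: RFC 5280 section 4.2.1.3 requires keyCertSign in keyUsage when the CA bit is asserted and keyUsage is present, so a key usage check is the natural companion to `key_is_ca` before a key is trusted as an issuer. Minor: the `!sig->auth_ids[0] && !sig->auth_ids[1]` test rejects certificates without an authority key identifier even though the identifier is never used afterwards; if that is meant to exclude certificates that cannot be chained, a comment should say so.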
@@ -72,6 +72,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
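Review bot: the `#else` stub of restrict_link_by_ca returns 0, and for a key_restrict_link_func_t a return of 0 means "link permitted", so a kernel built without CONFIG_ASYMMETRIC_KEY_TYPE gets an unrestricted keyring wherever this restriction is installed. The real function answers -EOPNOTSUPP for anything that is not an asymmetric key; the stub should do the same (or return -ENOKEY) so that the restriction fails closed, consistent with the -EINVAL chosen for the public_key_verify_signature stub in patch 1/4.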
b=aaHMYj7OeGHexTLnB8neIPh/7TD0Fpp7Y7GDfCOirOjFB3HL9rNhRT8R5Bf1HNW2wPHzdR5tMHoFQfhQpLwhsbwLYcJ4gciGcL1f3bKftXKdvLZISY5fX64aD8DroctvrLoAznmLvGZi9uLArxZ7dJpUrxA4QUxoxv5IFPDd70hu9Jp2ELL512QcP352fO9IXrVrrLe+nnbtguVLVUc4ZjPgUneyt/NV6YaBVMzh8ozWGNbJZHbfFYdawBkQQVacfOcwSZmv43DE+GUYJ7R7SI/C3pFxNQ2riSgfFmZ/84ywnYBlHELSvtn8wX2Flat7NnhFPn9X8TS59IxYRslwVQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TITRB1aPkAbT8oW7Zmx8pVIhc1z9aC1GC5o2A/kMoAw=; b=XePyFGC9lsFj9Ql3M3EO/8UTpoQPcVogKXOw3hFy06p1l1vsn9GBqjiOuA8Ezz1T6fPjx0axsSAQWCoKSK2XtJEQj/TkFC9HXAwCe4vtn8WWC8rGH807eDqfd5YDWnTKyXMNvfAmllNW56D6q0IY5XLUOTqU+e6i2Mjp/OMbBZs= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by DM6PR10MB2795.namprd10.prod.outlook.com (2603:10b6:5:70::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.24; Tue, 1 Mar 2022 17:39:09 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::49ae:9ccb:2e59:8150]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::49ae:9ccb:2e59:8150%4]) with mapi id 15.20.5017.027; Tue, 1 Mar 2022 17:39:09 +0000 
From: Eric Snowberg
To: zohar@linux.ibm.com, jarkko@kernel.org, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, jmorris@namei.org, serge@hallyn.com, eric.snowberg@oracle.com, stefanb@linux.ibm.com, nayna@linux.ibm.com, mic@linux.microsoft.com, konrad.wilk@oracle.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH 4/4] integrity: CA enforcement in machine keyring
Date: Tue, 1 Mar 2022 12:36:51 -0500
Message-Id: <20220301173651.3435350-5-eric.snowberg@oracle.com>
In-Reply-To: <20220301173651.3435350-1-eric.snowberg@oracle.com>
References: <20220301173651.3435350-1-eric.snowberg@oracle.com>
When INTEGRITY_MACHINE_KEYRING is set, all Machine Owner Keys (MOK) are loaded into the machine keyring. Add a new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED option where only MOK CA keys are added. Set the restriction check to restrict_link_by_ca. This will only allow CA keys into the machine keyring.

Unlike when INTEGRITY_MACHINE_KEYRING is enabled, IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY may also be enabled, allowing IMA to use keys in the machine keyring as another trust anchor.

Signed-off-by: Eric Snowberg
---
 certs/system_keyring.c                        |  9 +++++---
 include/keys/system_keyring.h                 |  3 ++-
 security/integrity/Kconfig                    | 21 +++++++++++++++++++
 security/integrity/Makefile                   |  1 +
 security/integrity/digsig.c                   | 14 ++++++++++---
 security/integrity/integrity.h                |  3 ++-
 .../platform_certs/keyring_handler.c          |  4 +++-
 7 files changed, 46 insertions(+), 9 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 05b66ce9d1c9..0811b44cf3bf 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -22,7 +22,8 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif -#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +#if defined(CONFIG_INTEGRITY_MACHINE_KEYRING) || \ + defined(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED) static struct key *machine_trusted_keys; #endif #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING @@ -89,7 +90,8 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void if (!restriction) panic("Can't allocate secondary trusted keyring restriction\n"); - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)) + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) || + IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED)) restriction->check = restrict_link_by_builtin_secondary_and_machine; else restriction->check = restrict_link_by_builtin_and_secondary_trusted; @@ -97,7 +99,8 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } #endif -#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +#if defined(CONFIG_INTEGRITY_MACHINE_KEYRING) || \ + defined(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED) void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..e4a6574bbcb6 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -45,7 +45,8 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif -#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +#if defined(CONFIG_INTEGRITY_MACHINE_KEYRING) || \ + defined(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED) extern int restrict_link_by_builtin_secondary_and_machine( struct key *dest_keyring, const struct key_type *type, diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..14c927eea5ee 100644 
--- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -62,6 +62,14 @@ config INTEGRITY_PLATFORM_KEYRING provided by the platform for verifying the kexec'ed kerned image and, possibly, the initramfs signature. + +choice + prompt "Machine keyring" + default INTEGRITY_MACHINE_NONE + +config INTEGRITY_MACHINE_NONE + bool "Do not enable the Machine Owner Keyring" + config INTEGRITY_MACHINE_KEYRING bool "Provide a keyring to which Machine Owner Keys may be added" depends on SECONDARY_TRUSTED_KEYRING @@ -75,6 +83,19 @@ config INTEGRITY_MACHINE_KEYRING in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_MACHINE_KEYRING_CA_ENFORCED + bool "Provide a keyring to which Machine Owner CA Keys may be added" + depends on SECONDARY_TRUSTED_KEYRING + depends on INTEGRITY_ASYMMETRIC_KEYS + depends on SYSTEM_BLACKLIST_KEYRING + depends on LOAD_UEFI_KEYS + help + If set, provide a keyring to which CA Machine Owner Keys (MOK) may + be added. This keyring shall contain just CA MOK keys. Unlike keys + in the platform keyring, keys contained in the .machine keyring will + be trusted within the kernel. +endchoice + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/Makefile b/security/integrity/Makefile index d0ffe37dc1d6..370ee63774c3 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -11,6 +11,7 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING) += platform_certs/machine_keyring.o +integrity-$(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED) += platform_certs/machine_keyring.o integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o 
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index c8c8a4a4e7a0..041edd9744db 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -34,7 +34,11 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { }; #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY +#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED +#define restrict_link_to_ima restrict_link_by_builtin_secondary_and_machine +#else #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted +#endif #else #define restrict_link_to_ima restrict_link_by_builtin_trusted #endif @@ -130,19 +134,23 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))) { restriction = NULL; goto out; } - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) && + id != INTEGRITY_KEYRING_MACHINE) return 0; restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 2e214c761158..ca4d72fbd045 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -285,7 +285,8 @@ static inline void __init add_to_platform_keyring(const char *source, } #endif -#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING +#if defined(CONFIG_INTEGRITY_MACHINE_KEYRING) || \ + defined(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED) void __init add_to_machine_keyring(const char *source, const void *data, size_t len); bool __init trust_moklist(void); #else 
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index a2464f3e66cc..9c456ad0ab67 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -61,7 +61,9 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) { if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { - if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist()) + if ((IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) || + IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED)) && + trust_moklist()) return add_to_machine_keyring; else return add_to_platform_keyring;
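Review bot: in the digsig.c hunk `@@ -130,19 +134,23 @@`, the rewritten early exit in integrity_init_keyring reads `if (id == INTEGRITY_KEYRING_PLATFORM || (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING)))`; the `id == INTEGRITY_KEYRING_MACHINE` test was dropped instead of being combined with the IS_ENABLED() test, so with CONFIG_INTEGRITY_MACHINE_KEYRING=y the condition holds for every keyring id and every integrity keyring, including the IMA keyring that restrict_link_to_ima is meant to guard, is created with `restriction = NULL`. It should be `id == INTEGRITY_KEYRING_PLATFORM || (id == INTEGRITY_KEYRING_MACHINE && IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))`; the later `id != INTEGRITY_KEYRING_MACHINE` guard before `return 0` then does what the patch intends, letting only the CA-enforced machine keyring fall through to the kzalloc and the restrict_link_by_ca assignment.

Review bot: the first certs/system_keyring.c hunk introduces `#if defined(CONFIG_INTEGRITY_MACHINE_KEYRING) || defined(CONFIG_INTEGRITY_MACHINE_KEYRING_CA_ENFORCED)`, and the same disjunction is then repeated in the third hunk of that file, in include/keys/system_keyring.h, in security/integrity/integrity.h, as an IS_ENABLED() pair in get_builtin_and_secondary_restriction() and in keyring_handler.c, and the Makefile lists platform_certs/machine_keyring.o under both symbols. Because the two options are mutually exclusive entries of one `choice`, a hidden Kconfig symbol selected by both (a name such as INTEGRITY_MACHINE_KEYRING_BASE is only a suggestion) would let every one of these remain a single `#ifdef` or IS_ENABLED() test and removes the risk of a future caller testing only one half.

Review bot: in the first Kconfig hunk, INTEGRITY_MACHINE_NONE is added with a prompt but no `help` text, and the new `choice` carries none either; a sentence stating how the two real entries differ (all X.509 MOK certificates versus CA certificates only) would make the menu self-explanatory. The surrounding context also shows "kexec'ed kerned image" in the INTEGRITY_PLATFORM_KEYRING help, a pre-existing typo for "kernel" that could be fixed while this file is being touched.

Review bot: the help text added for INTEGRITY_MACHINE_KEYRING_CA_ENFORCED in the second Kconfig hunk repeats the INTEGRITY_MACHINE_KEYRING wording and leaves out the two facts a user needs to choose between them: what restrict_link_by_ca requires of a MOK entry before it is linked (so that administrators who enrolled non-CA signing certificates know those will not appear in .machine), and the point the commit message makes that this variant may be combined with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY so IMA treats the machine keyring as a trust anchor. The Kconfig help is where users will look for that difference.

Review bot: in the keyring_handler.c hunk, get_handler_for_mok still routes every X.509 MOK entry to add_to_machine_keyring whenever trust_moklist() is true, so under CA enforcement a non-CA MOK certificate reaches the machine keyring and is refused there by restrict_link_by_ca. Unless add_to_machine_keyring falls back to the platform keyring on a refused link (not visible in this patch), such certificates are dropped outright rather than landing in .platform as they would with the machine keyring disabled; whichever is the case, it is worth stating in the commit message or help text, and if the fallback does not exist, routing non-CA entries to add_to_platform_keyring here would preserve the previous behaviour for them.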
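The CA-only link restriction the commit message describes, as an added illustration that is not part of this patch or of the kernel: a toy keyring in Go whose link check admits a MOK entry only when it is a self-signed CA certificate. The three tests it applies (basicConstraints CA:TRUE, keyUsage keyCertSign, self-signed) are this example's own assumption about what "CA key" means; the kernel's actual criteria live in restrict_link_by_ca from patch 3/4, whose body is not shown on this page. The three certificates fed to it are constructed in-process so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caOnlyRestriction is the link check of the toy keyring. The three tests are
// this example's assumption of what a "CA key" is (a self-signed certificate
// with basicConstraints CA:TRUE and keyUsage keyCertSign); they are not the
// kernel's restrict_link_by_ca.
func caOnlyRestriction(cert *x509.Certificate) error {
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return errors.New("basicConstraints does not assert CA")
	}
	if cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("keyUsage lacks keyCertSign")
	}
	// A trust anchor must be self-signed; CheckSignatureFrom verifies the
	// signature with the certificate's own public key.
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return fmt.Errorf("not self-signed: %w", err)
	}
	return nil
}

// LoadMokList mirrors the CA-enforced load path: every MOK entry is offered to
// the toy keyring and only entries passing the restriction are linked. It
// returns the admitted subjects and, per refused subject, the reason.
func LoadMokList(certs []*x509.Certificate) (admitted []string, refused map[string]string) {
	refused = map[string]string{}
	for _, c := range certs {
		cn := c.Subject.CommonName
		if err := caOnlyRestriction(c); err != nil {
			refused[cn] = err.Error()
			continue
		}
		admitted = append(admitted, cn)
	}
	return admitted, refused
}

// template and issue build the constructed certificates used as sample input.
func template(cn string, serial int64, ca bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SampleMokList is a constructed MOK list: a self-signed CA, a signing
// certificate issued by that CA, and a self-signed non-CA signing key of the
// kind often enrolled directly for locally built modules.
func SampleMokList() []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key generation from crypto/rand does not fail in practice
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	selfKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := template("Example MOK CA", 1, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := template("Example module signer", 2, false, x509.KeyUsageDigitalSignature)
	selfTmpl := template("Local self-signed signer", 3, false, x509.KeyUsageDigitalSignature)
	return []*x509.Certificate{
		ca,
		issue(leafTmpl, ca, &leafKey.PublicKey, caKey),
		issue(selfTmpl, selfTmpl, &selfKey.PublicKey, selfKey),
	}
}

func main() {
	admitted, refused := LoadMokList(SampleMokList())
	fmt.Println("admitted:", admitted)
	for cn, why := range refused {
		fmt.Printf("refused %q: %s\n", cn, why)
	}
}
```

Only "Example MOK CA" is linked; the CA-issued signer and the self-signed non-CA signer are both refused on the basicConstraints test. That is the operational consequence a defender evaluating the CA-enforced option should expect: leaf certificates enrolled in MOK no longer become kernel trust anchors, and anything they signed must instead chain to a CA that is present.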