From patchwork Wed Nov 9 02:50:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Patchwork-Id: 13037106 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3DF0C4332F for ; Wed, 9 Nov 2022 02:50:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229913AbiKICuf (ORCPT ); Tue, 8 Nov 2022 21:50:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41798 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229667AbiKICue (ORCPT ); Tue, 8 Nov 2022 21:50:34 -0500 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFC381F61A; Tue, 8 Nov 2022 18:50:32 -0800 (PST) From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=weissschuh.net; s=mail; t=1667962230; bh=COwXzoOJifc0kBYkrsDthoC7PqTOtSdi1o8MWvrZGvg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RFw/Vm2E83YIgHtWCxE5pbYZhS4CloQ/BWpqQZOVwojSlxti2713CWbtT7DfN5yex g+GGsYBsuKhOCeD7QxLbnztD1C/IDyi5+pGFTD9AtpIONjJbQEGJyO1z11FSBTMNjk uEi8dEEMGzSajlt2uIl9vEakOIORMif0rUAKe1AA= To: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , David Howells , David Woodhouse , Jarkko Sakkinen , Eric Snowberg Cc: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 1/3] certs: log more information on blacklist error Date: Wed, 9 Nov 2022 03:50:17 +0100 Message-Id: <20221109025019.1855-2-linux@weissschuh.net> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221109025019.1855-1-linux@weissschuh.net> References: <20221109025019.1855-1-linux@weissschuh.net> MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1667962214; l=781; s=20211113; h=from:subject; bh=COwXzoOJifc0kBYkrsDthoC7PqTOtSdi1o8MWvrZGvg=; b=9x5DbFNV4IeM4Iy0DtoCRUoozHmclKCE+cEgSF4HGqidC0TEXqxiB6lTgA07FCcRuKVcFFgwwsn5 B8EN0PttAwXE0P3l+2gc7DGNn+b1Zq+W6/XVyg0ViLI7WWqXymfn X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=9LP6KM4vD/8CwHW7nouRBhWLyQLcK1MkP6aTZbzUlj4= Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org Without this information these logs are not actionable. Fixes: 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring") Signed-off-by: Thomas Weißschuh --- certs/blacklist.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 41f10601cc72..6e260c4b6a19 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -192,7 +192,7 @@ static int mark_raw_hash_blacklisted(const char *hash) KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); if (IS_ERR(key)) { - pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key)); + pr_err("Problem blacklisting hash %s: %pe\n", hash, key); return PTR_ERR(key); } return 0; From patchwork Wed Nov 9 02:50:18 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Patchwork-Id: 13037108 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 62A2DC4167D for ; Wed, 9 Nov 2022 02:50:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229949AbiKICug (ORCPT ); Tue, 8 Nov 2022 21:50:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41810 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230041AbiKICuf (ORCPT ); Tue, 8 Nov 2022 21:50:35 -0500 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 253B51F9E0; Tue, 8 Nov 2022 18:50:34 -0800 (PST) From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=weissschuh.net; s=mail; t=1667962230; bh=233BTp1qcjOzql0dhORHYGs7Wq5WOY1ovusjn60vP/A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gvg2aRUlRtnPD1ft+cXSUo/Zs8u/wtM3kR2n4ZjvrLYTOaf+eQr3478AXBgfgtcbZ jBzcLoXgYwAFD7y71goq75WkjvW4HUsRxNsq5esZUWpYw8sp2KCGt0Ivk3+Ps+Tox1 y4OPNTxjB6F5tYGsCZ7y5452+e9ZUjkPczgz2ev8= To: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , David Howells , David Woodhouse , Jarkko Sakkinen , Eric Snowberg Cc: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 2/3] KEYS: Add key_create() Date: Wed, 9 Nov 2022 03:50:18 +0100 Message-Id: <20221109025019.1855-3-linux@weissschuh.net> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221109025019.1855-1-linux@weissschuh.net> References: <20221109025019.1855-1-linux@weissschuh.net> MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1667962214; l=7478; s=20211113; h=from:subject; bh=233BTp1qcjOzql0dhORHYGs7Wq5WOY1ovusjn60vP/A=; b=M29uzVeJh9KDc+GsHlHkuBqH80ld+ZcrMEUOp0kpS7GWmStL1oLs4Ylh5Kw/qgjZDJbP5jHzBKCl dNVBRqy7CotdiIxIBKPjDfbNUN8yzxCvz/ITfDz23Fvd8me1dqIY X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=9LP6KM4vD/8CwHW7nouRBhWLyQLcK1MkP6aTZbzUlj4= Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org This function works like key_create_or_update() but does not allow updating an existing key instead returning -EEXIST. This new function will be used by the blacklist keyring. Signed-off-by: Thomas Weißschuh --- include/linux/key.h | 8 +++ security/keys/key.c | 149 +++++++++++++++++++++++++++++++++----------- 2 files changed, 120 insertions(+), 37 deletions(-) diff --git a/include/linux/key.h b/include/linux/key.h index d27477faf00d..8dc7f7c3088b 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -386,6 +386,14 @@ extern int wait_for_key_construction(struct key *key, bool intr); extern int key_validate(const struct key *key); +extern key_ref_t key_create(key_ref_t keyring, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags); + extern key_ref_t key_create_or_update(key_ref_t keyring, const char *type, const char *description, diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..f84bcd8457f4 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -788,38 +788,18 @@ static inline key_ref_t __key_update(key_ref_t key_ref, goto out; } -/** - * key_create_or_update - Update or create and instantiate a key. - * @keyring_ref: A pointer to the destination keyring with possession flag. - * @type: The type of key. - * @description: The searchable description for the key. - * @payload: The data to use to instantiate or update the key. - * @plen: The length of @payload. - * @perm: The permissions mask for a new key. - * @flags: The quota flags for a new key. - * - * Search the destination keyring for a key of the same description and if one - * is found, update it, otherwise create and instantiate a new one and create a - * link to it from that keyring. - * - * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be - * concocted. - * - * Returns a pointer to the new key if successful, -ENODEV if the key type - * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the - * caller isn't permitted to modify the keyring or the LSM did not permit - * creation of the key. - * - * On success, the possession flag from the keyring ref will be tacked on to - * the key ref before it is returned. +/* + * Create or potentially update a key. The combined logic behind + * key_create_or_update() and key_create() */ -key_ref_t key_create_or_update(key_ref_t keyring_ref, - const char *type, - const char *description, - const void *payload, - size_t plen, - key_perm_t perm, - unsigned long flags) +static key_ref_t __key_create_or_update(key_ref_t keyring_ref, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags, + bool allow_update) { struct keyring_index_key index_key = { .description = description, @@ -906,14 +886,23 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_link_end; } - /* if it's possible to update this type of key, search for an existing - * key of the same type and description in the destination keyring and - * update that instead if possible + /* if it's requested and possible to update this type of key, search + * for an existing key of the same type and description in the + * destination keyring and update that instead if possible */ - if (index_key.type->update) { + if (allow_update) { + if (index_key.type->update) { + key_ref = find_key_to_update(keyring_ref, &index_key); + if (key_ref) + goto found_matching_key; + } + } else { key_ref = find_key_to_update(keyring_ref, &index_key); - if (key_ref) - goto found_matching_key; + if (key_ref) { + key_ref_put(key_ref); + key_ref = ERR_PTR(-EEXIST); + goto error_link_end; + } } /* if the client doesn't provide, decide on the permissions we want */ @@ -985,8 +974,94 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_free_prep; } + +/** + * key_create_or_update - Update or create and instantiate a key. + * @keyring_ref: A pointer to the destination keyring with possession flag. + * @type: The type of key. + * @description: The searchable description for the key. + * @payload: The data to use to instantiate or update the key. + * @plen: The length of @payload. + * @perm: The permissions mask for a new key. + * @flags: The quota flags for a new key. + * + * Search the destination keyring for a key of the same description and if one + * is found, update it, otherwise create and instantiate a new one and create a + * link to it from that keyring. + * + * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be + * concocted. + * + * Returns a pointer to the new key if successful, -ENODEV if the key type + * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the + * caller isn't permitted to modify the keyring or the LSM did not permit + * creation of the key. + * + * On success, the possession flag from the keyring ref will be tacked on to + * the key ref before it is returned. + */ +key_ref_t key_create_or_update(key_ref_t keyring_ref, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags) +{ + return __key_create_or_update(keyring_ref, + type, + description, + payload, + plen, + perm, + flags, + true); +} EXPORT_SYMBOL(key_create_or_update); +/** + * key_create - Create and instantiate a key. + * @keyring_ref: A pointer to the destination keyring with possession flag. + * @type: The type of key. + * @description: The searchable description for the key. + * @payload: The data to use to instantiate or update the key. + * @plen: The length of @payload. + * @perm: The permissions mask for a new key. + * @flags: The quota flags for a new key. + * + * Create and instantiate a new key and link to it from the destination keyring. + * + * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be + * concocted. + * + * Returns a pointer to the new key if successful, -EEXIST if a key with the + * same description already exists, -ENODEV if the key type wasn't available, + * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't + * permitted to modify the keyring or the LSM did not permit creation of the + * key. + * + * On success, the possession flag from the keyring ref will be tacked on to + * the key ref before it is returned. + */ +key_ref_t key_create(key_ref_t keyring_ref, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags) +{ + return __key_create_or_update(keyring_ref, + type, + description, + payload, + plen, + perm, + flags, + false); +} +EXPORT_SYMBOL(key_create); + /** * key_update - Update a key's contents. * @key_ref: The pointer (plus possession flag) to the key. From patchwork Wed Nov 9 02:50:19 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Patchwork-Id: 13037107 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 20FB6C4321E for ; Wed, 9 Nov 2022 02:50:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230062AbiKICuf (ORCPT ); Tue, 8 Nov 2022 21:50:35 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229705AbiKICue (ORCPT ); Tue, 8 Nov 2022 21:50:34 -0500 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFCFA1F62F; Tue, 8 Nov 2022 18:50:32 -0800 (PST) From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=weissschuh.net; s=mail; t=1667962230; bh=5ie3Yn8WEIYoQFT16uM/WFQsRiA4aQakHFCHCuSu24o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=S4RyJ1wzsu+CpZMBbNLMM2Rag3TXO+Xb3KPkzsImCQFf5lvbhoyLEXMvCLg+y4W4P s5eZT9wXxoZDpGbOcLoHawu1teXnAudH1mwzGMMXEy1x3Gm9jXVBZh0duYW9j9jTQj x4kZPMShWc4wEdNpenaPh88pLrVCr8Ta8dsMZghY= To: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , David Howells , David Woodhouse , Jarkko Sakkinen , Eric Snowberg Cc: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 3/3] certs: don't try to update blacklist keys Date: Wed, 9 Nov 2022 03:50:19 +0100 Message-Id: <20221109025019.1855-4-linux@weissschuh.net> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221109025019.1855-1-linux@weissschuh.net> References: <20221109025019.1855-1-linux@weissschuh.net> MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1667962214; l=1899; s=20211113; h=from:subject; bh=5ie3Yn8WEIYoQFT16uM/WFQsRiA4aQakHFCHCuSu24o=; b=OUVFxglzNA9V+JeUq6PfXkiyi8NjbHyOn/P067eIM9yuQtAu1elOs+T/uDNnoy72YvI6yHQrLyma IEfj5nx7Dt2CnrEBvK0SE2q0NTMjoP3maKxCmE9wV84O9Uf12dvH X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=9LP6KM4vD/8CwHW7nouRBhWLyQLcK1MkP6aTZbzUlj4= Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org When the same key is blacklisted repeatedly we don't want to log an error. These duplicates can be provided by buggy firmware. Instead of spamming the bootlog with errors we use a warning that can still be seen by OEMs when testing. Also extend BLACKLIST_KEY_PERM as otherwise the EACCES will shadow the EEXIST. Link: https://lore.kernel.org/all/c8c65713-5cda-43ad-8018-20f2e32e4432@t-8ch.de/ Link: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/ Signed-off-by: Thomas Weißschuh --- certs/blacklist.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 6e260c4b6a19..ac8e3166b6d7 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -26,7 +26,7 @@ */ #define MAX_HASH_LEN 128 -#define BLACKLIST_KEY_PERM (KEY_POS_SEARCH | KEY_POS_VIEW | \ +#define BLACKLIST_KEY_PERM (KEY_POS_WRITE | KEY_POS_SEARCH | KEY_POS_VIEW | \ KEY_USR_SEARCH | KEY_USR_VIEW) static const char tbs_prefix[] = "tbs"; @@ -183,16 +183,19 @@ static int mark_raw_hash_blacklisted(const char *hash) { key_ref_t key; - key = key_create_or_update(make_key_ref(blacklist_keyring, true), - "blacklist", - hash, - NULL, - 0, - BLACKLIST_KEY_PERM, - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN); + key = key_create(make_key_ref(blacklist_keyring, true), + "blacklist", + hash, + NULL, + 0, + BLACKLIST_KEY_PERM, + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN); if (IS_ERR(key)) { - pr_err("Problem blacklisting hash %s: %pe\n", hash, key); + if (PTR_ERR(key) == -EEXIST) + pr_warn("Duplicate blacklisted hash %s\n", hash); + else + pr_err("Problem blacklisting hash %s: %pe\n", hash, key); return PTR_ERR(key); } return 0;