From patchwork Tue Feb 7 02:59:53 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13130932
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 1/6] KEYS: Create static version of public_key_verify_signature
Date: Mon, 6 Feb 2023 21:59:53 -0500
Message-Id: <20230207025958.974056-2-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-integrity@vger.kernel.org

The kernel test robot reports undefined reference to
public_key_verify_signature when CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
is not defined. Create a static version in this case and return -EINVAL.

Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Reported-by: kernel test robot
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Petr Vorel
---
 include/crypto/public_key.h | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 68f7aa2a7e55..6d61695e1cde 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,7 +80,16 @@ extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); +#else +static inline +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + return -EINVAL; +} +#endif #endif /* _LINUX_PUBLIC_KEY_H */
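Review bot: the stub in the #else branch returns -EINVAL unconditionally, which a caller cannot tell apart from a verification failure on a malformed signature; if the intent is "no public-key subtype reachable from here", a distinct errno, or at least a comment on the stub saying why the symbol may be unreachable (IS_REACHABLE() is also false when the subtype is a module and the caller is built in), would make the failure diagnosable instead of silently looking like bad input. Style nit: `static inline` on a line of its own before `int public_key_verify_signature(...)` is unusual in a kernel header; the common form is a single `static inline int public_key_verify_signature(...)` line.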
From patchwork Tue Feb 7 02:59:54 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13130933
From: Eric Snowberg
Subject: [PATCH v4 2/6] KEYS: Add missing function documentation
Date: Mon, 6 Feb 2023 21:59:54 -0500
Message-Id: <20230207025958.974056-3-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
Compiling with 'W=1' results in warnings that 'Function parameter or
member not described'. Add the missing parameters for
restrict_link_by_builtin_and_secondary_trusted and
restrict_link_to_builtin_trusted. Use /* instead of /** for
get_builtin_and_secondary_restriction, since it is a static function.
Fix wrong function name restrict_link_to_builtin_trusted.

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Eric Snowberg
Reviewed-by: Petr Vorel
Reviewed-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
 certs/system_keyring.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 5042cc54fa5e..e531b88bc570 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -33,7 +33,11 @@ extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; /** - * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * restrict_link_by_builtin_trusted - Restrict keyring addition by built in CA + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restriction_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in the built in system keyring. @@ -50,7 +54,11 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING /** * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring - * addition by both builtin and secondary keyrings + * addition by both builtin and secondary keyrings. + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @restrict_key: A ring of keys that can be used to vouch for the new cert. * * Restrict the addition of keys into a keyring based on the key-to-be-added * being vouched for by a key in either the built-in or the secondary system 
@@ -75,7 +83,7 @@ int restrict_link_by_builtin_and_secondary_trusted( secondary_trusted_keys); } -/** +/* * Allocate a struct key_restriction for the "builtin and secondary trust" * keyring. Only for use in system_trusted_keyring_init(). */
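Review bot: the two kernel-doc blocks in the first two hunks document the fourth parameter under different names, `@restriction_key` for restrict_link_by_builtin_trusted and `@restrict_key` for restrict_link_by_builtin_and_secondary_trusted. W=1 only stops warning when the @name matches the prototype exactly, and the prototype of the second function lies outside the hunk context, so please confirm each line matches its own definition; otherwise the `@restrict_key` line trades one "not described" warning for another. If both are correct, the naming difference between two sibling functions with the same semantics is worth unifying in a follow-up.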
From patchwork Tue Feb 7 02:59:55 2023
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13130934
From: Eric Snowberg
Subject: [PATCH v4 3/6] KEYS: X.509: Parse Basic Constraints for CA
Date: Mon, 6 Feb 2023 21:59:55 -0500
Message-Id: <20230207025958.974056-4-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
Parse the X.509 Basic Constraints. The basic constraints extension
identifies whether the subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
        cA                      BOOLEAN DEFAULT FALSE,
        pathLenConstraint       INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in the public_key. This will be used in a
follow-on patch that requires knowing if the public key is a CA.

Link: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
Reviewed-by: Jarkko Sakkinen
---
 crypto/asymmetric_keys/x509_cert_parser.c | 22 ++++++++++++++++++++++
 include/crypto/public_key.h               |  2 ++
 2 files changed, 24 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 7a9b084e2043..77547d4bd94d 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -586,6 +586,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + /* + * Get hold of the basicConstraints + * v[1] is the encoding size + * (Expect 0x2 or greater, making it 1 or more bytes) + * v[2] is the encoding type + * (Expect an ASN1_BOOL for the CA) + * v[3] is the contents of the ASN1_BOOL + * (Expect 1 if the CA is TRUE) + * vlen should match the entire extension size + */ + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (vlen < 2) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA; + return 0; + } + return 0; }
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 6d61695e1cde..c401762850f2 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -28,6 +28,8 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned long key_eflags; /* key extension flags */ +#define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ }; extern void public_key_free(struct public_key *key);
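Review bot: in the x509_cert_parser.c hunk, the check `v[3] == 1` tests the BOOLEAN's length octet, not its value. With v[0] and v[1] being the SEQUENCE tag and length and v[2] the BOOLEAN tag, as the comment lays out, DER puts the BOOLEAN's length at v[3] (always 1) and its content at v[4] (0xFF for TRUE), so the comment line "v[3] is the contents of the ASN1_BOOL" is wrong and the value octet is never looked at. Strict DER forbids encoding `cA FALSE` explicitly because of DEFAULT FALSE, but encoders that emit it (01 01 00) exist, and such a certificate would still get KEY_EFLAG_CA set; since the follow-on patch keys trust decisions on this flag, it should be derived from the value octet. Suggest requiring `vlen >= 5` and testing `v[3] == 1 && v[4] != 0` (or `== 0xff` to insist on DER), and fixing the comment. Minor: `v[1] != 0` is already implied by `v[1] == vlen - 2` together with `vlen >= 4`.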
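Review bot: in the public_key.h hunk, `#define KEY_EFLAG_CA 0` sits inside the struct body; it compiles, but defining the bit numbers next to the field outside the struct keeps the declaration readable and is where readers will look for further KEY_EFLAG_* values. The field is `unsigned long` while the parser sets it with `1 << KEY_EFLAG_CA`, an int shift; harmless for bit 0, but BIT(KEY_EFLAG_CA) avoids surprises once bit numbers grow past 31. Grammar in the comment: "set if the CA basic constraint is set".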
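The BasicConstraints layout quoted in the commit message, parsed in full by a small user-space C function, as an added example that is not part of the patch or of the kernel's X.509 parser: it walks the SEQUENCE as DER TLVs, reads the cA BOOLEAN's value octet (not its length octet) and the optional pathLenConstraint, and rejects truncated or trailing data. The tag constants mirror the numeric values used in the hunk, while the struct name, the helper names and the sample encodings are constructed for this example; hunk_style_ca_check reproduces only the test expression from the x509_cert_parser.c hunk so the two can be compared on an explicitly encoded cA FALSE.

```c
#include <stddef.h>
#include <stdio.h>

/* ASN.1 tag values; same numeric values as the kernel's <linux/asn1.h>. */
#define ASN1_BOOL	0x01
#define ASN1_INT	0x02
#define ASN1_SEQ	0x10
#define ASN1_CONS_BIT	0x20

/* Decoded BasicConstraints (struct name constructed for this example). */
struct basic_constraints {
	int ca;      /* 1 if cA is TRUE, 0 otherwise (the DEFAULT) */
	int pathlen; /* pathLenConstraint, or -1 when absent */
};

/*
 * Parse the DER contents of the BasicConstraints extension value:
 *   BasicConstraints ::= SEQUENCE {
 *       cA                 BOOLEAN DEFAULT FALSE,
 *       pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
 * Returns 0 on success, -1 on malformed input. Only short-form lengths
 * (< 128) are accepted, which is all this extension ever needs.
 */
int parse_basic_constraints(const unsigned char *v, size_t vlen,
			    struct basic_constraints *out)
{
	size_t pos = 2;

	out->ca = 0;
	out->pathlen = -1;

	/* Outer SEQUENCE: tag, then a short-form length covering the rest. */
	if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
		return -1;
	if (v[1] >= 0x80 || v[1] != vlen - 2)
		return -1;

	/* Optional cA BOOLEAN: tag, length (must be 1), then the value octet. */
	if (pos < vlen && v[pos] == ASN1_BOOL) {
		if (pos + 3 > vlen || v[pos + 1] != 1)
			return -1;
		/* DER encodes TRUE as 0xFF; BER allows any non-zero octet. */
		out->ca = v[pos + 2] != 0;
		pos += 3;
	}

	/* Optional pathLenConstraint INTEGER: non-negative, at most 4 octets. */
	if (pos < vlen && v[pos] == ASN1_INT) {
		size_t ilen, i;
		long val = 0;

		if (pos + 2 > vlen)
			return -1;
		ilen = v[pos + 1];
		if (ilen == 0 || ilen > 4 || pos + 2 + ilen > vlen)
			return -1;
		if (v[pos + 2] & 0x80) /* negative: outside (0..MAX) */
			return -1;
		for (i = 0; i < ilen; i++)
			val = (val << 8) | v[pos + 2 + i];
		out->pathlen = (int)val;
		pos += 2 + ilen;
	}

	/* Anything left over is not part of BasicConstraints. */
	return pos == vlen ? 0 : -1;
}

/* 1 for a CA certificate, 0 for a non-CA, -1 if malformed. */
int is_ca(const unsigned char *v, size_t vlen)
{
	struct basic_constraints bc;

	return parse_basic_constraints(v, vlen, &bc) < 0 ? -1 : bc.ca;
}

/* pathLenConstraint, -1 if absent, -2 if malformed. */
int path_len(const unsigned char *v, size_t vlen)
{
	struct basic_constraints bc;

	return parse_basic_constraints(v, vlen, &bc) < 0 ? -2 : bc.pathlen;
}

/* The test expression from the hunk, for comparison: it reads v[3], the
 * BOOLEAN's length octet, and never looks at the value octet at v[4]. */
int hunk_style_ca_check(const unsigned char *v, size_t vlen)
{
	if (vlen < 2 || v[0] != (ASN1_CONS_BIT | ASN1_SEQ) || v[1] != vlen - 2)
		return -1;
	return vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1;
}

/* Constructed sample encodings (extnValue contents only). */
static const unsigned char bc_ca_true[]       = { 0x30, 0x03, 0x01, 0x01, 0xff };
static const unsigned char bc_ca_true_pl0[]   = { 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00 };
static const unsigned char bc_empty[]         = { 0x30, 0x00 };
static const unsigned char bc_ca_false_expl[] = { 0x30, 0x03, 0x01, 0x01, 0x00 }; /* not valid DER */
static const unsigned char bc_bad_len[]       = { 0x30, 0x05, 0x01, 0x01, 0xff };

int main(void)
{
	printf("cA TRUE, pathLen 0: is_ca=%d path_len=%d\n",
	       is_ca(bc_ca_true_pl0, sizeof bc_ca_true_pl0),
	       path_len(bc_ca_true_pl0, sizeof bc_ca_true_pl0));
	printf("explicit cA FALSE:  is_ca=%d hunk_check=%d\n",
	       is_ca(bc_ca_false_expl, sizeof bc_ca_false_expl),
	       hunk_style_ca_check(bc_ca_false_expl, sizeof bc_ca_false_expl));
	return 0;
}
```

The empty SEQUENCE (30 00) yields cA FALSE through the DEFAULT, the explicit-FALSE encoding yields cA FALSE from its value octet, and a SEQUENCE length that does not match vlen is rejected outright; only the last two behaviours differ from the hunk's expression.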
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 4/6] KEYS: X.509: Parse Key Usage
Date: Mon, 6 Feb 2023 21:59:56 -0500
Message-Id: <20230207025958.974056-5-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
Parse the X.509 Key Usage. The key usage extension defines the purpose of
the key contained in the certificate.

  id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

  KeyUsage ::= BIT STRING {
       digitalSignature        (0),
       contentCommitment       (1),
       keyEncipherment         (2),
       dataEncipherment        (3),
       keyAgreement            (4),
       keyCertSign             (5),
       cRLSign                 (6),
       encipherOnly            (7),
       decipherOnly            (8) }

If the keyCertSign or digitalSignature is set, store it in the public_key
structure.
This will be used in a follow on patch that requires knowing the certificate key usage type. Link: https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3 Signed-off-by: Eric Snowberg Reviewed-by: Mimi Zohar --- crypto/asymmetric_keys/x509_cert_parser.c | 28 +++++++++++++++++++++++ include/crypto/public_key.h | 2 ++ 2 files changed, 30 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 77547d4bd94d..0a7049b470c1 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -579,6 +579,34 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_keyUsage) { + /* + * Get hold of the keyUsage bit string + * v[1] is the encoding size + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) + * v[2] is the number of unused bits in the bit string + * (If >= 3 keyCertSign is missing when v[1] = 0x02) + * v[3] and possibly v[4] contain the bit string + * + * From RFC 5280 4.2.1.3: + * 0x04 is where keyCertSign lands in this bit string + * 0x80 is where digitalSignature lands in this bit string + */ + if (v[0] != ASN1_BTS) + return -EBADMSG; + if (vlen < 4) + return -EBADMSG; + if (v[2] >= 8) + return -EBADMSG; + if (v[3] & 0x80) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_DIGITALSIG; + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN; + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN; + return 0; + } + if (ctx->last_oid == OID_authorityKeyIdentifier) { /* Get hold of the CA key fingerprint */ ctx->raw_akid = v; diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index c401762850f2..03c3fb990d59 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
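Review bot: unlike the basicConstraints block, this hunk never checks that the BIT STRING length octet matches the extension size, so `v[1] == 0x02` with `vlen > 4` (trailing bytes after the bit string) is accepted silently; add `if (v[1] != vlen - 2) return -EBADMSG;` after the `vlen < 4` check to mirror the earlier hunk. The `v[0] != ASN1_BTS` read also precedes the `vlen < 4` check and should follow it. The bit arithmetic itself looks right: with bits numbered from the MSB, digitalSignature (0) is 0x80 and keyCertSign (5) is 0x04 of the first content byte, and `v[2] <= 2` correctly requires bit 5 to be a meaningful (non-padding) bit when there is only one content byte.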
@@ -30,6 +30,8 @@ struct public_key { const char *pkey_algo; unsigned long key_eflags; /* key extension flags */ #define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ +#define KEY_EFLAG_DIGITALSIG 1 /* set if the digitalSignature usage is set */ +#define KEY_EFLAG_KEYCERTSIGN 2 /* set if the keyCertSign usage is set */ }; extern void public_key_free(struct public_key *key);
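The KeyUsage BIT STRING layout given in the commit message above, together with the basicConstraints SEQUENCE handled by the preceding patch, decoded by a stand-alone C example added here (illustrative code, not kernel code and not part of this series). The `TAG_*`/`EFLAG_*` constants, the `parse_*` functions and every sample byte string are constructed for the example; as in the kernel parser, the input is the raw extnValue content.

```c
/*
 * Stand-alone decoders for the raw extnValue of keyUsage (RFC 5280 4.2.1.3,
 * a BIT STRING) and basicConstraints (RFC 5280 4.2.1.9, a SEQUENCE holding
 * cA BOOLEAN DEFAULT FALSE and an optional pathLenConstraint INTEGER).
 * Illustrative code only: the tag constants and EFLAG_* names are local and
 * merely mirror the roles of the kernel's ASN1_* and KEY_EFLAG_* values.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_BOOL 0x01            /* universal BOOLEAN */
#define TAG_BTS  0x03            /* universal BIT STRING */
#define TAG_SEQ  0x30            /* universal SEQUENCE, constructed bit set */

#define EFLAG_CA          (1u << 0)
#define EFLAG_DIGITALSIG  (1u << 1)
#define EFLAG_KEYCERTSIGN (1u << 2)
#define PARSE_ERR         0xFFFFFFFFu  /* *_flags() result for malformed input */

/* Bit i of a BIT STRING is bit (7 - i%8) of content byte i/8; the 'unused'
 * trailing bits of the last byte are padding and must never read as set. */
static int bitstring_bit(const uint8_t *bits, size_t nbytes, unsigned unused,
                         unsigned i)
{
    size_t nbits = nbytes * 8 - unused;
    return i < nbits ? (bits[i / 8] >> (7 - (i % 8))) & 1 : 0;
}

/* keyUsage: v[0] tag, v[1] length, v[2] unused-bit count, v[3..] the bits. */
int parse_key_usage(const uint8_t *v, size_t vlen, unsigned *flags)
{
    size_t nbytes;
    unsigned unused;
    if (vlen < 3 || v[0] != TAG_BTS)  /* check the length before reading v[] */
        return -1;
    if (v[1] != vlen - 2)             /* the length octet must cover the rest */
        return -1;
    unused = v[2];
    nbytes = vlen - 3;
    if (unused > 7 || (nbytes == 0 && unused != 0))
        return -1;
    if (nbytes > 2)                   /* KeyUsage defines 9 bits: 2 bytes max */
        return -1;
    *flags = 0;
    if (bitstring_bit(v + 3, nbytes, unused, 0))  /* digitalSignature: 0x80 */
        *flags |= EFLAG_DIGITALSIG;
    if (bitstring_bit(v + 3, nbytes, unused, 5))  /* keyCertSign: 0x04 */
        *flags |= EFLAG_KEYCERTSIGN;
    return 0;
}

/* basicConstraints: v[0] SEQUENCE tag, v[1] length; if a cA BOOLEAN is
 * present its tag is v[2], its length octet v[3] and its value v[4]. */
int parse_basic_constraints(const uint8_t *v, size_t vlen, unsigned *flags)
{
    if (vlen < 2 || v[0] != TAG_SEQ || v[1] != vlen - 2)
        return -1;
    *flags = 0;
    if (vlen == 2 || v[2] != TAG_BOOL)  /* cA omitted (DEFAULT FALSE) or pathLen only */
        return 0;
    if (vlen < 5 || v[3] != 1)          /* a BOOLEAN carries exactly one value octet */
        return -1;
    if (v[4] == 0xFF)                   /* DER TRUE */
        *flags |= EFLAG_CA;
    else if (v[4] != 0x00)              /* anything else is not valid DER */
        return -1;
    return 0;
}

/* Wrappers returning the flags directly, or PARSE_ERR on malformed input. */
unsigned key_usage_flags(const uint8_t *v, size_t vlen)
{
    unsigned f;
    return parse_key_usage(v, vlen, &f) == 0 ? f : PARSE_ERR;
}

unsigned basic_constraints_flags(const uint8_t *v, size_t vlen)
{
    unsigned f;
    return parse_basic_constraints(v, vlen, &f) == 0 ? f : PARSE_ERR;
}

/* Constructed sample values (not taken from any real certificate). */
const uint8_t ku_ca[]      = { 0x03, 0x02, 0x01, 0x06 };       /* keyCertSign|cRLSign, 1 unused bit */
const uint8_t ku_leaf[]    = { 0x03, 0x02, 0x05, 0xA0 };       /* digitalSignature|keyEncipherment */
const uint8_t ku_two[]     = { 0x03, 0x03, 0x07, 0x04, 0x80 }; /* keyCertSign|decipherOnly, 2 bytes */
const uint8_t ku_padded[]  = { 0x03, 0x02, 0x03, 0x04 };       /* 0x04 set, but only 5 bits are valid */
const uint8_t ku_trailer[] = { 0x03, 0x02, 0x01, 0x06, 0x00 }; /* length octet != vlen - 2: reject */
const uint8_t bc_true[]    = { 0x30, 0x03, 0x01, 0x01, 0xFF }; /* cA TRUE */
const uint8_t bc_false[]   = { 0x30, 0x03, 0x01, 0x01, 0x00 }; /* cA FALSE written out explicitly */
const uint8_t bc_pathlen[] = { 0x30, 0x03, 0x02, 0x01, 0x00 }; /* pathLenConstraint 0, cA absent */

int main(void)
{
    printf("ku_ca     0x%x\n", key_usage_flags(ku_ca, sizeof ku_ca));
    printf("ku_padded 0x%x\n", key_usage_flags(ku_padded, sizeof ku_padded));
    printf("bc_true   0x%x\n", basic_constraints_flags(bc_true, sizeof bc_true));
    printf("bc_false  0x%x\n", basic_constraints_flags(bc_false, sizeof bc_false));
    return 0;
}
```

`ku_padded` shows the case the kernel comment alludes to: with three unused bits only five bits are meaningful, so the 0x04 bit is padding and keyCertSign is not set.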
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 5/6] KEYS: CA link restriction
Date: Mon, 6 Feb 2023 21:59:57 -0500
Message-Id: <20230207025958.974056-6-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
Add a new link restriction. Restrict the addition of keys in a keyring
based on the key to be added being a CA.

Signed-off-by: Eric Snowberg
Reviewed-by: Mimi Zohar
---
 crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++
 include/crypto/public_key.h | 15 ++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b1ac5f5896a..48457c6f33f9 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY; + + return 0; +} + static bool match_either_id(const struct asymmetric_key_id **pair, const struct asymmetric_key_id *single) { diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 03c3fb990d59..653992a6e941 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
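Review bot: the kernel-doc "Returns" paragraph is carried over from restrict_link_by_signature and does not describe this function: no signature is verified here, so "-ENOPKG if the signature uses unsupported crypto" and "the signature check cannot be performed" cannot happen, and -ENOPKG is in fact returned when the payload carries no public key. Suggest documenting the real contract: -EOPNOTSUPP for a non-asymmetric key type, -ENOPKG for a missing payload, -ENOKEY when the CA bit or keyCertSign is absent or digitalSignature is present. It is also worth stating that @trust_keyring is unused because this restriction does not chain anywhere: a certificate is accepted solely on its own self-asserted extensions, so the trust comes entirely from the path by which the key was loaded.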
@@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring, const union key_payload *payload, struct key *trusted); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
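Review bot: the `#else` stub returns 0, which for a link restriction means "accept every key" whenever CONFIG_ASYMMETRIC_KEY_TYPE is not reachable. A restriction that fails open is surprising; returning -EOPNOTSUPP (matching the type check in the real function) would fail closed, or add a comment explaining why unconditional acceptance is correct for the callers that can exist without asymmetric key support.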
From: Eric Snowberg
To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org
Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, tadeusz.struk@intel.com, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v4 6/6] integrity: machine keyring CA configuration
Date: Mon, 6 Feb 2023 21:59:58 -0500
Message-Id: <20230207025958.974056-7-eric.snowberg@oracle.com>
In-Reply-To: <20230207025958.974056-1-eric.snowberg@oracle.com>
References: <20230207025958.974056-1-eric.snowberg@oracle.com>
Add a machine keyring CA restriction menu option to control the type of
keys that may be added to it. The options include none, min and max
restrictions.

When no restrictions are selected, all Machine Owner Keys (MOK) are added
to the machine keyring.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is selected, the CA bit must
be true. Also the key usage must contain keyCertSign; any other usage
field may be set as well.

When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must
be true. Also the key usage must contain keyCertSign and the
digitalSignature usage may not be set.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/restrict.c | 2 ++
 security/integrity/Kconfig | 39 ++++++++++++++++++++++++++++++-
 security/integrity/digsig.c | 8 +++++--
 3 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 48457c6f33f9..633021ea7901 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -140,6 +140,8 @@ int restrict_link_by_ca(struct key *dest_keyring, return -ENOKEY; if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) return -ENOKEY; + if (IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN)) + return 0; if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) return -ENOKEY;
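Review bot: the `IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN)` early return ties a generic crypto/asymmetric_keys restriction to a security/integrity Kconfig symbol, so every other present or future user of restrict_link_by_ca silently gets the weaker policy once the integrity option is selected. Prefer keeping restrict_link_by_ca strict and expressing the min/max choice in the caller (for example a second restriction helper, or the caller in digsig.c picking the function). The kernel-doc added in the previous patch also needs updating, since it still states that a certificate with digitalSignature set is rejected.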
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..eba6fd59fd16 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig 
@@ -68,13 +68,50 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +choice + prompt "Enforce Machine Keyring CA Restrictions" + default INTEGRITY_CA_MACHINE_KEYRING_NONE + depends on INTEGRITY_MACHINE_KEYRING + help + The .machine keyring can be configured to enforce CA restriction + on any key added to it. The options include none, min and max + restrictions. By default no restrictions are in place and all + Machine Owner Keys (MOK) are added to the machine keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_NONE + bool "No restrictions" + help + When no restrictions are selected, all Machine Owner Keys (MOK) + are added to the machine keyring. MOK keys do not require the + CA bit to be set. The key usage field is ignored. This is the + default setting. + +config INTEGRITY_CA_MACHINE_KEYRING_MIN + bool "Only CA keys (with or without DigitialSignature usage set)" + help + When min is selected, only load CA keys into the machine keyring. + The CA bit must be set along with the keyCertSign Usage field. + Keys containing the digitialSignature Usage field will also be + loaded. The remaining MOK keys are loaded into the .platform + keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_MAX + bool "Only CA keys" + help + When max is selected, only load CA keys into the machine keyring. + The CA bit must be set along with the keyCertSign Usage field. + Keys containing the digitialSignature Usage field will not be + loaded. The remaining MOK keys are loaded into the .platform + keyring. + +endchoice + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI 
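Review bot: this hunk drops `depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` from INTEGRITY_MACHINE_KEYRING unconditionally, while the new default option INTEGRITY_CA_MACHINE_KEYRING_NONE still admits every MOK key with the CA bit and key usage ignored, so the combination that this dependency previously excluded becomes selectable again with no CA check in place. Either carry the dependency over to the NONE option (`depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY` under `config INTEGRITY_CA_MACHINE_KEYRING_NONE`) or explain in the commit message why it is no longer needed. Two smaller points on the text: "DigitialSignature"/"digitialSignature" is misspelled in the MIN prompt and in both the MIN and MAX help texts, and "enforce CA restriction on any key" should read "CA restrictions".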
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f2193c531f4a..3385f534f1da 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,7 +132,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE))) { restriction = NULL; goto out; } @@ -144,7 +145,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services
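Review bot: in the first digsig.c hunk (@@ -132) the condition now mixes the runtime keyring id with a compile-time Kconfig symbol, and a reader has to consult security/integrity/Kconfig to learn that NONE/MIN/MAX is an exclusive `choice` before `IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE)` reads as "no restriction configured"; a one-line comment above the `if` saying exactly that would help. In the second hunk (@@ -145) `restrict_link_by_ca` is installed for `INTEGRITY_KEYRING_MACHINE`, but the comment that begins immediately after ("MOK keys can only be added through a read-only runtime services ...") should be revisited so it also mentions that with MIN or MAX the keys are additionally filtered by the CA restriction; otherwise the comment and the new assignment read as describing two different policies.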
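As an added illustration that is not part of this patch or of the kernel tree: a Python model of where a Machine Owner Key ends up under each of the three Kconfig options, judged from the certificate's basicConstraints and keyUsage fields, which is what the kernel's `KEY_EFLAG_CA`, `KEY_EFLAG_KEYCERTSIGN` and `KEY_EFLAG_DIGITALSIG` bits are parsed from. It assumes the third-party `cryptography` package is installed; `make_test_cert`, `keyring_for` and `classify` are the example's own names, and the test certificates are constructed in place.

```python
# Added example, not part of the patch: model where a Machine Owner Key lands under
# the none/min/max Kconfig options. Needs the third-party `cryptography` package.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_test_cert(cn, ca, key_cert_sign, digital_signature):
    """Constructed self-signed cert with the requested CA and keyUsage bits."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None),
                           critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=digital_signature, content_commitment=False,
                key_encipherment=False, data_encipherment=False, key_agreement=False,
                key_cert_sign=key_cert_sign, crl_sign=False,
                encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))

def _ext(cert, cls):
    """Extension value, or None when absent (the kernel then leaves its flag unset)."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def keyring_for(cert, policy):
    """Return '.machine' or '.platform' for policy 'none', 'min' or 'max'."""
    bc, ku = _ext(cert, x509.BasicConstraints), _ext(cert, x509.KeyUsage)
    if policy == "none":
        return ".machine"          # every MOK accepted; CA bit and key usage ignored
    if not (bc and bc.ca and ku and ku.key_cert_sign):
        return ".platform"         # -ENOKEY in restrict_link_by_ca: not a CA key
    if policy == "max" and ku.digital_signature:
        return ".platform"         # -ENOKEY: max also forbids digitalSignature
    return ".machine"

def classify(cert):
    return {p: keyring_for(cert, p) for p in ("none", "min", "max")}
```

Running `classify` on a leaf key, a pure CA key and a CA key that also carries digitalSignature shows the one case the min and max options disagree on: the mixed-usage CA key is admitted by min and diverted to .platform by max.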