From patchwork Fri May 31 00:39:38 2024
X-Patchwork-Id: 13680982
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 1/8] certs: Introduce ability to link to a system key
Date: Thu, 30 May 2024 18:39:38 -0600
Message-ID: <20240531003945.44594-2-eric.snowberg@oracle.com>
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
Introduce a new function to allow a keyring to link to a key contained within one of the system keyrings (builtin, secondary, or platform). Depending on how the kernel is built, if the machine keyring is available, it will be checked as well, since it is linked to the secondary keyring. If the asymmetric key id matches a key within one of these system keyrings, the matching key is linked into the passed-in keyring.
Signed-off-by: Eric Snowberg --- certs/system_keyring.c | 31 +++++++++++++++++++++++++++++++ include/keys/system_keyring.h | 7 ++++++- 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 9de610bf1f4b..94e47b6b3333 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -426,3 +426,34 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +/** + * system_key_link - Link to a system key + * @keyring: The keyring to link into + * @id: The asymmetric key id to look for in the system keyring + */ +int system_key_link(struct key *keyring, struct asymmetric_key_id *id) +{ + struct key *system_keyring; + struct key *key; + +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + system_keyring = secondary_trusted_keys; +#else + system_keyring = builtin_trusted_keys; +#endif + + key = find_asymmetric_key(system_keyring, id, NULL, NULL, false); + if (!IS_ERR(key)) + goto found; + + key = find_asymmetric_key(platform_trusted_keys, id, NULL, NULL, false); + if (!IS_ERR(key)) + goto found; + + return -ENOKEY; + +found: + key_link(keyring, key); + return 0; +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 8365adf842ef..b47ac8e2001a 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -9,6 +9,7 @@ #define _KEYS_SYSTEM_KEYRING_H #include +struct asymmetric_key_id; enum blacklist_hash_type { /* TBSCertificate hash */ @@ -28,7 +29,7 @@ int restrict_link_by_digsig_builtin(struct key *dest_keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int system_key_link(struct key *keyring, struct asymmetric_key_id *id); #else #define restrict_link_by_builtin_trusted restrict_link_reject #define restrict_link_by_digsig_builtin restrict_link_reject 
@@ -38,6 +39,10 @@ static inline __init int load_module_cert(struct key *keyring) return 0; } +static inline int system_key_link(struct key *keyring, struct asymmetric_key_id *id) +{ + return 0; +} #endif #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
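Review bot: in the certs/system_keyring.c hunk, system_key_link() leaks the reference that find_asymmetric_key() hands back and ignores the result of key_link(): the found key is never key_put(), and a link that the destination keyring's restriction rejects (or that fails with -ENOMEM) still returns 0 to the caller. Suggest replacing the two lines under `found:` with `ret = key_link(keyring, key); key_put(key); return ret;`. The second lookup also reads platform_trusted_keys outside the `#ifdef` block that the `#endif` in the hunk's leading context closes (the block holding set_platform_trusted_keys() and the variable itself), so the file will not build when the platform keyring is not configured; guard that lookup with the same `#ifdef` or provide a stub. The kernel-doc comment should also carry a Return: line (0 on success, -ENOKEY when no system keyring holds the id).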
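Review bot: in the second include/keys/system_keyring.h hunk, the stub used when the system trusted keyring is not built returns 0, so a caller cannot distinguish "the key was linked" from "this kernel has no system keyrings at all" and will proceed as if a root of trust had been installed. Returning -ENOKEY here, matching the not-found path of the real implementation, lets callers fail closed.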
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 2/8] clavis: Introduce a new system keyring called clavis
Date: Thu, 30 May 2024 18:39:39 -0600
Message-ID: <20240531003945.44594-3-eric.snowberg@oracle.com>
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
Introduce a new system keyring called clavis. This keyring shall contain a single asymmetric key. This key shall be linked to a key already contained in one of the system keyrings (builtin, secondary, or platform). The only way to add this key is during boot by passing in the asymmetric key id within the new "clavis=" boot param. If a matching key is found in one of the system keyrings, a link shall be created. This keyring will be used in the future by the new Clavis LSM.
Signed-off-by: Eric Snowberg --- .../admin-guide/kernel-parameters.txt | 6 ++ include/linux/integrity.h | 8 ++ security/Kconfig | 1 + security/Makefile | 1 + security/clavis/Kconfig | 9 ++ security/clavis/Makefile | 3 + security/clavis/clavis_keyring.c | 90 +++++++++++++++++++ security/integrity/iint.c | 2 + 8 files changed, 120 insertions(+) create mode 100644 security/clavis/Kconfig create mode 100644 security/clavis/Makefile create mode 100644 security/clavis/clavis_keyring.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 500cfa776225..4d505535ea3b 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -624,6 +624,12 @@ cio_ignore= [S390] See Documentation/arch/s390/common_io.rst for details. + clavis= [SECURITY,EARLY] + Identifies a specific key contained in one of the system + keyrings (builtin, secondary, or platform) to be used as + the Clavis root of trust. + Format: { } + clearcpuid=X[,X...] [X86] Disable CPUID feature X for the kernel. See arch/x86/include/asm/cpufeatures.h for the valid bit diff --git a/include/linux/integrity.h b/include/linux/integrity.h index f5842372359b..afa3acaa32d9 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -23,6 +23,14 @@ enum integrity_status { #ifdef CONFIG_INTEGRITY extern void __init integrity_load_keys(void); +#ifdef CONFIG_SECURITY_CLAVIS +void late_init_clavis_setup(void); +#else +static inline void late_init_clavis_setup(void) +{ +} +#endif + #else static inline void integrity_load_keys(void) { diff --git a/security/Kconfig b/security/Kconfig index 412e76f1575d..b9ad8e580b96 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -192,6 +192,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/clavis/Kconfig" source "security/integrity/Kconfig" 
diff --git a/security/Makefile b/security/Makefile index 59f238490665..add35a92bd8a 100644 --- a/security/Makefile +++ b/security/Makefile @@ -25,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_CLAVIS) += clavis/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig new file mode 100644 index 000000000000..ce65b29ef11e --- /dev/null +++ b/security/clavis/Kconfig @@ -0,0 +1,9 @@ +config SECURITY_CLAVIS + bool "Clavis keyring" + depends on SECURITY + help + Enable the clavis keyring. This keyring shall contain a single asymmetric key. + This key shall be linked to a key already contained in one of the system + keyrings (builtin, secondary, or platform). The only way to add this key + is during boot by passing in the asymmetric key id within the "clavis=" boot + param. This keyring is required by the Clavis LSM. diff --git a/security/clavis/Makefile b/security/clavis/Makefile new file mode 100644 index 000000000000..16c451f45f37 --- /dev/null +++ b/security/clavis/Makefile @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: GPL-2.0 + +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c new file mode 100644 index 000000000000..e92b8bd4ad5b --- /dev/null +++ b/security/clavis/clavis_keyring.c 
@@ -0,0 +1,90 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include + +static struct key *clavis_keyring; +static struct asymmetric_key_id *setup_keyid; + +#define MAX_BIN_KID 32 + +static struct { + struct asymmetric_key_id id; + unsigned char data[MAX_BIN_KID]; +} setup_key; + +static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_type *type, + const union key_payload *payload, struct key *restrict_key) +{ + static bool first_pass = true; + + /* + * Allow a single asymmetric key into this keyring. This key is used as the + * root of trust for anything added afterwards. + */ + if (type == &key_type_asymmetric && dest_keyring == clavis_keyring && first_pass) { + first_pass = false; + return 0; + } + + return -EOPNOTSUPP; +} + +static int __init clavis_param(char *kid) +{ + struct asymmetric_key_id *p = &setup_key.id; + int error, hex_len, ascii_len = strlen(kid); + + if (!kid) + return 1; + + hex_len = ascii_len / 2; + + if (hex_len > sizeof(setup_key.data)) + return 1; + + p->len = hex_len; + error = hex2bin(p->data, kid, p->len); + + if (error < 0) { + pr_err("Unparsable clavis key id\n"); + } else { + setup_keyid = p; + pr_info("clavis key id: %s\n", kid); + } + + return 1; +} +__setup("clavis=", clavis_param); + +static int __init clavis_keyring_init(void) +{ + struct key_restriction *restriction; + + restriction = kzalloc(sizeof(*restriction), GFP_KERNEL); + if (!restriction) + panic("Can't allocate clavis keyring restriction\n"); + restriction->check = restrict_link_for_clavis; + clavis_keyring = + keyring_alloc(".clavis", GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_WRITE | + KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | KEY_USR_WRITE, + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_SET_KEEP, + restriction, NULL); + + if (IS_ERR(clavis_keyring)) + panic("Can't allocate clavis keyring\n"); + + return 0; +} + +void __init late_init_clavis_setup(void) +{ + 
if (!setup_keyid) + return; + + clavis_keyring_init(); + system_key_link(clavis_keyring, setup_keyid); +} diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 068ac6c2ae1e..87a8bfc0662f 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c 
@@ -36,6 +36,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, */ void __init integrity_load_keys(void) { + late_init_clavis_setup(); + ima_load_x509(); if (!IS_ENABLED(CONFIG_IMA_LOAD_X509))
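Review bot: in the include/linux/integrity.h hunk, the new late_init_clavis_setup() declaration sits inside the `#ifdef CONFIG_INTEGRITY` block, and the only caller this series adds is integrity_load_keys() in security/integrity/iint.c, yet security/clavis/Kconfig declares only `depends on SECURITY`. With CONFIG_SECURITY_CLAVIS=y and CONFIG_INTEGRITY=n the object is built, the definition in clavis_keyring.c has no visible prototype, and the keyring is silently never created even when `clavis=` is given. Suggest `depends on INTEGRITY` in the Kconfig hunk (or a dedicated late_initcall in clavis_keyring.c), and marking the declaration `__init` to match both the definition and the integrity_load_keys() declaration beside it.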
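Review bot: in the security/clavis/clavis_keyring.c hunk, the keyring is created with KEY_POS_WRITE | KEY_USR_WRITE although the only intended writer is the in-kernel system_key_link() call, which needs no write permission, and late_init_clavis_setup() discards that call's return value. If the boot-time link fails (for example -ENOKEY because the id matches nothing), `first_pass` in restrict_link_for_clavis() is still true, so a later link or add of any asymmetric key by a process holding write permission on the keyring would be accepted as the root of trust. Suggest dropping the WRITE bits, as the builtin trusted keyring does, and logging or refusing the configuration when system_key_link() does not return 0. Separately, clavis_param() evaluates `strlen(kid)` in the declaration before the `if (!kid)` check, and `hex_len = ascii_len / 2` silently drops the last digit of an odd-length id and accepts an empty one; reject `ascii_len == 0 || (ascii_len & 1)` before calling hex2bin().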
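The `clavis=` parameter above carries the asymmetric key id as a hex string that the kernel decodes with hex2bin() into a bounded buffer and then matches exactly against the system keyrings. As an added example (not code from the patch), this user-space C model performs the same decoding with the input checks a boot-parameter parser needs and the exact-match comparison that selects the system key; `struct key_id`, the helper names and the sample ids are constructed for the example, with only MAX_BIN_KID taken from the patch.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on a binary key id; the patch uses the same value. */
#define MAX_BIN_KID 32

/* User-space stand-in for the kernel's struct asymmetric_key_id
 * (constructed for this example): a length plus a bounded data buffer. */
struct key_id {
	unsigned short len;
	unsigned char data[MAX_BIN_KID];
};

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Decode the value of "clavis=<hex key id>" into *out.
 * Returns 0 on success and -1 for any malformed id: NULL, empty, an odd
 * number of digits (no silent truncation), more than MAX_BIN_KID bytes
 * (checked before anything is written), or a non-hex character.
 * On failure the contents of *out are unspecified.
 */
int parse_clavis_key_id(const char *kid, struct key_id *out)
{
	size_t ascii_len, i;

	if (!kid || !out)
		return -1;
	ascii_len = strlen(kid);
	if (ascii_len == 0 || (ascii_len & 1) || ascii_len / 2 > MAX_BIN_KID)
		return -1;

	for (i = 0; i < ascii_len; i += 2) {
		int hi = hex_nibble(kid[i]);
		int lo = hex_nibble(kid[i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		out->data[i / 2] = (unsigned char)((hi << 4) | lo);
	}
	out->len = (unsigned short)(ascii_len / 2);
	return 0;
}

/* Decoded byte length of a hex id, or -1 if the id is rejected. */
int clavis_key_id_len(const char *kid)
{
	struct key_id id;

	return parse_clavis_key_id(kid, &id) == 0 ? (int)id.len : -1;
}

/* Exact comparison: the partial=false lookup the patch's link relies on. */
int key_id_equal(const struct key_id *a, const struct key_id *b)
{
	return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* 1 if the boot-parameter id selects the system key whose id is sys_hex. */
int clavis_id_matches(const char *kid, const char *sys_hex)
{
	struct key_id want, have;

	if (parse_clavis_key_id(kid, &want) || parse_clavis_key_id(sys_hex, &have))
		return 0;
	return key_id_equal(&want, &have);
}

int main(void)
{
	/* Constructed samples: one well-formed id and the shapes a parser must reject. */
	const char *samples[] = { "0a1B", "abc", "", "zz", "0a1b0a1b" };
	size_t n;

	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
		printf("clavis=%-10s -> %d\n", samples[n], clavis_key_id_len(samples[n]));
	printf("matches: %d\n", clavis_id_matches("0A1b", "0a1b"));
	return 0;
}
```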
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 3/8] efi: Make clavis boot param persist across kexec
Date: Thu, 30 May 2024 18:39:40 -0600
Message-ID: <20240531003945.44594-4-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Add the ability for the clavis boot param to persist across kexec. This is done by creating an RT variable before ExitBootServices is called. The new variable is called Clavis with a new GUID 193ccef6-348b-4f1f-a81b-0ea4b899dbf2. This variable does not have NVRAM set, signifying it was created during the Boot Services phase. This variable will persist across a kexec; however, it will not persist across a power on reset. This same type of functionality is currently used within EFI shim to mirror MOK variables into the kernel.
It is being used here so the clavis boot param can not be changed via kexec. If a different clavis boot param is used, the one stored in the RT variable will be used instead. Enforcement of which boot param to use will be done in a follow on patch. Signed-off-by: Eric Snowberg --- drivers/firmware/efi/Kconfig | 12 +++++++ drivers/firmware/efi/libstub/Makefile | 1 + drivers/firmware/efi/libstub/clavis.c | 33 +++++++++++++++++++ .../firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 2 ++ drivers/firmware/efi/libstub/efistub.h | 8 +++++ drivers/firmware/efi/libstub/x86-stub.c | 2 ++ include/linux/efi.h | 1 + 8 files changed, 61 insertions(+) create mode 100644 drivers/firmware/efi/libstub/clavis.c diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig index 72f2537d90ca..8dcb5326d05d 100644 --- a/drivers/firmware/efi/Kconfig +++ b/drivers/firmware/efi/Kconfig @@ -186,6 +186,18 @@ config RESET_ATTACK_MITIGATION have been evicted, since otherwise it will trigger even on clean reboots. +config EARLY_CLAVIS + bool "Early clavis" + depends on EFI_STUB + help + Allow the clavis boot param to persist across kexec. This will create a + variable called Clavis with a 193ccef6-348b-4f1f-a81b-0ea4b899dbf2 GUID. + This variable does not have NVRAM set, signifying it was created during + the Boot Services phase. This variable will persist across a kexec, + however it will not persist across a power on reset. During kexec, if + a different clavis boot param is used, the one stored in the RT variable + will be used instead. + config EFI_RCI2_TABLE bool "EFI Runtime Configuration Interface Table Version 2 Support" depends on X86 || COMPILE_TEST diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index 06f0428a723c..4ceb055fc01c 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile 
@@ -74,6 +74,7 @@ $(obj)/lib-%.o: $(srctree)/lib/%.c FORCE lib-$(CONFIG_EFI_GENERIC_STUB) += efi-stub.o string.o intrinsics.o systable.o \ screen_info.o efi-stub-entry.o +lib-$(CONFIG_EARLY_CLAVIS) += clavis.o lib-$(CONFIG_ARM) += arm32-stub.o lib-$(CONFIG_ARM64) += kaslr.o arm64.o arm64-stub.o smbios.o lib-$(CONFIG_X86) += x86-stub.o diff --git a/drivers/firmware/efi/libstub/clavis.c b/drivers/firmware/efi/libstub/clavis.c new file mode 100644 index 000000000000..3a715e87a13a --- /dev/null +++ b/drivers/firmware/efi/libstub/clavis.c @@ -0,0 +1,33 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include "efistub.h" + +#define MAX_PARAM_LENGTH 64 +static const efi_char16_t clavis_param_name[] = L"Clavis"; +static const efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID; +static unsigned char param_data[MAX_PARAM_LENGTH]; +static size_t param_len; + +void efi_parse_clavis(char *option) +{ + if (!option) + return; + + param_len = strnlen(option, MAX_PARAM_LENGTH); + memcpy(param_data, option, param_len); +} + +void efi_setup_clavis(void) +{ + efi_status_t error; + + if (param_len) { + error = set_efi_var(clavis_param_name, &clavis_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + param_len, ¶m_data); + } + + if (error) + efi_err("Failed to set Clavis\n"); +} diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index de659f6a815f..3c45eaec325d 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -100,6 +100,8 @@ efi_status_t efi_parse_options(char const *cmdline) } else if (!strcmp(param, "video") && val && strstarts(val, "efifb:")) { efi_parse_option_graphics(val + strlen("efifb:")); + } else if (!strcmp(param, "clavis") && val) { + efi_parse_clavis(val); } } efi_bs_call(free_pool, buf); diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c index 958a680e0660..c15cd0d9e71f 100644 
--- a/drivers/firmware/efi/libstub/efi-stub.c +++ b/drivers/firmware/efi/libstub/efi-stub.c @@ -183,6 +183,8 @@ efi_status_t efi_stub_common(efi_handle_t handle, install_memreserve_table(); + efi_setup_clavis(); + status = efi_boot_kernel(handle, image, image_addr, cmdline_ptr); free_screen_info(si); diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index 27abb4ce0291..e43c4fb5aa97 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h @@ -1142,6 +1142,14 @@ static inline void efi_enable_reset_attack_mitigation(void) { } #endif +#ifdef CONFIG_EARLY_CLAVIS +void efi_parse_clavis(char *option); +void efi_setup_clavis(void); +#else +static inline void efi_parse_clavis(char *option) { } +static inline void efi_setup_clavis(void) { } +#endif + void efi_retrieve_eventlog(void); struct screen_info *alloc_screen_info(void); diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index 1983fd3bf392..9457fc531cb4 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -975,6 +975,8 @@ void __noreturn efi_stub_entry(efi_handle_t handle, setup_unaccepted_memory(); + efi_setup_clavis(); + status = exit_boot(boot_params, handle); if (status != EFI_SUCCESS) { efi_err("exit_boot() failed!\n"); diff --git a/include/linux/efi.h b/include/linux/efi.h index 418e555459da..6887d4712c77 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h 
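Review bot: the EARLY_CLAVIS help text says the variable "does not have NVRAM set"; name the attribute, EFI_VARIABLE_NON_VOLATILE, so a reader can match it to the check the kernel-side consumer performs, and state that the option is only useful together with the Clavis LSM that reads the variable back, since on its own it just leaves an unreferenced runtime variable behind. The help text also never explains why a volatile runtime variable cannot be replaced after boot (the UEFI rule that once ExitBootServices() has run, SetVariable() only accepts variables that have EFI_VARIABLE_NON_VOLATILE set), which is the property the whole mechanism rests on; one sentence on that belongs here or in the commit message.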
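Review bot: `error` in efi_setup_clavis() is read uninitialized when `param_len` is zero: the `if (error)` test sits outside the `if (param_len)` block, so a boot without `clavis=` tests an indeterminate value and may print "Failed to set Clavis" (or the compiler may drop the check entirely). Initialize it with `efi_status_t error = EFI_SUCCESS;` or move the test inside the block. In efi_parse_clavis(), `strnlen(option, MAX_PARAM_LENGTH)` truncates rather than rejects an over-long value, so a `clavis=` string longer than 64 bytes is persisted as its first 64 bytes and the kernel side will later parse a key id that differs from the one on the command line; check the full length, report it with efi_err() and leave `param_len` at zero instead. Finally, `&param_data` is a pointer to the array rather than to its first element; it has the same address but the wrong type, so pass `param_data`.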
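Review bot: a second `clavis=` on the command line silently overwrites the first in efi_parse_clavis(). Since the stub's copy is later used to override the kernel's own parse of the same command line, the two parsers must agree on which occurrence counts; either reject a repeated occurrence here with efi_err() or document that the last one wins and make sure the kernel-side parser that fills setup_keyid behaves the same way.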
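Review bot: efi_parse_clavis() only reads its argument, so both the prototype and the !CONFIG_EARLY_CLAVIS stub in efistub.h should take `const char *option`; the `val` string from efi_parse_options() converts implicitly. A one-line comment on the stubs noting that without CONFIG_EARLY_CLAVIS nothing is persisted, and that the kexec check in the LSM will therefore fall back to the command-line value, would save the next reader a trip through Kconfig.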
@@ -422,6 +422,7 @@ void efi_native_runtime_setup(void); #define LINUX_EFI_UNACCEPTED_MEM_TABLE_GUID EFI_GUID(0xd5d1de3c, 0x105c, 0x44f9, 0x9e, 0xa9, 0xbc, 0xef, 0x98, 0x12, 0x00, 0x31) #define RISCV_EFI_BOOT_PROTOCOL_GUID EFI_GUID(0xccd15fec, 0x6f73, 0x4eec, 0x83, 0x95, 0x3e, 0x69, 0xe4, 0xb9, 0x40, 0xbf) +#define LINUX_EFI_CLAVIS_GUID EFI_GUID(0x193ccef6, 0x348b, 0x4f1f, 0xa8, 0x1b, 0x0e, 0xa4, 0xb8, 0x99, 0xdb, 0xf2) /* * This GUID may be installed onto the kernel image's handle as a NULL protocol

From patchwork Fri May 31 00:39:41 2024 X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 13680981 X-Patchwork-Delegate: paul@paul-moore.com
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 4/8] clavis: Prevent clavis boot param from changing during kexec
Date: Thu, 30 May 2024 18:39:41 -0600
Message-ID: <20240531003945.44594-5-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-security-module@vger.kernel.org

Use the new Clavis EFI RT variable to validate the clavis boot param didn't change during a reboot. If the boot param is different or missing, use the one stored in EFI instead. This will prevent a pivot in the root of trust for the upcoming Clavis LSM.
Signed-off-by: Eric Snowberg --- security/clavis/Makefile | 3 ++ security/clavis/clavis.h | 16 ++++++++++ security/clavis/clavis_efi.c | 50 ++++++++++++++++++++++++++++++++ security/clavis/clavis_keyring.c | 17 +++++++++-- 4 files changed, 84 insertions(+), 2 deletions(-) create mode 100644 security/clavis/clavis.h create mode 100644 security/clavis/clavis_efi.c diff --git a/security/clavis/Makefile b/security/clavis/Makefile index 16c451f45f37..2b2b3bc8eef4 100644 --- a/security/clavis/Makefile +++ b/security/clavis/Makefile @@ -1,3 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o +ifeq ($(CONFIG_EFI),y) +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o +endif diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h new file mode 100644 index 000000000000..708dd0b1cc76 --- /dev/null +++ b/security/clavis/clavis.h @@ -0,0 +1,16 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _SECURITY_CLAVIS_H_ +#define _SECURITY_CLAVIS_H_ + +struct asymmetric_key_id; + +#ifdef CONFIG_EFI +int clavis_efi_param(struct asymmetric_key_id *kid, int len); +#else +static inline int __init clavis_efi_param(struct asymmetric_key_id *kid, int len) +{ + return -EINVAL; +} +#endif + +#endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_efi.c b/security/clavis/clavis_efi.c new file mode 100644 index 000000000000..7bc8ef03794a --- /dev/null +++ b/security/clavis/clavis_efi.c 
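Review bot: the `ifeq ($(CONFIG_EFI),y)` guard around `obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o` is not the usual kbuild way to express an object that depends on two options; build a composite object instead, e.g. `clavis-y := clavis_keyring.o`, `clavis-$(CONFIG_EFI) += clavis_efi.o`, `obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o`, which keeps the conditional in the standard `-$(CONFIG_...)` form and avoids a bare ifeq in the Makefile.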
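Review bot: the two declarations of clavis_efi_param() in clavis.h disagree: the !CONFIG_EFI stub is `static inline int __init`, while the CONFIG_EFI prototype carries no `__init` even though the definition in clavis_efi.c does; mark the prototype `__init` as well so the section annotation is consistent on both sides. The header also uses -EINVAL and __init without including <linux/errno.h> and <linux/init.h>; include them rather than relying on include order in clavis_keyring.c.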
@@ -0,0 +1,50 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include "clavis.h" + +static efi_char16_t clavis_param_name[] = L"Clavis"; +static efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID; + +int __init clavis_efi_param(struct asymmetric_key_id *kid, int len) +{ + unsigned char buf[64]; + unsigned long ascii_len = sizeof(buf); + efi_status_t error; + int hex_len; + u32 attr; + + if (!efi_enabled(EFI_BOOT)) { + pr_info("efi_enabled(EFI_BOOT) not set"); + return -EPERM; + } + + if (!efi_enabled(EFI_RUNTIME_SERVICES)) { + pr_info("%s : EFI runtime services are not enabled\n", __func__); + return -EPERM; + } + + error = efi.get_variable(clavis_param_name, &clavis_guid, &attr, &ascii_len, &buf); + + if (error) { + pr_err("Error reading clavis parm\n"); + return -EINVAL; + } + + if (attr & EFI_VARIABLE_NON_VOLATILE) { + pr_info("Error: NV access set\n"); + return -EINVAL; + } else if (ascii_len > 0) { + hex_len = ascii_len / 2; + + if (hex_len > len) { + pr_info("invalid length\n"); + return -EINVAL; + } + kid->len = hex_len; + return hex2bin(kid->data, buf, kid->len); + } + + pr_info("Error: invalid size\n"); + return -EINVAL; +} diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index e92b8bd4ad5b..1225a8ee1e5a 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c @@ -4,6 +4,7 @@ #include #include #include +#include "clavis.h" static struct key *clavis_keyring; static struct asymmetric_key_id *setup_keyid; 
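Review bot: `hex_len = ascii_len / 2` in clavis_efi_param() silently discards the last nibble of an odd-length value, so hex2bin() decodes a different key id from the one the stub stored; reject odd `ascii_len` before converting. The error handling after efi.get_variable() also needs refining: every non-zero status hits pr_err("Error reading clavis parm"), but EFI_NOT_FOUND is the normal state on a cold boot without `clavis=` and should be quiet, while EFI_BUFFER_TOO_SMALL means a variable larger than 64 bytes exists and deserves its own message. The EFI_VARIABLE_NON_VOLATILE rejection is the important check in this function, since a non-volatile variable with this name and GUID could be created after boot by anyone able to write EFI variables, whereas the volatile one cannot; log it with pr_warn rather than pr_info so the rejection is visible. Smaller points: "parm" in the message is a typo, the EFI_BOOT message lacks its "\n", `&buf` should be `buf`, the 64-byte buffer duplicates MAX_PARAM_LENGTH from the stub and should be a shared define next to LINUX_EFI_CLAVIS_GUID in include/linux/efi.h, and a `#define pr_fmt(fmt) "clavis: " fmt` would give the messages a consistent prefix.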
@@ -82,9 +83,21 @@ static int __init clavis_keyring_init(void) void __init late_init_clavis_setup(void) { - if (!setup_keyid) + int error; + struct { + struct asymmetric_key_id id; + unsigned char data[MAX_BIN_KID]; + } efi_keyid; + struct asymmetric_key_id *keyid = &efi_keyid.id; + + error = clavis_efi_param(keyid, sizeof(efi_keyid.data)); + + if (error && !setup_keyid) return; + if (error) + keyid = setup_keyid; + clavis_keyring_init(); - system_key_link(clavis_keyring, setup_keyid); + system_key_link(clavis_keyring, keyid); }

From patchwork Fri May 31 00:39:42 2024 X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 13680984 X-Patchwork-Delegate: paul@paul-moore.com
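Review bot: late_init_clavis_setup() never compares the key id read from EFI with setup_keyid, so the case the commit message describes, a kexec with a different or missing `clavis=`, is handled silently: the EFI value wins and nothing is logged. Add an explicit asymmetric_key_id_same() comparison and a pr_warn() on mismatch, because that mismatch is precisely the event an administrator needs to see. The fallback is also too broad: clavis_efi_param() returns -EPERM when EFI or its runtime services are unavailable and -EINVAL for a malformed or non-volatile variable, yet every error is treated as "no stored value, use the command line", which accepts the command-line value unverified in exactly the cases where verification failed; distinguish "no variable exists" (the only case where falling back is safe) from "could not verify" and refuse, or at least warn, in the latter. Finally, the anonymous struct that places `unsigned char data[MAX_BIN_KID]` after `struct asymmetric_key_id id` hand-builds an on-stack flexible-array object; DEFINE_FLEX() from <linux/overflow.h> expresses the same thing without relying on layout.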
From: Eric Snowberg To: linux-security-module@vger.kernel.org Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [RFC PATCH v2 5/8] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE) Date: Thu, 30 May 2024 18:39:42 -0600 Message-ID: <20240531003945.44594-6-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com> References: <20240531003945.44594-1-eric.snowberg@oracle.com> X-ClientProxiedBy: LO4P123CA0591.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:295::13) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|CO1PR10MB4785:EE_ X-MS-Office365-Filtering-Correlation-Id: 026e2932-e2b7-4bdc-f811-08dc810a3760 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230031|366007|7416005|1800799015|376005; X-Microsoft-Antispam-Message-Info: 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 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(366007)(7416005)(1800799015)(376005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 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 
Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new usage will be used for validating keys added to the new clavis lsm keyring. This will be introduced in a follow-on patch.

Signed-off-by: Eric Snowberg
---
 crypto/asymmetric_keys/asymmetric_type.c | 1 +
 crypto/asymmetric_keys/pkcs7_verify.c | 1 +
 include/linux/verification.h | 1 +
 3 files changed, 3 insertions(+)

diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index a5da8ccd353e..7fdc006f18d6 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -25,6 +25,7 @@ const char *const key_being_used_for[NR__KEY_BEING_USED_FOR] = { [VERIFYING_KEY_SIGNATURE] = "key sig", [VERIFYING_KEY_SELF_SIGNATURE] = "key self sig", [VERIFYING_UNSPECIFIED_SIGNATURE] = "unspec sig", + [VERIFYING_CLAVIS_SIGNATURE] = "clavis sig", }; EXPORT_SYMBOL_GPL(key_being_used_for); diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index f0d4ff3c20a8..1dc80e68ce96 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -428,6 +428,7 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, } /* Authattr presence checked in parser */ break; + case VERIFYING_CLAVIS_SIGNATURE: case VERIFYING_UNSPECIFIED_SIGNATURE: if (pkcs7->data_type != OID_data) { pr_warn("Invalid unspecified sig (not pkcs7-data)\n"); diff --git a/include/linux/verification.h b/include/linux/verification.h index cb2d47f28091..970f748b5cc9 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h 
@@ -36,6 +36,7 @@ enum key_being_used_for { VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, VERIFYING_UNSPECIFIED_SIGNATURE, + VERIFYING_CLAVIS_SIGNATURE, NR__KEY_BEING_USED_FOR }; extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
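Review bot: In the pkcs7_verify.c hunk, `case VERIFYING_CLAVIS_SIGNATURE:` falls through to the VERIFYING_UNSPECIFIED_SIGNATURE branch, so a clavis ACL whose content type is not pkcs7-data is logged as "Invalid unspecified sig (not pkcs7-data)", which points a reader at the wrong usage; give the clavis case its own message or print key_being_used_for[usage] in the warning. The verification.h hunk adds the enum value without a comment and its only consumer arrives in a later patch, so a one-line comment saying that it marks signatures checked against the clavis keyring (the new "clavis sig" string in asymmetric_type.c is currently the only hint) would help.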
From patchwork Fri May 31 00:39:43 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13680986
X-Patchwork-Delegate: paul@paul-moore.com
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 6/8] keys: Add ability to track intended usage of the public key
Date: Thu, 30 May 2024 18:39:43 -0600
Message-ID: <20240531003945.44594-7-eric.snowberg@oracle.com>
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
Add two new fields in public_key_signature to track the intended usage of the signature. Also add a flag for the revocation pass.

During signature validation, two verifications can take place for the same signature. One to see if it verifies against something on the .blacklist keyring and the other to see if it verifies against the supplied keyring. The flag is used to determine which stage the verification is in.
Signed-off-by: Eric Snowberg --- certs/blacklist.c | 3 +++ crypto/asymmetric_keys/pkcs7_trust.c | 20 ++++++++++++++++++++ crypto/asymmetric_keys/pkcs7_verify.c | 4 ++++ include/crypto/pkcs7.h | 3 +++ include/crypto/public_key.h | 4 ++++ 5 files changed, 34 insertions(+) diff --git a/certs/blacklist.c b/certs/blacklist.c index 675dd7a8f07a..dd34e56a6362 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "blacklist.h" /* @@ -289,7 +290,9 @@ int is_key_on_revocation_list(struct pkcs7_message *pkcs7) { int ret; + pkcs7_set_usage_flag(pkcs7, PKS_REVOCATION_PASS); ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + pkcs7_clear_usage_flag(pkcs7, PKS_REVOCATION_PASS); if (ret == 0) return -EKEYREJECTED; diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 9a87c34ed173..64d70eb68864 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -131,6 +131,26 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return 0; } +void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage) +{ + struct pkcs7_signed_info *sinfo; + + for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->sig) + clear_bit(usage, &sinfo->sig->usage_flags); + } +} + +void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage) +{ + struct pkcs7_signed_info *sinfo; + + for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->sig) + set_bit(usage, &sinfo->sig->usage_flags); + } +} + /** * pkcs7_validate_trust - Validate PKCS#7 trust chain * @pkcs7: The PKCS#7 certificate to validate diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 1dc80e68ce96..44b8bd0ad4d8 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c 
@@ -455,6 +455,10 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, return ret; } actual_ret = 0; + if (sinfo->sig) { + sinfo->sig->usage = usage; + set_bit(PKS_USAGE_SET, &sinfo->sig->usage_flags); + } } kleave(" = %d", actual_ret); diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..6c3c9061b118 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -32,6 +32,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, struct key *trust_keyring); +extern void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage); +extern void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage); + /* * pkcs7_verify.c */ diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index b7f308977c84..394022b5d856 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -49,6 +49,10 @@ struct public_key_signature { const char *pkey_algo; const char *hash_algo; const char *encoding; + u32 usage; /* Intended usage */ + unsigned long usage_flags; +#define PKS_USAGE_SET 0 +#define PKS_REVOCATION_PASS 1 }; extern void public_key_signature_free(struct public_key_signature *sig);
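Review bot: In the public_key.h hunk, `u32 usage; /* Intended usage */` and `unsigned long usage_flags;` with two `#define`s inside the struct body are under-documented: nothing states that `usage` is valid only once PKS_USAGE_SET is set (the pkcs7_verify.c hunk stamps both only for signed_infos that verified, after `actual_ret = 0`), that PKS_REVOCATION_PASS marks the pkcs7_validate_trust() call against the blacklist keyring that is_key_on_revocation_list() now brackets, or why `usage` is a u32 rather than enum key_being_used_for. The new pkcs7_set_usage_flag()/pkcs7_clear_usage_flag() in the pkcs7_trust.c hunk also land directly above the kernel-doc block of pkcs7_validate_trust() without one of their own; the two bodies differ only in set_bit versus clear_bit and could share one static helper taking a bool.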
From patchwork Fri May 31 00:39:44 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13680988
X-Patchwork-Delegate: paul@paul-moore.com
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 7/8] clavis: Introduce a new key type called clavis_key_acl
Date: Thu, 30 May 2024 18:39:44 -0600
Message-ID: <20240531003945.44594-8-eric.snowberg@oracle.com>
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
References: <20240531003945.44594-1-eric.snowberg@oracle.com>
Introduce a new key type for keyring access control. The new key type is called clavis_key_acl. The clavis_key_acl contains the subject key identifier along with the allowed usage type for the key.
The format is as follows:

  XX:YYYYYYYYYYY

  XX - Single byte of the key type
         VERIFYING_MODULE_SIGNATURE       00
         VERIFYING_FIRMWARE_SIGNATURE     01
         VERIFYING_KEXEC_PE_SIGNATURE     02
         VERIFYING_KEY_SIGNATURE          03
         VERIFYING_KEY_SELF_SIGNATURE     04
         VERIFYING_UNSPECIFIED_SIGNATURE  05
  :  - ASCII colon
  YY - Even number of hexadecimal characters representing the key id

This key type will be used in the clavis keyring for access control. To be added to the clavis keyring, the clavis_key_acl must be S/MIME signed by the sole asymmetric key contained within it.

Below is an example of how this could be used. Within the example, the key (b360d113c848ace3f1e6a80060b43d1206f0487d) is already in the machine keyring. The intended usage for this key is to validate a signed kernel for kexec:

  echo "02:b360d113c848ace3f1e6a80060b43d1206f0487d" > kernel-acl.txt

The next step is to sign it:

  openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in \
    kernel-acl.txt -out kernel-acl.pkcs7 -binary -outform DER \
    -nodetach -noattr

The final step is how to add the acl to the .clavis keyring:

  keyctl padd clavis_key_acl "" %:.clavis < kernel-acl.pkcs7

Afterwards the new clavis_key_acl can be seen in the .clavis keyring:

  keyctl show %:.clavis
  Keyring
   keyring: .clavis
   \_ asymmetric: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8
   \_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d

Signed-off-by: Eric Snowberg
---
 .../admin-guide/kernel-parameters.txt | 2 +
 security/clavis/clavis_keyring.c | 128 ++++++++++++++++++
 2 files changed, 130 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 4d505535ea3b..c2d498eb2466 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -629,6 +629,8 @@ keyrings (builtin, secondary, or platform) to be used as the Clavis root of trust. Format: { } + See Documentation/admin-guide/LSM/clavis.rst for + details. clearcpuid=X[,X...] [X86] Disable CPUID feature X for the kernel. See diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 1225a8ee1e5a..9b3db299acef 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c @@ -2,13 +2,18 @@ #include #include +#include #include +#include #include +#include +#include #include "clavis.h" static struct key *clavis_keyring; static struct asymmetric_key_id *setup_keyid; +#define MAX_ASCII_KID 64 #define MAX_BIN_KID 32 static struct { 
@@ -16,6 +21,123 @@ static struct { unsigned char data[MAX_BIN_KID]; } setup_key; +static int pkcs7_preparse_content(void *ctx, const void *data, size_t len, + size_t asn1hdrlen) +{ + struct key_preparsed_payload *prep = ctx; + const void *saved_prep_data; + size_t saved_prep_datalen; + const char *p; + char *desc; + int ret, i; + + /* key_acl_free_preparse will free this */ + desc = kmalloc(len, GFP_KERNEL); + + if (!desc) + return -ENOMEM; + memcpy(desc, data, len); + + /* remove any white space */ + for (i = 0, p = desc; i < len; i++, p++) { + if (isspace(*p)) + desc[i] = 0; + } + + prep->description = desc; + saved_prep_data = prep->data; + saved_prep_datalen = prep->datalen; + prep->data = desc; + prep->datalen = len; + ret = user_preparse(prep); + prep->data = saved_prep_data; + prep->datalen = saved_prep_datalen; + return ret; +} + +static void key_acl_free_preparse(struct key_preparsed_payload *prep) +{ + kfree(prep->description); + user_free_preparse(prep); +} + +static int key_acl_preparse(struct key_preparsed_payload *prep) +{ + /* Only allow the description to be set via the pkcs7 data contents */ + if (prep->orig_description) + return -EINVAL; + + return verify_pkcs7_signature(NULL, 0, prep->data, prep->datalen, clavis_keyring, + VERIFYING_CLAVIS_SIGNATURE, pkcs7_preparse_content, + prep); +} + +static int key_acl_instantiate(struct key *key, struct key_preparsed_payload *prep) +{ + key->perm |= KEY_USR_READ; + key->perm |= KEY_USR_SEARCH; + set_bit(KEY_FLAG_KEEP, &key->flags); + return generic_key_instantiate(key, prep); +} + +static void key_acl_destroy(struct key *key) +{ + /* It should not be possible to get here */ + pr_info("destroy clavis_key_acl denied\n"); +} + +static void key_acl_revoke(struct key *key) +{ + /* It should not be possible to get here */ + pr_info("revoke clavis_key_acl denied\n"); +} + +static int key_acl_update(struct key *key, struct key_preparsed_payload *prep) +{ + return -EPERM; +} + +static int 
key_acl_vet_description(const char *desc) +{ + unsigned char data[MAX_BIN_KID]; + int ascii_len, hex_len, error; + + ascii_len = strlen(desc); + + /* + * clavis_acl format: + * xx:yyyyyyyyy... + * + * xx - Single byte of the key type + * : - Ascii colon + * yyyy - Even number of hexadecimal characters representing the keyid + */ + if (ascii_len < 5 || ascii_len > (MAX_ASCII_KID + 3) || desc[2] != ':') + return -EINVAL; + + /* move past the colon */ + ascii_len -= 3; + hex_len = ascii_len / 2; + error = hex2bin(data, desc + 3, hex_len); + + if (error < 0) + pr_err("Unparsable clavis key id\n"); + + return error; +} + +static struct key_type clavis_key_acl = { + .name = "clavis_key_acl", + .preparse = key_acl_preparse, + .free_preparse = key_acl_free_preparse, + .instantiate = key_acl_instantiate, + .update = key_acl_update, + .revoke = key_acl_revoke, + .destroy = key_acl_destroy, + .vet_description = key_acl_vet_description, + .read = user_read, +}; + static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *restrict_key) { @@ -30,6 +152,9 @@ static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_t return 0; } + if (type == &clavis_key_acl) + return 0; + return -EOPNOTSUPP; } 
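Review bot: In the @@ -16,6 +21,123 @@ hunk, pkcs7_preparse_content() allocates `desc` with `kmalloc(len, GFP_KERNEL)` and copies exactly `len` bytes, so the string is NUL-terminated only if the signed payload happens to contain whitespace (the trailing newline that `echo` adds in the example); a payload written without one hands an unterminated buffer to `strlen(desc)` in key_acl_vet_description(), which then reads past the allocation. Use kmemdup_nul(data, len, GFP_KERNEL) (or allocate `len + 1` and terminate explicitly), and stop at the first whitespace instead of overwriting every one, because `02:b3 60` currently parses as `02:b3` rather than being rejected; the comment "remove any white space" should say what the loop actually does. key_acl_vet_description() also never validates the usage byte (only `desc[2] != ':'` is checked, so `99:` or `zz:` passes) and `hex_len = ascii_len / 2` silently discards the last digit of an odd-length key id; both cases should return -EINVAL.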
@@ -64,6 +189,9 @@ static int __init clavis_keyring_init(void) { struct key_restriction *restriction; + if (register_key_type(&clavis_key_acl) < 0) + panic("Can't allocate clavis key type\n"); + restriction = kzalloc(sizeof(*restriction), GFP_KERNEL); if (!restriction) panic("Can't allocate clavis keyring restriction\n");
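A userspace model of the clavis_key_acl description format from patch 7/8, added here as an illustration and not part of the patch. It mirrors the length and colon checks of key_acl_vet_description(), goes beyond it by also rejecting an unknown usage byte and an odd number of key-id digits, and then performs an assumed policy check (may this key id be used for this usage) that stands in for the keyring lookup a later patch in the series provides; hex2bin() is a local stand-in for the kernel helper of the same name.

```c
/* Userspace model of the clavis_key_acl description ("XX:hex-key-id") from
 * patch 7/8. Added illustration, not kernel code; errors are negative errno. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ASCII_KID 64   /* limits from security/clavis/clavis_keyring.c */
#define MAX_BIN_KID   32

/* Usage byte values as tabulated in the commit message (00..05). */
enum clavis_usage {
	CLAVIS_MODULE_SIGNATURE = 0,
	CLAVIS_FIRMWARE_SIGNATURE,
	CLAVIS_KEXEC_PE_SIGNATURE,
	CLAVIS_KEY_SIGNATURE,
	CLAVIS_KEY_SELF_SIGNATURE,
	CLAVIS_UNSPECIFIED_SIGNATURE,
	NR_CLAVIS_USAGE
};

struct clavis_acl {
	unsigned int usage;              /* one of enum clavis_usage */
	unsigned char kid[MAX_BIN_KID];  /* subject key identifier, binary */
	size_t kid_len;
};

static int hex_to_nibble(char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Stand-in for the kernel's hex2bin(): decode count bytes, 0 or -EINVAL. */
static int hex2bin(unsigned char *dst, const char *src, size_t count)
{
	for (; count; count--, src += 2) {
		int hi = hex_to_nibble(src[0]), lo = hex_to_nibble(src[1]);
		if (hi < 0 || lo < 0)
			return -EINVAL;
		*dst++ = (unsigned char)((hi << 4) | lo);
	}
	return 0;
}

/* Vet and decode one description. Same length/colon checks as
 * key_acl_vet_description(); additionally rejects an unknown usage byte and
 * an odd number of key-id digits, both of which the posted code lets through. */
int clavis_acl_parse(const char *desc, struct clavis_acl *out)
{
	size_t ascii_len = strlen(desc);
	int hi, lo;

	/* "xx:" plus at least one key-id byte; key id capped at MAX_ASCII_KID */
	if (ascii_len < 5 || ascii_len > MAX_ASCII_KID + 3 || desc[2] != ':')
		return -EINVAL;
	hi = hex_to_nibble(desc[0]);
	lo = hex_to_nibble(desc[1]);
	if (hi < 0 || lo < 0 || ((hi << 4) | lo) >= NR_CLAVIS_USAGE)
		return -EINVAL;
	ascii_len -= 3;                 /* move past the colon */
	if (ascii_len & 1)
		return -EINVAL;         /* integer division would drop a nibble */
	out->usage = (unsigned int)((hi << 4) | lo);
	out->kid_len = ascii_len / 2;   /* <= MAX_BIN_KID by the bound above */
	return hex2bin(out->kid, desc + 3, out->kid_len);
}

/* Assumed policy check (the series' real lookup is in a later patch): a key
 * may be used for `usage` only if an ACL entry names that key id with it. */
bool clavis_acl_permits(const struct clavis_acl *acls, size_t n,
			const unsigned char *kid, size_t kid_len,
			unsigned int usage)
{
	for (size_t i = 0; i < n; i++)
		if (acls[i].usage == usage && acls[i].kid_len == kid_len &&
		    memcmp(acls[i].kid, kid, kid_len) == 0)
			return true;
	return false;
}

int main(void)
{
	/* Constructed input: the commit message's kexec ACL for the machine key */
	struct clavis_acl acl;

	if (clavis_acl_parse("02:b360d113c848ace3f1e6a80060b43d1206f0487d", &acl))
		return 1;
	printf("usage %u, %zu-byte key id, kexec %s, module load %s\n",
	       acl.usage, acl.kid_len,
	       clavis_acl_permits(&acl, 1, acl.kid, acl.kid_len,
				  CLAVIS_KEXEC_PE_SIGNATURE) ? "permitted" : "denied",
	       clavis_acl_permits(&acl, 1, acl.kid, acl.kid_len,
				  CLAVIS_MODULE_SIGNATURE) ? "permitted" : "denied");
	return 0;
}
```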
From: Eric Snowberg To: linux-security-module@vger.kernel.org Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Subject: [RFC PATCH v2 8/8] clavis: Introduce new LSM called clavis Date: Thu, 30 May 2024 18:39:45 -0600 Message-ID: <20240531003945.44594-9-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com> References: <20240531003945.44594-1-eric.snowberg@oracle.com> X-Mailing-List: linux-security-module@vger.kernel.org
Introduce a new LSM called clavis. The motivation behind this LSM is to provide access control for system keys. The access control list is contained within a keyring called .clavis. During boot, if the clavis= boot arg is supplied with a key id contained within any of the current system keyrings (builtin, secondary, machine, or platform), it shall be used as the root of trust for validating anything that is added to the ACL list. The first restriction introduced with this LSM is the ability to enforce key usage. The kernel already has a notion of tracking key usage.
This LSM adds the ability to enforce this usage based on the system owner's configuration. Each system key may have one or more uses defined within the ACL list. When this LSM is enabled, only the builtin keys are available for loading kernel modules and doing a kexec. Until an entry is added to the .clavis keyring, no other system key may be used for any other purpose. In the future it is envisioned this LSM could be enhanced to provide access control for UEFI Secure Boot Advanced Targeting (SBAT). Using the same clavis= boot param and storing the additional contents within the new Runtime Services UEFI var, SBAT restrictions could be maintained across kexec. Signed-off-by: Eric Snowberg --- Documentation/admin-guide/LSM/clavis.rst | 198 +++++++++++++++++++++++ MAINTAINERS | 7 + crypto/asymmetric_keys/signature.c | 4 + include/linux/lsm_hook_defs.h | 2 + include/linux/security.h | 7 + include/uapi/linux/lsm.h | 1 + security/Kconfig | 10 +- security/clavis/Makefile | 1 + security/clavis/clavis.c | 25 +++ security/clavis/clavis.h | 4 + security/clavis/clavis_keyring.c | 83 ++++++++++ security/security.c | 16 +- 12 files changed, 352 insertions(+), 6 deletions(-) create mode 100644 Documentation/admin-guide/LSM/clavis.rst create mode 100644 security/clavis/clavis.c diff --git a/Documentation/admin-guide/LSM/clavis.rst b/Documentation/admin-guide/LSM/clavis.rst new file mode 100644 index 000000000000..d1641e3ef38b --- /dev/null +++ b/Documentation/admin-guide/LSM/clavis.rst
@@ -0,0 +1,198 @@ +.. SPDX-License-Identifier: GPL-2.0 + +====== +Clavis +====== + +Clavis is a Linux Security Module that provides mandatory access control to +system kernel keys (i.e. builtin, secondary, machine and platform). These +restrictions will prohibit keys from being used for validation. Upon boot, the +Clavis LSM is provided a key id as a boot param. This single key is then +used as the root of trust for any access control modifications made going +forward. Access control updates must be signed and validated by this key. + +Clavis has its own keyring. All ACL updates are applied through this keyring. +The update must be signed by the single root of trust key. + +When enabled, all system keys are prohibited from being used until an ACL is +added for them. There is two exceptions to this rule, builtin keys may be used +to validate both signed kernels and modules. + +Adding system kernel keys can only be performed by the machine owner; this +could be through the Machine Owner Key (MOK) or the UEFI Secure Boot DB. It +is possible the machine owner and system administrator may be different +people. The system administrator will not be able to make ACL updates without +them being signed by the machine owner. + +On UEFI platforms, the root of trust key shall survive a kexec. Trying to +defeat or change it from the command line is not allowed. The original boot +param is stored in UEFI and will always be referenced following a kexec. + +The Clavis LSM contains a system keyring call .clavis. It contains a single +asymmetric key that is use to validate anything added to it. This key can only +be added during boot and must be a preexisting system kernel key. If the +``clavis=`` boot param is not used, the keyring does not exist and the feature +can not be used until the next reboot. + +The only user space components are OpenSSL and the keyctl utility. A new +key type call ``clavis_key_acl`` is used for ACL updates. 
Any number of signed +``clavis_key_acl`` entries may be added to the .clavis keyring. The +``clavis_key_acl`` contains the subject key identifier along with the allowed +usage type for +the key. + +The format is as follows: + +.. code-block:: console + + XX:YYYYYYYYYYY + + XX - Single byte of the key type + VERIFYING_MODULE_SIGNATURE 00 + VERIFYING_FIRMWARE_SIGNATURE 01 + VERIFYING_KEXEC_PE_SIGNATURE 02 + VERIFYING_KEY_SIGNATURE 03 + VERIFYING_KEY_SELF_SIGNATURE 04 + VERIFYING_UNSPECIFIED_SIGNATURE 05 + : - ASCII colon + YY - Even number of hexadecimal characters representing the key id + +The ``clavis_key_acl`` must be S/MIME signed by the sole asymmetric key contained +within the .clavis keyring. + +In the future if new features are added, new key types could be created. + +Usage Examples +============== + +How to create a signing key: +---------------------------- + +.. code-block:: bash + + cat < clavis-lsm.genkey + [ req ] + default_bits = 4096 + distinguished_name = req_distinguished_name + prompt = no + string_mask = utf8only + x509_extensions = v3_ca + [ req_distinguished_name ] + O = TEST + CN = Clavis LSM key + emailAddress = user@example.com + [ v3_ca ] + basicConstraints=CA:TRUE + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer + keyUsage=digitalSignature + EOF + + openssl req -new -x509 -utf8 -sha256 -days 3650 -batch \ + -config clavis-lsm.genkey -outform DER \ + -out clavis-lsm.x509 -keyout clavis-lsm.priv + +How to get the Subject Key Identifier +------------------------------------- + +.. code-block:: bash + + openssl x509 -in ./clavis-lsm.x509 -inform der \ + -ext subjectKeyIdentifier -nocert \ + | tail -n +2 | cut -f2 -d '='| tr -d ':' + 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +How to enroll the signing key into the MOK +------------------------------------------ + +The key must now be added to the machine or platform keyrings. This +indicates the key was added by the system owner. 
To add to the machine +keyring on x86 do: + +.. code-block:: bash + + mokutil --import ./clavis-lsm.x509 + +and then reboot and enroll the key through the MokManager. + +How to enable the Clavis LSM +---------------------------- + +Add the key id to the ``clavis=`` boot param. With the example above the +key id is the subject key identifier: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +Add the following boot param: + +.. code-block:: console + + clavis=4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +After booting there will be a single key contained in the .clavis keyring: + +.. code-block:: bash + + keyctl show %:.clavis + Keyring + 254954913 ----swrv 0 0 keyring: .clavis + 301905375 ---lswrv 0 0 \_ asymmetric: TEST: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +The original ``clavis=`` boot param will persist across any kexec. Changing it or +removing it has no effect. + + +How to sign an entry to be added to the .clavis keyring: +-------------------------------------------------------- + +In this example we have 3 keys in the machine keyring. Our Clavis LSM key, a +key we want to use for kernel verification and a key we want to use for module +verification. + +.. code-block:: bash + + keyctl show %:.machine + Keyring + 999488265 ---lswrv 0 0 keyring: .machine + 912608009 ---lswrv 0 0 \_ asymmetric: TEST: Module Key: 17eb8c5bf766364be094c577625213700add9471 + 646229664 ---lswrv 0 0 \_ asymmetric: TEST: Kernel Key: b360d113c848ace3f1e6a80060b43d1206f0487d + 1073737099 ---lswrv 0 0 \_ asymmetric: TEST: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +To update the .clavis kerying ACL list. First create a file containing the +key usage type followed by a colon and the key id that we want to allow to +validate that usage. In the first example we are saying key +17eb8c5bf766364be094c577625213700add9471 is allowed to validate kernel modules. 
+In the second example we are saying key b360d113c848ace3f1e6a80060b43d1206f0487d +is allowed to validate signed kernels. + +.. code-block:: bash + + echo "00:17eb8c5bf766364be094c577625213700add9471" > module-acl.txt + echo "02:b360d113c848ace3f1e6a80060b43d1206f0487d" > kernel-acl.txt + +Now both these files must be signed by the key contained in the .clavis keyring: + +.. code-block:: bash + + openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in module-acl.txt \ + -out module-acl.pkcs7 -binary -outform DER -nodetach -noattr + + openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in kernel-acl.txt \ + -out kernel-acl.pkcs7 -binary -outform DER -nodetach -noattr + +Afterwards the ACL list in the clavis keyring can be updated: + +.. code-block:: bash + + keyctl padd clavis_key_acl "" %:.clavis < module-acl.pkcs7 + keyctl padd clavis_key_acl "" %:.clavis < kernel-acl.pkcs7 + + keyctl show %:.clavis + + Keyring + 254954913 ----swrv 0 0 keyring: .clavis + 301905375 ---lswrv 0 0 \_ asymmetric: TEST: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + 1013065475 --alswrv 0 0 \_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d + 445581284 --alswrv 0 0 \_ clavis_key_acl: 00:17eb8c5bf766364be094c577625213700add9471 + +Now the 17eb8c5bf766364be094c577625213700add9471 key can be used for +validating kernel modules and the b360d113c848ace3f1e6a80060b43d1206f0487d +key can be used to validate signed kernels. diff --git a/MAINTAINERS b/MAINTAINERS index d6c90161c7bf..edf28dee71f2 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -5326,6 +5326,13 @@ F: scripts/Makefile.clang F: scripts/clang-tools/ K: \b(?i:clang|llvm)\b +CLAVIS LINUX SECURITY MODULE +M: Eric Snowberg +L: linux-security-module@vger.kernel.org +S: Maintained +F: Documentation/admin-guide/LSM/clavis.rst +F: security/clavis + CLK API M: Russell King L: linux-clk@vger.kernel.org 
diff --git a/crypto/asymmetric_keys/signature.c b/crypto/asymmetric_keys/signature.c index 2deff81f8af5..7e3a78650a93 100644 --- a/crypto/asymmetric_keys/signature.c +++ b/crypto/asymmetric_keys/signature.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include "asymmetric_keys.h" @@ -153,6 +154,9 @@ int verify_signature(const struct key *key, ret = subtype->verify_signature(key, sig); + if (!ret) + ret = security_key_verify_signature(key, sig); + pr_devel("<==%s() = %d\n", __func__, ret); return ret; } diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index f804b76cde44..6534af90d8db 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -409,6 +409,8 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, struct key *key, const void *payload, size_t payload_len, unsigned long flags, bool create) +LSM_HOOK(int, 0, key_verify_signature, const struct key *key, + const struct public_key_signature *sig) #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT diff --git a/include/linux/security.h b/include/linux/security.h index 21cf70346b33..c5474e9260e0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -63,6 +63,7 @@ enum fs_value_type; struct watch; struct watch_notification; struct lsm_ctx; +struct public_key_signature; /* Default (no) options for the capable function */ #define CAP_OPT_NONE 0x0 @@ -2009,6 +2010,7 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, const void *payload, size_t payload_len, unsigned long flags, bool create); +int security_key_verify_signature(const struct key *key, const struct public_key_signature *sig); #else static inline int security_key_alloc(struct key *key, 
@@ -2043,6 +2045,11 @@ static inline void security_key_post_create_or_update(struct key *keyring, bool create) { } +static inline int security_key_verify_signature(const struct key *key, + const struct public_key_signature *sig) +{ + return 0; +} #endif #endif /* CONFIG_KEYS */ diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index 33d8c9f4aa6b..3a60c4ff5186 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h @@ -64,6 +64,7 @@ struct lsm_ctx { #define LSM_ID_LANDLOCK 110 #define LSM_ID_IMA 111 #define LSM_ID_EVM 112 +#define LSM_ID_CLAVIS 113 /* * LSM_ATTR_XXX definitions identify different LSM attributes diff --git a/security/Kconfig b/security/Kconfig index b9ad8e580b96..7df8b2a4941f 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -232,11 +232,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" + default "clavis,landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK + default "clavis,landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR + default "clavis,landlock,lockdown,yama,loadpin,safesetid,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO + default "clavis,landlock,lockdown,yama,loadpin,safesetid,bpf" if DEFAULT_SECURITY_DAC + default "clavis,landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,bpf" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list, except for those with order 
diff --git a/security/clavis/Makefile b/security/clavis/Makefile index 2b2b3bc8eef4..441c70c6b78a 100644 --- a/security/clavis/Makefile +++ b/security/clavis/Makefile @@ -1,6 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o +obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o ifeq ($(CONFIG_EFI),y) obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o endif diff --git a/security/clavis/clavis.c b/security/clavis/clavis.c new file mode 100644 index 000000000000..040337dbd8d9 --- /dev/null +++ b/security/clavis/clavis.c @@ -0,0 +1,25 @@ +// SPDX-License-Identifier: GPL-2.0 +// +#include +#include +#include "clavis.h" + +static struct security_hook_list clavis_hooks[] __ro_after_init = { + LSM_HOOK_INIT(key_verify_signature, clavis_sig_verify), +}; + +const struct lsm_id clavis_lsmid = { + .name = "clavis", + .id = LSM_ID_CLAVIS, +}; + +static int __init clavis_lsm_init(void) +{ + security_add_hooks(clavis_hooks, ARRAY_SIZE(clavis_hooks), &clavis_lsmid); + return 0; +}; + +DEFINE_LSM(clavis) = { + .name = "clavis", + .init = clavis_lsm_init, +}; diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h index 708dd0b1cc76..2a2fe2525c7c 100644 --- a/security/clavis/clavis.h +++ b/security/clavis/clavis.h @@ -2,6 +2,8 @@ #ifndef _SECURITY_CLAVIS_H_ #define _SECURITY_CLAVIS_H_ +struct key; +struct public_key_signature; struct asymmetric_key_id; #ifdef CONFIG_EFI @@ -13,4 +15,6 @@ static inline int __init clavis_efi_param(struct asymmetric_key_id *kid, int len } #endif +int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig); + #endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 9b3db299acef..736bdadd9000 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c 
@@ -13,6 +13,7 @@ static struct key *clavis_keyring; static struct asymmetric_key_id *setup_keyid; +static int clavis_init; #define MAX_ASCII_KID 64 #define MAX_BIN_KID 32 
@@ -228,4 +229,86 @@ void __init late_init_clavis_setup(void) clavis_keyring_init(); system_key_link(clavis_keyring, keyid); + clavis_init = true; +} + +int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig) +{ + const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); + const struct asymmetric_key_subtype *subtype; + const struct asymmetric_key_id *newkid; + char *buf_ptr, *ptr; + key_ref_t ref; + int i, buf_len; + + if (!clavis_init) + return 0; + + if (key->type != &key_type_asymmetric) + return -EKEYREJECTED; + subtype = asymmetric_key_subtype(key); + if (!subtype || !key->payload.data[0]) + return -EKEYREJECTED; + if (!subtype->verify_signature) + return -EKEYREJECTED; + + /* Allow sig validation when not using a system keyring */ + if (!test_bit(PKS_USAGE_SET, &sig->usage_flags)) + return 0; + + if (test_bit(KEY_FLAG_BUILTIN, &key->flags) && sig->usage == VERIFYING_MODULE_SIGNATURE) + return 0; + + if (test_bit(KEY_FLAG_BUILTIN, &key->flags) && sig->usage == VERIFYING_KEXEC_PE_SIGNATURE) + return 0; + + /* The previous sig validation is enough to get on the clavis keyring */ + if (sig->usage == VERIFYING_CLAVIS_SIGNATURE) + return 0; + + if (test_bit(PKS_REVOCATION_PASS, &sig->usage_flags)) + return 0; + + for (i = 0, buf_len = 0; i < 3; i++) { + if (kids->id[i]) { + newkid = (struct asymmetric_key_id *)kids->id[i]; + if (newkid->len > buf_len) + buf_len = newkid->len; + } + } + + if (!buf_len) + return -EKEYREJECTED; + + /* Allocate enough space for the conversion to ascii plus the header. 
*/ + buf_ptr = kmalloc(buf_len * 2 + 4, GFP_KERNEL | __GFP_ZERO); + + if (!buf_ptr) + return -ENOMEM; + + for (i = 0; i < 3; i++) { + if (kids->id[i]) { + newkid = (struct asymmetric_key_id *)kids->id[i]; + if (!newkid->len) + continue; + + ptr = buf_ptr; + ptr = bin2hex(ptr, &sig->usage, 1); + *ptr++ = ':'; + ptr = bin2hex(ptr, newkid->data, newkid->len); + *ptr = 0; + ref = keyring_search(make_key_ref(clavis_keyring, true), &clavis_key_acl, + buf_ptr, false); + + if (!IS_ERR(ref)) + break; + } + } + + kfree(buf_ptr); + + if (IS_ERR(ref)) + return -EKEYREJECTED; + + return 0; } diff --git a/security/security.c b/security/security.c index e5da848c50b9..bd2e13a8f01b 100644 --- a/security/security.c +++ b/security/security.c @@ -51,7 +51,8 @@ (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0) + \ (IS_ENABLED(CONFIG_SECURITY_LANDLOCK) ? 1 : 0) + \ (IS_ENABLED(CONFIG_IMA) ? 1 : 0) + \ - (IS_ENABLED(CONFIG_EVM) ? 1 : 0)) + (IS_ENABLED(CONFIG_EVM) ? 1 : 0) + \ + (IS_ENABLED(CONFIG_SECURITY_CLAVIS) ? 1 : 0)) /* * These are descriptions of the reasons that can be passed to the @@ -5323,6 +5324,19 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, call_void_hook(key_post_create_or_update, keyring, key, payload, payload_len, flags, create); } + +/** + * security_key_verify_signature - verify signature + * @key: key + * @sig: signature + * + * See whether signature verification is allowed based on the ACL for + * key usage. + */ +int security_key_verify_signature(const struct key *key, const struct public_key_signature *sig) +{ + return call_int_hook(key_verify_signature, key, sig); +} #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT
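Review bot: in Documentation/admin-guide/LSM/clavis.rst, the shell example under "How to create a signing key" reads `cat < clavis-lsm.genkey` yet ends with an `EOF` terminator, so as shown it reads a file that does not exist yet instead of writing the config; the here-document redirection is missing from that line. The pipeline under "How to get the Subject Key Identifier" prints the identifier upper-case with leading whitespace (OpenSSL's `-ext` output is `4A:00:AB:…`, and `cut -f2 -d '='` is a no-op on a line with no `=`), while the `echo "00:17eb…"` examples and the kernel-side lookup are lower-case and matched verbatim; lower-case and trim it (e.g. `| tr -d ': ' | tr 'A-F' 'a-f'`) and state that ACL entries must be lower-case. Typos to fix: "There is two exceptions" (There are), "a system keyring call .clavis" and "A new key type call" (called), "that is use to validate" (used), "the .clavis kerying" (keyring). The sentence "all system keys are prohibited from being used until an ACL is added for them" also needs qualifying, since clavis_sig_verify() returns 0 for any signature whose PKS_USAGE_SET flag is not set.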
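Review bot: in crypto/asymmetric_keys/signature.c the policy decision is taken only after subtype->verify_signature() has succeeded, so the full asymmetric operation runs even for a key the ACL will reject; calling security_key_verify_signature() first and only running the crypto when it returns 0 makes a denial cheaper and keeps the policy check independent of the crypto result. This is also the only call site of the new hook, so any usage from the clavis.rst table that is checked without going through verify_signature() (the table lists VERIFYING_KEY_SELF_SIGNATURE as 04) is not covered by it; the documentation should say which of the six listed usages this path actually enforces.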
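Review bot: in security/clavis/clavis.c there is a stray semicolon after the closing brace of clavis_lsm_init() (`return 0; };`), which is an empty declaration at file scope and will draw a warning with -Wpedantic; drop it. `const struct lsm_id clavis_lsmid` is not declared in any header and is only referenced in this file, so it should be `static` (sparse will otherwise ask for it).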
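Review bot: in clavis_sig_verify() in security/clavis/clavis_keyring.c, `bin2hex(ptr, &sig->usage, 1)` hex-encodes the first byte in memory of an enum; that is the low byte of sig->usage on little-endian hosts but the zero high byte on big-endian ones, where every usage would be looked up as "00:<kid>" and a single module-signing ACL entry would authorise all usages. Narrow it first (`u8 usage = sig->usage;` then `bin2hex(ptr, &usage, 1)`) or format with `"%02x"`. Two further points in the same hunk: `if (!test_bit(PKS_USAGE_SET, &sig->usage_flags)) return 0;` makes the check fail open for any caller that does not tag its signature, and the comment above it ("Allow sig validation when not using a system keyring") describes a different condition from the one tested; either list which callers set the flag or default to deny for keys on the system keyrings. `static int clavis_init` is assigned `true` and should be a `bool`, and `kmalloc(..., GFP_KERNEL | __GFP_ZERO)` is kzalloc().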
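The ACL description format that clavis.rst above defines ("XX:YYYY…", a usage byte as two hex digits, a colon, an even number of hex digits for the key id) is small enough to model in full. The following is an added example and not code from the clavis series or the kernel: a userspace C model of the parsing done by key_acl_vet_description(), of the lookup string that clavis_sig_verify() builds, and of the verbatim description match that keyring_search() performs on .clavis. It assumes the six usage codes listed in the documentation table; the function names clavis_acl_parse, clavis_acl_lookup_desc and clavis_acl_allows are this example's own, and the ACL entries and module key id are constructed from the documentation's example.

```c
/* Added example, not code from the clavis series or the kernel: a userspace
 * model of the clavis_key_acl description "XX:YYYY..." (usage byte as two hex
 * digits, a colon, an even number of hex digits for the key id), with the
 * stricter checks raised in review: even length, lower-case, known usage. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ASCII_KID 64
#define MAX_BIN_KID 32
#define CLAVIS_USAGE_MAX 0x05 /* VERIFYING_UNSPECIFIED_SIGNATURE in the doc table */

/* Lower-case only: the kernel builds its lookup string with bin2hex(), which
 * emits lower-case, and keyring descriptions are compared byte for byte. */
static int hexval(char c)
{
	return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse an ACL description. Returns the usage code (0..5) on success and -1
 * if malformed; kid_out (MAX_BIN_KID bytes) receives the key id unless NULL. */
int clavis_acl_parse(const char *desc, uint8_t *kid_out)
{
	size_t len = strlen(desc), hex_len, i;
	int hi, lo, usage;

	if (len < 5 || len > MAX_ASCII_KID + 3 || desc[2] != ':')
		return -1;
	hex_len = len - 3;
	if (hex_len & 1) /* odd length: the kernel check silently truncates it */
		return -1;
	hi = hexval(desc[0]); lo = hexval(desc[1]);
	if (hi < 0 || lo < 0)
		return -1;
	usage = (hi << 4) | lo;
	if (usage > CLAVIS_USAGE_MAX)
		return -1;
	for (i = 0; i < hex_len / 2; i++) {
		hi = hexval(desc[3 + 2 * i]); lo = hexval(desc[4 + 2 * i]);
		if (hi < 0 || lo < 0)
			return -1;
		if (kid_out)
			kid_out[i] = (uint8_t)((hi << 4) | lo);
	}
	return usage;
}

/* Build the string the kernel searches .clavis for. The usage is narrowed to
 * one byte first, so the result is the same on big- and little-endian hosts
 * (bin2hex(&sig->usage, 1) on an enum is not). Returns length or -1. */
int clavis_acl_lookup_desc(unsigned int usage, const uint8_t *kid,
			   size_t kid_len, char *buf, size_t buf_len)
{
	static const char hex[] = "0123456789abcdef";
	uint8_t u = (uint8_t)usage;
	size_t i, n = 0;

	if (kid_len == 0 || kid_len > MAX_BIN_KID || buf_len < kid_len * 2 + 4)
		return -1;
	buf[n++] = hex[u >> 4]; buf[n++] = hex[u & 0xf]; buf[n++] = ':';
	for (i = 0; i < kid_len; i++) {
		buf[n++] = hex[kid[i] >> 4];
		buf[n++] = hex[kid[i] & 0xf];
	}
	buf[n] = '\0';
	return (int)n;
}

/* Emulate keyring_search() on .clavis: an entry authorises a (usage, key id)
 * pair only if its description is byte-identical to the lookup string. */
int clavis_acl_allows(const char *const *acl, size_t n_acl, unsigned int usage,
		      const uint8_t *kid, size_t kid_len)
{
	char want[MAX_ASCII_KID + 4];
	size_t i;

	if (clavis_acl_lookup_desc(usage, kid, kid_len, want, sizeof(want)) < 0)
		return 0;
	for (i = 0; i < n_acl; i++)
		if (strcmp(acl[i], want) == 0)
			return 1;
	return 0;
}

/* Constructed sample: the two ACL entries and the module key id from clavis.rst. */
const char *const sample_acl[] = {
	"00:17eb8c5bf766364be094c577625213700add9471", /* module signing */
	"02:b360d113c848ace3f1e6a80060b43d1206f0487d", /* kexec PE signing */
};
const uint8_t sample_module_kid[20] = {
	0x17, 0xeb, 0x8c, 0x5b, 0xf7, 0x66, 0x36, 0x4b, 0xe0, 0x94,
	0xc5, 0x77, 0x62, 0x52, 0x13, 0x70, 0x0a, 0xdd, 0x94, 0x71,
};

int main(void)
{
	printf("module key: modules=%d kexec=%d\n",
	       clavis_acl_allows(sample_acl, 2, 0x00, sample_module_kid, 20),
	       clavis_acl_allows(sample_acl, 2, 0x02, sample_module_kid, 20));
	return 0;
}
```

The two differences from the in-kernel code are deliberate: the parser rejects odd lengths and upper-case hex instead of truncating or accepting an entry that can never match, and the lookup string narrows the usage to one byte before encoding so the same ACL file means the same thing on every architecture.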