From patchwork Thu Oct 17 15:55:04 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13840301
X-Patchwork-Delegate: paul@paul-moore.com
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 01/13] certs: Remove CONFIG_INTEGRITY_PLATFORM_KEYRING check
Date: Thu, 17 Oct 2024 09:55:04 -0600
Message-ID: <20241017155516.2582369-2-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.45.0
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this pattern does not need to be repeated with new code.

Signed-off-by: Eric Snowberg
---
certs/system_keyring.c | 6 ------
1 file changed, 6 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..e344cee10d28 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys; #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING static struct key *machine_trusted_keys; #endif -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING static struct key *platform_trusted_keys; -#endif extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size;
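Review bot: The commit message should state why dropping the #ifdef around "static struct key *platform_trusted_keys;" is safe: the setter stays under CONFIG_INTEGRITY_PLATFORM_KEYRING (the "#endif" directly after "platform_trusted_keys = keyring;" is visible at the top of the next patch's hunk), so when that option is off the static is never assigned and remains NULL from zero-initialisation. Every later unconditional use of the pointer relies on that NULL, and saying so here spares reviewers from having to confirm that nothing else writes the variable.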
@@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len, trusted_keys = builtin_trusted_keys; #endif } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) { -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING trusted_keys = platform_trusted_keys; -#else - trusted_keys = NULL; -#endif if (!trusted_keys) { ret = -ENOKEY; pr_devel("PKCS#7 platform keyring is not available\n");
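Review bot: Removing the "-#else - trusted_keys = NULL; -#endif" fallback preserves behaviour only because platform_trusted_keys is now an always-present static that is NULL when the platform keyring is not built in; the retained "if (!trusted_keys) { ret = -ENOKEY;" check then returns the same -ENOKEY as before. That reasoning belongs in the commit message, and note that the pr_devel text "PKCS#7 platform keyring is not available" now covers two distinct cases, the option being disabled and the keyring not yet having been registered.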
From patchwork Thu Oct 17 15:55:05 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13840265
X-Patchwork-Delegate: paul@paul-moore.com
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 02/13] certs: Introduce ability to link to a system key
Date: Thu, 17 Oct 2024 09:55:05 -0600
Message-ID: <20241017155516.2582369-3-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.45.0
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
Introduce system_key_link(), a new function to allow a keyring to link to a key contained within one of the system keyrings (builtin, secondary, or platform). Depending on how the kernel is built, if the machine keyring is available, it will be checked as well, since it is linked to the secondary keyring. If the asymmetric key id matches a key within one of these system keyrings, the matching key is linked into the passed in keyring.

Signed-off-by: Eric Snowberg
---
certs/system_keyring.c | 30 ++++++++++++++++++++++++++++++
include/keys/system_keyring.h | 7 ++++++-
2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e344cee10d28..4abee7514442 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -20,6 +20,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; +#define system_trusted_keys secondary_trusted_keys +#else +#define system_trusted_keys builtin_trusted_keys #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING static struct key *machine_trusted_keys;
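Review bot: The new "#define system_trusted_keys secondary_trusted_keys" means that with CONFIG_SECONDARY_TRUSTED_KEYRING set, system_key_link() searches only the secondary keyring, yet its docblock in the next hunk says the builtin keyring is always included. That holds only if the builtin keyring is linked into the secondary one and the search recurses through linked keyrings (the commit message states the same relationship for the machine keyring), so a one-line comment at the macro making that dependency explicit would help, and a static inline helper would be easier to follow than a macro that renames a variable.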
@@ -420,3 +423,30 @@ void __init set_platform_trusted_keys(struct key *keyring) platform_trusted_keys = keyring; } #endif + +/** + * system_key_link - Link to a system key + * @keyring: The keyring to link into + * @id: The asymmetric key id to look for in the system keyring + * + * Search the system keyrings to see if one of them contains a matching "id". + * If there is a match, link the key into "keyring". System keyrings always + * includes the builtin. If any of the following keyrings are enabled: + * secondary, machine, and platform they are searched as well. + */ +int system_key_link(struct key *keyring, struct asymmetric_key_id *id) +{ + struct key *key; + + key = find_asymmetric_key(system_trusted_keys, id, NULL, NULL, false); + if (!IS_ERR(key)) + return key_link(keyring, key); + + if (platform_trusted_keys) { + key = find_asymmetric_key(platform_trusted_keys, id, NULL, NULL, false); + if (!IS_ERR(key)) + return key_link(keyring, key); + } + + return -ENOKEY; +} diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 8365adf842ef..b47ac8e2001a 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -9,6 +9,7 @@ #define _KEYS_SYSTEM_KEYRING_H #include +struct asymmetric_key_id; enum blacklist_hash_type { /* TBSCertificate hash */ @@ -28,7 +29,7 @@ int restrict_link_by_digsig_builtin(struct key *dest_keyring, const union key_payload *payload, struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); - +extern int system_key_link(struct key *keyring, struct asymmetric_key_id *id); #else #define restrict_link_by_builtin_trusted restrict_link_reject #define restrict_link_by_digsig_builtin restrict_link_reject 
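Review bot: Both "return key_link(keyring, key);" paths in system_key_link() leak a key reference: find_asymmetric_key() hands back the matched key with a reference held and key_link() takes its own, so the reference from the search is never released. Use "ret = key_link(keyring, key); key_put(key); return ret;" on both paths. Two smaller points in the same hunk: an error from the first find_asymmetric_key() call other than -ENOKEY is silently discarded by falling through to the platform search and the final "return -ENOKEY;", which should be deliberate if kept; and the docblock sentence "System keyrings always includes the builtin" should read "include".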
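Review bot: In the include/keys/system_keyring.h hunk at "@@ -28,7 +29,7 @@", the "- +extern int system_key_link(...)" replacement removes the blank line that separated the declarations from "#else"; keep the blank line and place the new declaration above it so the block stays readable.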
@@ -38,6 +39,10 @@ static inline __init int load_module_cert(struct key *keyring) return 0; } +static inline int system_key_link(struct key *keyring, struct asymmetric_key_id *id) +{ + return 0; +} #endif #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
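Review bot: The stub "static inline int system_key_link(...) { return 0; }" fails open: in the configuration with no system keyring it reports success, while the real function returns -ENOKEY when no key matches, so a caller that tests for 0 will proceed as though a system key had been linked when nothing was. The same "#else" branch already maps the restrict_link_* helpers to restrict_link_reject; return -ENOKEY here for the same fail-closed behaviour, unless callers are meant to treat the no-keyring case as a silent no-op, in which case the docblock should say so.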
From patchwork Thu Oct 17 15:55:06 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13840258
X-Patchwork-Delegate: paul@paul-moore.com
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 03/13] clavis: Introduce a new system keyring called clavis
Date: Thu, 17 Oct 2024 09:55:06 -0600
Message-ID: <20241017155516.2582369-4-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>

Introduce a new system keyring called clavis. This keyring shall contain a single asymmetric key. This key may be linked to a key already contained in one of the system keyrings (builtin, secondary, or platform). One way to add this key into this keyring is during boot by passing in the asymmetric key id within the new "clavis=" boot param. If a matching key is found in one of the system keyrings, a link shall be created. This keyring will be used in the future by the new Clavis LSM.
Signed-off-by: Eric Snowberg --- .../admin-guide/kernel-parameters.txt | 6 + include/linux/integrity.h | 8 ++ security/Kconfig | 1 + security/Makefile | 1 + security/clavis/Kconfig | 11 ++ security/clavis/Makefile | 3 + security/clavis/clavis.h | 13 ++ security/clavis/clavis_keyring.c | 115 ++++++++++++++++++ security/integrity/iint.c | 2 + 9 files changed, 160 insertions(+) create mode 100644 security/clavis/Kconfig create mode 100644 security/clavis/Makefile create mode 100644 security/clavis/clavis.h create mode 100644 security/clavis/clavis_keyring.c diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 1518343bbe22..d71397e7d254 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -645,6 +645,12 @@ cio_ignore= [S390] See Documentation/arch/s390/common_io.rst for details. + clavis= [SECURITY,EARLY] + Identifies a specific key contained in one of the system + keyrings (builtin, secondary, or platform) to be used as + the Clavis root of trust. + Format: { } + clearcpuid=X[,X...] [X86] Disable CPUID feature X for the kernel. See arch/x86/include/asm/cpufeatures.h for the valid bit diff --git a/include/linux/integrity.h b/include/linux/integrity.h index f5842372359b..837c52e1d83b 100644 --- a/include/linux/integrity.h +++ b/include/linux/integrity.h @@ -23,6 +23,14 @@ enum integrity_status { #ifdef CONFIG_INTEGRITY extern void __init integrity_load_keys(void); +#ifdef CONFIG_SECURITY_CLAVIS +void __init late_init_clavis_setup(void); +#else +static inline void late_init_clavis_setup(void) +{ +} +#endif + #else static inline void integrity_load_keys(void) { diff --git a/security/Kconfig b/security/Kconfig index 28e685f53bd1..714ec08dda96 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -225,6 +225,7 @@ source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" source "security/ipe/Kconfig" +source "security/clavis/Kconfig" source "security/integrity/Kconfig" diff --git a/security/Makefile b/security/Makefile index cc0982214b84..69576551007a 100644 --- a/security/Makefile +++ b/security/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ obj-$(CONFIG_SECURITY_IPE) += ipe/ +obj-$(CONFIG_SECURITY_CLAVIS) += clavis/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig new file mode 100644 index 000000000000..04f7565f2e2b --- /dev/null +++ b/security/clavis/Kconfig @@ -0,0 +1,11 @@ +config SECURITY_CLAVIS + bool "Clavis keyring" + depends on SECURITY + select SYSTEM_DATA_VERIFICATION + select CRYPTO_SHA256 + help + Enable the clavis keyring. This keyring shall contain a single asymmetric key. + This key shall be linked to a key already contained in one of the system + keyrings (builtin, secondary, or platform). One way to add this key + is during boot by passing in the asymmetric key id within the "clavis=" boot + param. This keyring is required by the Clavis LSM. diff --git a/security/clavis/Makefile b/security/clavis/Makefile new file mode 100644 index 000000000000..16c451f45f37 --- /dev/null +++ b/security/clavis/Makefile @@ -0,0 +1,3 @@ +# SPDX-License-Identifier: GPL-2.0 + +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h new file mode 100644 index 000000000000..5e397b55a60a --- /dev/null +++ b/security/clavis/clavis.h 
@@ -0,0 +1,13 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _SECURITY_CLAVIS_H_ +#define _SECURITY_CLAVIS_H_ +#include + +/* Max length for the asymmetric key id contained on the boot param */ +#define CLAVIS_BIN_KID_MAX 32 + +struct asymmetric_setup_kid { + struct asymmetric_key_id id; + unsigned char data[CLAVIS_BIN_KID_MAX]; +}; +#endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c new file mode 100644 index 000000000000..400ed455a3a2 --- /dev/null +++ b/security/clavis/clavis_keyring.c 
@@ -0,0 +1,115 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include +#include "clavis.h" + +static struct key *clavis_keyring; +static struct asymmetric_key_id *clavis_boot_akid; +static struct asymmetric_setup_kid clavis_setup_akid; +static bool clavis_enforced; + +static bool clavis_acl_enforced(void) +{ + return clavis_enforced; +} +static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_type *type, + const union key_payload *payload, struct key *restrict_key) +{ + /* + * Allow a single asymmetric key into this keyring. This key is used as the + * root of trust for anything added afterwards. + */ + if (type == &key_type_asymmetric && dest_keyring == clavis_keyring && + !clavis_acl_enforced()) { + clavis_enforced = true; + return 0; + } + + return -EOPNOTSUPP; +} + +static struct asymmetric_key_id *clavis_parse_boot_param(char *kid, struct asymmetric_key_id *akid, + int akid_max_len) +{ + int error, hex_len; + + if (!kid) + return 0; + + hex_len = strlen(kid) / 2; + + if (hex_len > akid_max_len) + return 0; + + akid->len = hex_len; + error = hex2bin(akid->data, kid, akid->len); + + if (error < 0) { + pr_err("Unparsable clavis key id\n"); + return 0; + } + + return akid; +} + +static int __init clavis_param(char *kid) +{ + clavis_boot_akid = clavis_parse_boot_param(kid, &clavis_setup_akid.id, + ARRAY_SIZE(clavis_setup_akid.data)); + + return 1; +} + +__setup("clavis=", clavis_param); + +static struct key *clavis_keyring_alloc(const char *desc, struct key_restriction *restriction) +{ + struct key *keyring; + + keyring = keyring_alloc(desc, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | KEY_POS_WRITE | + KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | KEY_USR_WRITE, + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_SET_KEEP, + restriction, NULL); + return keyring; +} + +static struct key_restriction *clavis_restriction_alloc(key_restrict_link_func_t check_func) +{ + struct 
key_restriction *restriction; + + restriction = kzalloc(sizeof(*restriction), GFP_KERNEL); + + if (restriction) + restriction->check = check_func; + + return restriction; +} + +static int __init clavis_keyring_init(void) +{ + struct key_restriction *restriction; + + restriction = clavis_restriction_alloc(restrict_link_for_clavis); + if (!restriction) + panic("Can't allocate clavis keyring restriction\n"); + + clavis_keyring = clavis_keyring_alloc(".clavis", restriction); + if (IS_ERR(clavis_keyring)) + panic("Can't allocate clavis keyring\n"); + + return 0; +} + +void __init late_init_clavis_setup(void) +{ + clavis_keyring_init(); + + if (!clavis_boot_akid) + return; + + system_key_link(clavis_keyring, clavis_boot_akid); +} diff --git a/security/integrity/iint.c b/security/integrity/iint.c index 068ac6c2ae1e..87a8bfc0662f 100644 --- a/security/integrity/iint.c +++ b/security/integrity/iint.c 
@@ -36,6 +36,8 @@ int integrity_kernel_read(struct file *file, loff_t offset, */ void __init integrity_load_keys(void) { + late_init_clavis_setup(); + ima_load_x509(); if (!IS_ENABLED(CONFIG_IMA_LOAD_X509))
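Review bot: The new clavis= entry in Documentation/admin-guide/kernel-parameters.txt does not say what form the value takes or what happens when it matches nothing. From the code it is the hex encoding of the asymmetric key id, at most CLAVIS_BIN_KID_MAX (32) bytes, and a value that matches no key in the builtin, secondary or platform keyrings is silently ignored, leaving .clavis empty; both facts belong in the entry so an administrator can tell a working configuration from a mistyped one.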
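Review bot: In security/clavis/Kconfig, `select CRYPTO_SHA256` has no user anywhere in this patch; if a later patch in the series needs it, move the select there or say in the help text what requires it. The help text also says the key "shall be linked to a key already contained in one of the system keyrings" while the commit message says it "may be"; the two should agree with what restrict_link_for_clavis actually enforces (see the note on clavis_keyring.c).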
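Review bot: late_init_clavis_setup() is declared inside `#ifdef CONFIG_INTEGRITY` in include/linux/integrity.h and is only ever called from integrity_load_keys() in security/integrity/iint.c, yet SECURITY_CLAVIS depends only on SECURITY. With CONFIG_SECURITY_CLAVIS=y and CONFIG_INTEGRITY=n the .clavis keyring is never created, and the `#else` branch of integrity.h offers neither a prototype nor a stub for the function that clavis_keyring.c still defines. Either add `depends on INTEGRITY` to the clavis Kconfig or give clavis its own late_initcall in clavis_keyring.c so that it does not piggy-back on the integrity subsystem's key loading.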
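Review bot: restrict_link_for_clavis() in security/clavis/clavis_keyring.c accepts the first asymmetric key linked into .clavis from any source, while the commit message and Kconfig help describe that key as one already held in the builtin, secondary or platform keyring. Because clavis_keyring_alloc() grants KEY_USR_WRITE and system_key_link()'s return value is ignored in late_init_clavis_setup(), a boot where clavis= is absent, mistyped or unmatched leaves the keyring empty and the first later link from userspace becomes the root of trust; the check should verify the key is already present in one of the system keyrings (or only accept the link made during late_init_clavis_setup()), and a failed system_key_link() should be logged. Two smaller points in the same file: clavis_enforced is set to true inside the restriction callback, before the link has actually completed, so a link that fails after the check passes locks the keyring with no key in it, and the flag should be recorded only after a successful link; and clavis_parse_boot_param() computes `hex_len = strlen(kid) / 2`, so an odd-length value has its last digit dropped and an empty value yields a zero-length id that is still passed to system_key_link(). Reject odd and empty lengths, print an error for the over-length case as is already done for the hex2bin() failure, and return NULL rather than 0 from a function returning a pointer.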
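As an added example (not code from this patch or from the kernel), a userspace model of the clavis= key-id parsing that keeps the 32-byte CLAVIS_BIN_KID_MAX bound but rejects the inputs the patch's strlen()/2 arithmetic silently truncates; struct clavis_kid and hex_nibble() are stand-ins for the kernel's struct asymmetric_key_id and hex2bin(), and the malformed inputs are constructed.

```c
/*
 * Userspace model of "clavis=<hex key id>" parsing (added example, not
 * code from the patch): same 32-byte bound as the kernel side, but every
 * malformed input is rejected with a distinct error instead of being
 * silently truncated.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same bound as CLAVIS_BIN_KID_MAX in security/clavis/clavis.h */
#define CLAVIS_BIN_KID_MAX 32

/* Stand-in for struct asymmetric_key_id plus its backing storage. */
struct clavis_kid {
	unsigned short len;
	unsigned char data[CLAVIS_BIN_KID_MAX];
};

/* Stand-in for the kernel's hex_to_bin(): accepts both cases, -1 on junk. */
static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * Parse the hex key id given on the command line into binary form.
 * Returns 0 on success; -EINVAL for an empty, odd-length or non-hex
 * string (the patch's strlen()/2 would drop a trailing nibble and accept
 * an empty id); -EMSGSIZE when the id would overflow the backing buffer.
 */
int parse_clavis_kid(const char *kid, struct clavis_kid *out)
{
	size_t n, i;

	if (!kid || !out)
		return -EINVAL;
	n = strlen(kid);
	if (n == 0 || (n & 1))
		return -EINVAL;
	if (n / 2 > CLAVIS_BIN_KID_MAX)
		return -EMSGSIZE;

	for (i = 0; i < n; i += 2) {
		int hi = hex_nibble(kid[i]);
		int lo = hex_nibble(kid[i + 1]);

		if (hi < 0 || lo < 0)
			return -EINVAL;
		out->data[i / 2] = (unsigned char)((hi << 4) | lo);
	}
	out->len = (unsigned short)(n / 2);
	return 0;
}

/* Binary length of the parsed id on success, negative errno on failure. */
int parse_clavis_kid_len(const char *kid)
{
	struct clavis_kid id;
	int ret = parse_clavis_kid(kid, &id);

	return ret ? ret : id.len;
}

/* Byte idx of the parsed id, or a negative errno (parse failure / out of range). */
int parse_clavis_kid_byte(const char *kid, unsigned int idx)
{
	struct clavis_kid id;
	int ret = parse_clavis_kid(kid, &id);

	if (ret)
		return ret;
	return idx < id.len ? id.data[idx] : -ERANGE;
}

int main(void)
{
	/* Key id taken from the keyctl example in patch 05/13 of this series. */
	const char *good = "b360d113c848ace3f1e6a80060b43d1206f0487d";
	/* Constructed malformed inputs: empty, odd length, non-hex, 33 bytes. */
	const char *bad[] = {
		"", "abc", "zz00",
		"00112233445566778899aabbccddeeff"
		"00112233445566778899aabbccddeeff00",
	};
	size_t i;

	printf("%s -> %d bytes\n", good, parse_clavis_kid_len(good));
	for (i = 0; i < sizeof(bad) / sizeof(bad[0]); i++)
		printf("\"%s\" -> %d\n", bad[i], parse_clavis_kid_len(bad[i]));
	return 0;
}
```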
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 04/13] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE)
Date: Thu, 17 Oct 2024 09:55:07 -0600
Message-ID: <20241017155516.2582369-5-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>

Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new usage will be used for validating keys added to the new clavis LSM keyring. This will be introduced in a follow-on patch.

Signed-off-by: Eric Snowberg --- crypto/asymmetric_keys/asymmetric_type.c | 1 + crypto/asymmetric_keys/pkcs7_verify.c | 1 + include/linux/verification.h | 2 ++ 3 files changed, 4 insertions(+) diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 43af5fa510c0..d7bf95c77f4a 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c @@ -25,6 +25,7 @@ const char *const key_being_used_for[NR__KEY_BEING_USED_FOR] = { [VERIFYING_KEY_SIGNATURE] = "key sig", [VERIFYING_KEY_SELF_SIGNATURE] = "key self sig", [VERIFYING_UNSPECIFIED_SIGNATURE] = "unspec sig", + [VERIFYING_CLAVIS_SIGNATURE] = "clavis sig", }; EXPORT_SYMBOL_GPL(key_being_used_for); diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index f0d4ff3c20a8..1dc80e68ce96 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -428,6 +428,7 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, } /* Authattr presence checked in parser */ break; + case VERIFYING_CLAVIS_SIGNATURE: case VERIFYING_UNSPECIFIED_SIGNATURE: if (pkcs7->data_type != OID_data) { pr_warn("Invalid unspecified sig (not pkcs7-data)\n"); diff --git a/include/linux/verification.h b/include/linux/verification.h index cb2d47f28091..02d2d70e2324 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h 
@@ -36,6 +36,8 @@ enum key_being_used_for { VERIFYING_KEY_SIGNATURE, VERIFYING_KEY_SELF_SIGNATURE, VERIFYING_UNSPECIFIED_SIGNATURE, + /* Add new entries above, keep VERIFYING_CLAVIS_SIGNATURE at the end. */ + VERIFYING_CLAVIS_SIGNATURE, NR__KEY_BEING_USED_FOR }; extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
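Review bot: In crypto/asymmetric_keys/pkcs7_verify.c the new `case VERIFYING_CLAVIS_SIGNATURE:` shares the VERIFYING_UNSPECIFIED_SIGNATURE path, so a clavis signature over the wrong content type is reported as "Invalid unspecified sig (not pkcs7-data)", which will mislead whoever reads the log. Build the message from key_being_used_for[usage] (this patch adds the "clavis sig" string there) or give the clavis case its own message.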
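Review bot: The comment added to include/linux/verification.h states the constraint ("keep VERIFYING_CLAVIS_SIGNATURE at the end") but not the reason. Since patch 05/13 persists these enum values as the one-byte usage field of a signed clavis_key_acl, the numeric values of the existing entries become an external format: say so in the comment, and make clear that inserting or reordering entries ahead of the existing ones would silently change the meaning of ACLs that have already been signed.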
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 05/13] clavis: Introduce a new key type called clavis_key_acl
Date: Thu, 17 Oct 2024 09:55:08 -0600
Message-ID: <20241017155516.2582369-6-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
jy/pQp395PJexdwz5+rWcbjA7VCBJO/OCJCq5d0+BE3zVL6mqrtfnYWiLyEv585+8KkOH6A8JuydNysdVuwDgnE7ww+j+2v3tyxyF+KgaDsgdHIpJRcmd3IJJFE07NsooC4DfEhTELxpFcUP2vAQw5z62wTviFat9odn/JakJpVfYj8/R+uooGrLacY6dwn+P0kjJBiPBdNHxoCDpBb7p/D5UIA0xREWiv2EiK86rkO+97704q+lv08N6ZE+/xL/0D49Knj6RcLkHNqkEKkb1iZeFInCa8B3iQtk8JXwZ1O71SleY/6HMwrmycPkGga/PUKB+TbNdFy221viaxmnKSRrmxjHVE3mQKQG5Oickr6jEwtMSWHAA5l59Mu4ISmatkcYGmFydKjMijF60tKrZSKRncDTum6JxDNQ1j8peVANOBjbCPsfCdStpUtOg/b6u+RS03BDjKaS2wLgeueBYRiTElLHNip6YFcyyqc+C+iCu9k82jFVdl51FbjjM65G0LAvvaJVdUJGtMxJ24H9NNRl6nq2TbLLVTQLayhz3G7KMOwf1w8kUttleYjkCSEyIs6s1y4S/XoL5nsPXkNkNewOXcwisy4jbMCJTA5c9TSQYv54JDhYmRJpIg2ws1/kbdI6f/YXr6jFCUB/Xx29ZPIOG1J2fjh7arQrXS6/zOLl80xif9cpOFg3Jg4f6qOXKxmf6uvg+2ma0K3zZLdMTsbd+X8JN4lcIEqI92h+GNYNkPoASqFqBVqJuivmDhQ+u01Px3lfkMX9Bs695fxL5h3Ho/LPYGmuCdkTs8oXYM8U/93N/VEZd5gkLWk5Kcf3CAbBabKN0ou7ZZypcPh/w1xRmLCNRb31/0EqGWK39aUPB/fimv0VXHQuNz2uEJqQwxWZRH4DyPnXLkEMFsPUeEz7uGPbyAm0HY7VuTVhtzGpl17YvGzztTKolR/mhHDzrqJwwnj833ky1bk8Qekqj7K6GNJA1hb6GTTGaxCuhKoWziHYRbqTuJ6cLHcztYQVSfbXe3X6VanVC9kauqEEaBwWFH9DuRCePI2AB/1+RGH3S8DTqWkk5JeF36UOaOXCHpysiH3yC2NpzqCs74akK9UPCIgipTvjcX4pB/Rvqj1XcamxPTLEmQsoFqMncr/rWtrYqETkA3U89w5QsXQ6Fp++jMT1edhvcvgliL4kWVzBSojUotQgBsZYO3wURKi2ejrAo1z9uYIUj+c67ZSS4GFYvplO/zTNEsnALMKURBeiuC1fIUWt4QWLm+ugk4i92nxtUqj9Kltzt7uom1Ga8MCNpxpL4DaZ/9vu3+9M7PrhYZ742RE1kjFe+wI68bdx X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH7PR10MB7730.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(7416014)(366016);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 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 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 
Introduce a new key type for keyring access control. The new key type is called clavis_key_acl.
The clavis_key_acl contains the subject key identifier along with the allowed
usage type for the key. The format is as follows:

  XX:YYYYYYYYYYY

  XX - Single byte of the key type
         VERIFYING_MODULE_SIGNATURE       00
         VERIFYING_FIRMWARE_SIGNATURE     01
         VERIFYING_KEXEC_PE_SIGNATURE     02
         VERIFYING_KEY_SIGNATURE          03
         VERIFYING_KEY_SELF_SIGNATURE     04
         VERIFYING_UNSPECIFIED_SIGNATURE  05
  :  - ASCII colon
  YY - Even number of hexadecimal characters representing the key id

This key type will be used in the clavis keyring for access control. To be
added to the clavis keyring, the clavis_key_acl must be S/MIME signed by the
sole asymmetric key contained within it.

Below is an example of how this could be used. Within the example, the key
(b360d113c848ace3f1e6a80060b43d1206f0487d) is already in the machine keyring.
The intended usage for this key is to validate a signed kernel for kexec:

  echo "02:b360d113c848ace3f1e6a80060b43d1206f0487d" > kernel-acl.txt

The next step is to sign it:

  openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in \
    kernel-acl.txt -out kernel-acl.pkcs7 -binary -outform DER \
    -nodetach -noattr

The final step is how to add the acl to the .clavis keyring:

  keyctl padd clavis_key_acl "" %:.clavis < kernel-acl.pkcs7

Afterwards the new clavis_key_acl can be seen in the .clavis keyring:

  keyctl show %:.clavis
  Keyring
   keyring: .clavis
   \_ asymmetric: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8
   \_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d

Signed-off-by: Eric Snowberg
---
 security/clavis/clavis.h         |   1 +
 security/clavis/clavis_keyring.c | 173 +++++++++++++++++++++++++++++++
 2 files changed, 174 insertions(+)

diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h
index 5e397b55a60a..7b55a6050440 100644
--- a/security/clavis/clavis.h
+++ b/security/clavis/clavis.h
@@ -5,6 +5,7 @@ /* Max length for the asymmetric key id contained on the boot param */ #define CLAVIS_BIN_KID_MAX 32 +#define CLAVIS_ASCII_KID_MAX 64 struct asymmetric_setup_kid { struct asymmetric_key_id id; diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 400ed455a3a2..00163e7f0fe9 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c @@ -2,8 +2,12 @@ #include #include +#include #include +#include #include +#include +#include #include "clavis.h" static struct key *clavis_keyring; 
@@ -11,10 +15,173 @@ static struct asymmetric_key_id *clavis_boot_akid; static struct asymmetric_setup_kid clavis_setup_akid; static bool clavis_enforced; +static int pkcs7_preparse_content(void *ctx, const void *data, size_t len, size_t asn1hdrlen) +{ + struct key_preparsed_payload *prep = ctx; + const void *saved_prep_data; + size_t saved_prep_datalen; + char *desc; + int ret, i; + + /* key_acl_free_preparse will free this */ + desc = kmemdup(data, len, GFP_KERNEL); + if (!desc) + return -ENOMEM; + + /* Copy the user supplied contents and remove any white space. */ + for (i = 0; i < len; i++) { + desc[i] = tolower(desc[i]); + if (isspace(desc[i])) + desc[i] = 0; + } + + prep->description = desc; + saved_prep_data = prep->data; + saved_prep_datalen = prep->datalen; + prep->data = desc; + prep->datalen = len; + ret = user_preparse(prep); + prep->data = saved_prep_data; + prep->datalen = saved_prep_datalen; + return ret; +} + +static void key_acl_free_preparse(struct key_preparsed_payload *prep) +{ + kfree(prep->description); + user_free_preparse(prep); +} + +static struct key *clavis_keyring_get(void) +{ + return clavis_keyring; +} + static bool clavis_acl_enforced(void) { return clavis_enforced; } + +static int key_acl_preparse(struct key_preparsed_payload *prep) +{ + /* + * Only allow the description to be set via the pkcs7 data contents. + * The exception to this rule is if the entry was builtin, it will have + * the original_description set. Since we don't have access to the key + * within the preparse step to determine if the entity is builtin, let + * it through now and this will be checked in the instantiate step. 
+ */ + if (prep->orig_description) + return 0; + + return verify_pkcs7_signature(NULL, 0, prep->data, prep->datalen, clavis_keyring_get(), + VERIFYING_CLAVIS_SIGNATURE, pkcs7_preparse_content, + prep); +} + +static int key_acl_instantiate(struct key *key, struct key_preparsed_payload *prep) +{ + /* + * The orig_description may only be used for builtin entities. All + * other entries must have been validated through the pkcs7 signature + * within the preparse stage. + */ + if (prep->orig_description && !(key->flags & (1 << KEY_FLAG_BUILTIN))) + return -EINVAL; + + key->perm = KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | + KEY_USR_VIEW; + set_bit(KEY_FLAG_KEEP, &key->flags); + return generic_key_instantiate(key, prep); +} + +static void key_acl_destroy(struct key *key) +{ + /* It should not be possible to get here */ + pr_info("destroy clavis_key_acl denied\n"); +} + +static void key_acl_revoke(struct key *key) +{ + /* It should not be possible to get here */ + pr_info("revoke clavis_key_acl denied\n"); +} + +static int key_acl_update(struct key *key, struct key_preparsed_payload *prep) +{ + return -EPERM; +} + +static int key_acl_vet_description(const char *desc) +{ + int i, desc_len; + s16 ktype; + + if (!desc) + goto invalid; + + desc_len = sizeof(desc); + + /* + * clavis_acl format: + * xx:yyyy... + * + * xx - Single byte of the key type + * : - Ascii colon + * yyyy.. - Even number of hexadecimal characters representing the keyid + */ + + /* The min clavis acl is 7 characters. */ + if (desc_len < 7) + goto invalid; + + /* Check the first byte is a valid key type. */ + if (sscanf(desc, "%2hx", &ktype) != 1) + goto invalid; + + if (ktype >= VERIFYING_CLAVIS_SIGNATURE) + goto invalid; + + /* Check that there is a colon following the key type */ + if (desc[2] != ':') + goto invalid; + + /* Move past the colon. 
*/ + desc += 3; + + for (i = 0; *desc && i < CLAVIS_ASCII_KID_MAX; desc++, i++) { + /* Check if lowercase hex number */ + if (!isxdigit(*desc) || isupper(*desc)) + goto invalid; + } + + /* Check if the has is greater than CLAVIS_ASCII_KID_MAX. */ + if (*desc) + goto invalid; + + /* Check for even number of hex characters. */ + if (i == 0 || i & 1) + goto invalid; + + return 0; + +invalid: + pr_err("Unparsable clavis key id: %s\n", desc); + return -EINVAL; +} + +static struct key_type clavis_key_acl = { + .name = "clavis_key_acl", + .preparse = key_acl_preparse, + .free_preparse = key_acl_free_preparse, + .instantiate = key_acl_instantiate, + .update = key_acl_update, + .revoke = key_acl_revoke, + .destroy = key_acl_destroy, + .vet_description = key_acl_vet_description, + .read = user_read, +}; + static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *restrict_key) { @@ -28,6 +195,9 @@ static int restrict_link_for_clavis(struct key *dest_keyring, const struct key_t return 0; } + if (type == &clavis_key_acl) + return 0; + return -EOPNOTSUPP; } 
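Review bot: `desc_len = sizeof(desc);` in key_acl_vet_description() is the size of the pointer, not the length of the string, so the "min clavis acl is 7 characters" check never rejects anything; use `strlen(desc)`. That in turn needs a NUL-terminated string, and pkcs7_preparse_content() only gets one by luck: `kmemdup(data, len, GFP_KERNEL)` copies the signed content without a terminator, and termination comes solely from the whitespace-to-0 loop, so content signed without a trailing newline (printf instead of the echo in the changelog) yields an unterminated description that strlen() and the hex loop read past. `kmemdup_nul(data, len, GFP_KERNEL)` covers both. Two smaller points in the same function: the `invalid:` path logs `desc` after it has been advanced past the colon, so the pr_err prints a tail of the key id rather than the rejected description (keep the original pointer for the message), and "Check if the has is greater" should read "key id". Finally, on the built-in path key_acl_preparse() returns before user_preparse() runs, so those keys are instantiated with a NULL payload; `.read = user_read` would dereference it if read permission were ever granted, so either drop `.read` or give built-in entries a payload.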
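Review bot: `if (type == &clavis_key_acl) return 0;` in restrict_link_for_clavis() links any clavis_key_acl without consulting `payload` or `restrict_key`, so the only thing standing between a `keyctl padd` and this keyring is the verify_pkcs7_signature() call in key_acl_preparse() plus the builtin check in key_acl_instantiate(); a comment at this line saying that the signature check in preparse is what gates the link would keep a later change to preparse from silently opening the keyring.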
@@ -93,6 +263,9 @@ static int __init clavis_keyring_init(void) { struct key_restriction *restriction; + if (register_key_type(&clavis_key_acl) < 0) + panic("Can't allocate clavis key type\n"); + restriction = clavis_restriction_alloc(restrict_link_for_clavis); if (!restriction) panic("Can't allocate clavis keyring restriction\n");
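The clavis_key_acl description rules from [RFC PATCH v3 05/13] above, carried out in a stand-alone userspace program. This is an added example, not code from the patch or from the Clavis series: it reproduces the two steps the patch performs in the kernel (normalising the signed PKCS#7 content into a description the way pkcs7_preparse_content() does, then vetting "XX:YYYY..." against the type table, the colon, lowercase hex, the even digit count and the 64-digit limit). The enum values follow the table in the commit message; that VERIFYING_CLAVIS_SIGNATURE is the value after VERIFYING_UNSPECIFIED_SIGNATURE, and therefore the bound the kernel compares against, is an assumption, as are the file and function names.

```c
/*
 * clavis_acl_check.c: userspace model of the clavis_key_acl description rules
 * in [RFC PATCH v3 05/13]. Added example, not code from the patch. The enum
 * follows the commit message table; that VERIFYING_CLAVIS_SIGNATURE is the
 * next value, and the bound the kernel checks against, is an assumption.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CLAVIS_ASCII_KID_MAX 64	/* as in the patch: 64 hex digits, 32 bytes */

enum clavis_usage {
	VERIFYING_MODULE_SIGNATURE,		/* 00 */
	VERIFYING_FIRMWARE_SIGNATURE,		/* 01 */
	VERIFYING_KEXEC_PE_SIGNATURE,		/* 02 */
	VERIFYING_KEY_SIGNATURE,		/* 03 */
	VERIFYING_KEY_SELF_SIGNATURE,		/* 04 */
	VERIFYING_UNSPECIFIED_SIGNATURE,	/* 05 */
	VERIFYING_CLAVIS_SIGNATURE,		/* assumed: first value not valid in an ACL */
};

/*
 * Step 1, what pkcs7_preparse_content() does with the signed content: lower-case
 * it and cut at the first whitespace (the newline `echo` adds). Unlike a bare
 * kmemdup() the copy is always NUL-terminated. Caller frees the result.
 */
char *clavis_acl_description(const void *data, size_t len)
{
	const unsigned char *p = data;
	char *desc = malloc(len + 1);
	size_t n;

	if (!desc)
		return NULL;
	for (n = 0; n < len && !isspace(p[n]); n++)
		desc[n] = (char)tolower(p[n]);
	desc[n] = '\0';
	return desc;
}

/*
 * Step 2, the vet_description rules: "xx:yyyy..." with a type byte below
 * VERIFYING_CLAVIS_SIGNATURE, a colon, then 2..64 lowercase hex digits, an even
 * number of them. Returns 0 or -EINVAL. The length test uses strlen(); the
 * patch's key_acl_vet_description() takes sizeof() of the pointer there.
 */
int clavis_acl_vet(const char *desc, unsigned int *type_out, size_t *kid_len_out)
{
	char tbuf[3] = { 0 };
	unsigned long ktype;
	size_t i;

	if (!desc || strlen(desc) < 7)		/* "xx:yyyy" is the stated minimum */
		return -EINVAL;
	if (!isxdigit((unsigned char)desc[0]) || !isxdigit((unsigned char)desc[1]))
		return -EINVAL;
	memcpy(tbuf, desc, 2);
	ktype = strtoul(tbuf, NULL, 16);	/* like sscanf("%2hx"): either case */
	if (ktype >= VERIFYING_CLAVIS_SIGNATURE)
		return -EINVAL;
	if (desc[2] != ':')
		return -EINVAL;

	for (i = 0; desc[3 + i] != '\0'; i++) {
		unsigned char c = (unsigned char)desc[3 + i];

		if (i >= CLAVIS_ASCII_KID_MAX)	/* longer than any supported key id */
			return -EINVAL;
		if (!isxdigit(c) || isupper(c))	/* lowercase hex only */
			return -EINVAL;
	}
	if (i == 0 || (i & 1))			/* whole bytes only */
		return -EINVAL;

	if (type_out)
		*type_out = (unsigned int)ktype;
	if (kid_len_out)
		*kid_len_out = i;
	return 0;
}

int main(void)
{
	/* Constructed sample: the commit message's kexec ACL as `echo` writes it. */
	static const char content[] = "02:b360d113c848ace3f1e6a80060b43d1206f0487d\n";
	char *desc = clavis_acl_description(content, sizeof(content) - 1);
	unsigned int type = 0;
	int ret = desc ? clavis_acl_vet(desc, &type, NULL) : -ENOMEM;

	printf("%s -> ret %d, usage type %u\n", desc ? desc : "(alloc failed)", ret, type);
	free(desc);
	return ret ? 1 : 0;
}
```

Compile with `cc -o clavis_acl_check clavis_acl_check.c` and run it; the sample content is uppercase-tolerant and newline-tolerant only because step 1 normalises it, which is the same reason the kernel accepts the output of the `echo` in the changelog, and the 64-digit cap is what `CLAVIS_ASCII_KID_MAX` enforces in the patch.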
From patchwork Thu Oct 17 15:55:09 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13840262
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 06/13] clavis: Populate clavis keyring acl with kernel module signature
Date: Thu, 17 Oct 2024 09:55:09 -0600
Message-ID: <20241017155516.2582369-7-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
If the kernel is built with CONFIG_MODULE_SIG_KEY, get the subject key identifier
and add an ACL for it within the .clavis keyring.

Signed-off-by: Eric Snowberg
---
 certs/.gitignore                 |  1 +
 certs/Makefile                   | 20 ++++++++++++++++++++
 certs/clavis_module_acl.c        |  7 +++++++
 security/clavis/clavis.h         |  9 +++++++++
 security/clavis/clavis_keyring.c | 27 +++++++++++++++++++++++++++
 5 files changed, 64 insertions(+)
 create mode 100644 certs/clavis_module_acl.c
diff --git a/certs/.gitignore b/certs/.gitignore index cec5465f31c1..dc99ae5a2585 100644 --- a/certs/.gitignore +++ b/certs/.gitignore @@ -3,3 +3,4 @@ /extract-cert /x509_certificate_list /x509_revocation_list +/module_acl diff --git a/certs/Makefile b/certs/Makefile index f6fa4d8d75e0..f2555e5296f5 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -6,6 +6,7 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o blacklist_hashes.o obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_module_acl.o $(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list CFLAGS_blacklist_hashes.o := -I $(obj) @@ -75,6 +76,25 @@ $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $( targets += signing_key.x509 +ifeq ($(CONFIG_MODULE_SIG_KEY),) +quiet_cmd_make_module_acl = GEN $@ + cmd_make_module_acl = \ + echo > $@ +else +quiet_cmd_make_module_acl = GEN $@ + cmd_make_module_acl = \ + openssl x509 -in $< -inform der -ext subjectKeyIdentifier -nocert | \ + tail -n +2 | cut -f2 -d '='| tr -d ':' | tr '[:upper:]' '[:lower:]' | \ + sed 's/^[ \t]*//; s/.*/"00:&",/' > $@ +endif + +$(obj)/module_acl: $(obj)/signing_key.x509 FORCE + $(call if_changed,make_module_acl) + +$(obj)/clavis_module_acl.o: $(obj)/module_acl + +targets += module_acl + $(obj)/revocation_certificates.o: $(obj)/x509_revocation_list $(obj)/x509_revocation_list: $(CONFIG_SYSTEM_REVOCATION_KEYS) $(obj)/extract-cert FORCE diff --git a/certs/clavis_module_acl.c b/certs/clavis_module_acl.c new file mode 100644 index 000000000000..fc2f694c48f9 --- /dev/null +++ b/certs/clavis_module_acl.c @@ -0,0 +1,7 @@ +// SPDX-License-Identifier: GPL-2.0 +#include + +const char __initconst *const clavis_module_acl[] = { +#include "module_acl" + NULL +}; diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h index 7b55a6050440..92f77a1939ad 100644 --- a/security/clavis/clavis.h 
+++ b/security/clavis/clavis.h @@ -11,4 +11,13 @@ struct asymmetric_setup_kid { struct asymmetric_key_id id; unsigned char data[CLAVIS_BIN_KID_MAX]; }; + +#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING +const char __initconst *const clavis_module_acl[] = { + NULL +}; +#else +extern const char __initconst *const clavis_module_acl[]; +#endif + #endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 00163e7f0fe9..2a18d0e77189 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c @@ -259,6 +259,31 @@ static struct key_restriction *clavis_restriction_alloc(key_restrict_link_func_t return restriction; } +static void clavis_add_acl(const char *const *skid_list, struct key *keyring) +{ + const char *const *acl; + key_ref_t key; + + for (acl = skid_list; *acl; acl++) { + key = key_create(make_key_ref(keyring, true), + "clavis_key_acl", + *acl, + NULL, + 0, + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | KEY_USR_VIEW, + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + if (PTR_ERR(key) == -EEXIST) + pr_info("Duplicate clavis_key_acl %s\n", *acl); + else + pr_info("Problem with clavis_key_acl %s: %pe\n", *acl, key); + } else { + pr_info("Added clavis_key_acl %s\n", *acl); + } + } +} + static int __init clavis_keyring_init(void) { struct key_restriction *restriction; 
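Review bot: the `cmd_make_module_acl` pipeline in the certs/Makefile hunk scrapes openssl's human-readable `-ext subjectKeyIdentifier` output (`tail -n +2 | cut -f2 -d '=' | tr -d ':' ...`), so it is tied to that text layout; and if signing_key.x509 carries no subjectKeyIdentifier extension the pipeline produces nothing, module_acl ends up empty, and the module signing key silently gets no ACL, which only shows up at run time. Have the rule fail when the extracted id is empty (e.g. `[ -s $@ ] || { rm -f $@; exit 1; }` appended to the non-empty-key branch) so a key without an SKID is caught at build time. Minor: the `quiet_cmd_make_module_acl = GEN $@` line is identical in both ifeq branches and can be hoisted above the conditional.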
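Review bot: the fallback `const char __initconst *const clavis_module_acl[] = { NULL };` in the clavis.h hunk is a non-static definition in a header, so it is emitted once per translation unit that includes clavis.h, and its guard (`#ifndef CONFIG_SYSTEM_TRUSTED_KEYRING`) is a different symbol from the one certs/Makefile builds the real array under (`obj-$(CONFIG_SECURITY_CLAVIS) += clavis_module_acl.o`); unless Kconfig, which is not in this excerpt, makes CONFIG_SECURITY_CLAVIS depend on CONFIG_SYSTEM_TRUSTED_KEYRING, a build with the former on and the latter off defines the array twice. Keep only `extern const char __initconst *const clavis_module_acl[];` in the header and put the empty fallback in a .c file under the same condition the Makefile uses.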
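Review bot: the `PTR_ERR(key) == -EEXIST` branch in clavis_add_acl() cannot be taken: because clavis_key_acl defines `.update`, key_create() on an already-present description takes the found_matching_key path into __key_update(), which first demands KEY_NEED_WRITE (the ACL keys grant only KEY_POS_SEARCH|KEY_POS_VIEW|KEY_USR_SEARCH|KEY_USR_VIEW, so this fails with -EACCES) and would otherwise return key_acl_update()'s -EPERM; the core only produces -EEXIST for a type without an update method. Either drop `.update` from clavis_key_acl, after which a duplicate really does come back as -EEXIST, or match the error the core actually returns. Also, a built-in ACL that fails to load means the module signing key has no usage entry at all, which deserves pr_err or pr_warn rather than pr_info.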
@@ -274,6 +299,8 @@ static int __init clavis_keyring_init(void) if (IS_ERR(clavis_keyring)) panic("Can't allocate clavis keyring\n"); + clavis_add_acl(clavis_module_acl, clavis_keyring); + return 0; }
From patchwork Thu Oct 17 15:55:10 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13840267
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 07/13] keys: Add ability to track intended usage of the public key
Date: Thu, 17 Oct 2024 09:55:10 -0600
Message-ID: <20241017155516.2582369-8-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
Add two new fields in public_key_signature to track the intended usage of the signature. Also add a flag for the revocation pass. During signature validation, two verifications can take place for the same signature: one to see if it verifies against something on the .blacklist keyring and the other to see if it verifies against the supplied keyring. The flag is used to determine which stage the verification is in.

Signed-off-by: Eric Snowberg
---
 certs/blacklist.c                     |  3 +++
 crypto/asymmetric_keys/pkcs7_trust.c  | 20 ++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_verify.c |  4 ++++
 include/crypto/pkcs7.h                |  3 +++
 include/crypto/public_key.h           |  4 ++++
 5 files changed, 34 insertions(+)

diff --git a/certs/blacklist.c b/certs/blacklist.c index 675dd7a8f07a..dd34e56a6362 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "blacklist.h" /*
@@ -289,7 +290,9 @@ int is_key_on_revocation_list(struct pkcs7_message *pkcs7) { int ret; + pkcs7_set_usage_flag(pkcs7, PKS_REVOCATION_PASS); ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + pkcs7_clear_usage_flag(pkcs7, PKS_REVOCATION_PASS); if (ret == 0) return -EKEYREJECTED; diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 9a87c34ed173..64d70eb68864 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -131,6 +131,26 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return 0; } +void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage) +{ + struct pkcs7_signed_info *sinfo; + + for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->sig) + clear_bit(usage, &sinfo->sig->usage_flags); + } +} + +void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage) +{ + struct pkcs7_signed_info *sinfo; + + for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { + if (sinfo->sig) + set_bit(usage, &sinfo->sig->usage_flags); + } +} + /** * pkcs7_validate_trust - Validate PKCS#7 trust chain * @pkcs7: The PKCS#7 certificate to validate diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 1dc80e68ce96..44b8bd0ad4d8 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -455,6 +455,10 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, return ret; } actual_ret = 0; + if (sinfo->sig) { + sinfo->sig->usage = usage; + set_bit(PKS_USAGE_SET, &sinfo->sig->usage_flags); + } } kleave(" = %d", actual_ret); diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..6c3c9061b118 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h 
@@ -32,6 +32,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, struct key *trust_keyring); +extern void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage); +extern void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage); + /* * pkcs7_verify.c */ diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index b7f308977c84..394022b5d856 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h 
@@ -49,6 +49,10 @@ struct public_key_signature { const char *pkey_algo; const char *hash_algo; const char *encoding; + u32 usage; /* Intended usage */ + unsigned long usage_flags; +#define PKS_USAGE_SET 0 +#define PKS_REVOCATION_PASS 1 }; extern void public_key_signature_free(struct public_key_signature *sig);

From patchwork Thu Oct 17 15:55:11 2024
X-Patchwork-Submitter: Eric Snowberg
X-Patchwork-Id: 13840269
X-Patchwork-Delegate: paul@paul-moore.com
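Review bot: the two new exported helpers pkcs7_set_usage_flag() and pkcs7_clear_usage_flag() in the pkcs7_trust.c hunk of 07/13 have no kernel-doc, although pkcs7_validate_trust() directly below them has one; a short comment should state that they walk every signed_info of the message and set or clear one bit of sig->usage_flags, and that callers are expected to pair them around a single pkcs7_validate_trust() call the way is_key_on_revocation_list() does in the blacklist.c hunk. Naming the parameter `bit` or `flag` rather than `usage` would also avoid confusion with the separate sig->usage field the same series adds. Since the bit is state on the parsed message itself, a future caller that returns between the set and the clear would leave PKS_REVOCATION_PASS set for the later trust-keyring pass, so that pairing requirement is worth spelling out.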
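Review bot: in the public_key.h hunk of 07/13 the new field is declared `u32 usage;` while the value stored into it in the pkcs7_verify.c hunk (`sinfo->sig->usage = usage;`) is pkcs7_verify()'s `usage` argument, which is an `enum key_being_used_for`; declaring the field with the enum type documents what it holds and lets the compiler check assignments. The PKS_USAGE_SET and PKS_REVOCATION_PASS defines placed inside the struct body also need a comment saying they are bit numbers in usage_flags for set_bit()/test_bit()/clear_bit(), not mask values, since "Intended usage" on the line above is the only explanation given.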
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 08/13] clavis: Introduce new LSM called clavis
Date: Thu, 17 Oct 2024 09:55:11 -0600
Message-ID: <20241017155516.2582369-9-eric.snowberg@oracle.com>
X-Mailer: git-send-email 2.45.0
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
X-Mailing-List: linux-security-module@vger.kernel.org
Introduce a new LSM called clavis. The motivation behind this LSM is to provide access control for system keys. The access control list is contained within a keyring called .clavis.

During boot, if the clavis= boot arg is supplied with a key id contained within any of the current system keyrings (builtin, secondary, machine, or platform), it shall be used as the root of trust for validating anything that is added to the ACL list.

The first restriction introduced with this LSM is the ability to enforce key usage. The kernel already has a notion of tracking key usage. This LSM adds the ability to enforce this usage based on the system owner's configuration. Each system key may have one or more uses defined within the ACL list. Until an entry is added to the .clavis keyring, no other system key may be used for any other purpose.
Signed-off-by: Eric Snowberg
---
 Documentation/admin-guide/LSM/clavis.rst    | 191 ++++++++++++++++++
 MAINTAINERS                                 |   7 +
 crypto/asymmetric_keys/signature.c          |   4 +
 include/linux/lsm_count.h                   |   8 +-
 include/linux/lsm_hook_defs.h               |   2 +
 include/linux/security.h                    |   7 +
 include/uapi/linux/lsm.h                    |   1 +
 security/Kconfig                            |  10 +-
 security/clavis/Makefile                    |   1 +
 security/clavis/clavis.c                    |  26 +++
 security/clavis/clavis.h                    |   4 +
 security/clavis/clavis_keyring.c            |  78 ++++++-
 security/security.c                         |  13 ++
 .../selftests/lsm/lsm_list_modules_test.c   |   3 +
 14 files changed, 346 insertions(+), 9 deletions(-)
 create mode 100644 Documentation/admin-guide/LSM/clavis.rst
 create mode 100644 security/clavis/clavis.c

diff --git a/Documentation/admin-guide/LSM/clavis.rst b/Documentation/admin-guide/LSM/clavis.rst new file mode 100644 index 000000000000..0e924f638a86 --- /dev/null +++ b/Documentation/admin-guide/LSM/clavis.rst
@@ -0,0 +1,191 @@ +.. SPDX-License-Identifier: GPL-2.0 + +====== +Clavis +====== + +Clavis is a Linux Security Module that provides mandatory access control to +system kernel keys (i.e. builtin, secondary, machine and platform). These +restrictions will prohibit keys from being used for validation. Upon boot, the +Clavis LSM is provided a key id as a boot parameter. This single key is then +used as the root of trust for any access control modifications made going +forward. Access control updates must be signed and validated by this key. + +Clavis has its own keyring. All ACL updates are applied through this keyring. +The update must be signed by the single root of trust key. + +When enabled, all system keys are prohibited from being used until an ACL is +added for them. + +On UEFI platforms, the root of trust key shall survive a kexec. Trying to +defeat or change it from the command line is not allowed. The original boot +parameter is stored in UEFI and will always be referenced following a kexec. + +The Clavis LSM contains a system keyring call .clavis. It contains a single +asymmetric key that is used to validate anything added to it. This key can +be added during boot and must be a preexisting system kernel key. If the +``clavis=`` boot parameter is not used, any asymmetric key the user owns +can be added to enable the LSM. + +The only user space components are OpenSSL and the keyctl utility. A new +key type call ``clavis_key_acl`` is used for ACL updates. Any number of signed +``clavis_key_acl`` entries may be added to the .clavis keyring. The +``clavis_key_acl`` contains the subject key identifier along with the allowed +usage type for the key. + +The format is as follows: + +.. 
code-block:: console + + XX:YYYYYYYYYYY + + XX - Single byte of the key type + VERIFYING_MODULE_SIGNATURE 00 + VERIFYING_FIRMWARE_SIGNATURE 01 + VERIFYING_KEXEC_PE_SIGNATURE 02 + VERIFYING_KEY_SIGNATURE 03 + VERIFYING_KEY_SELF_SIGNATURE 04 + VERIFYING_UNSPECIFIED_SIGNATURE 05 + : - ASCII colon + YY - Even number of hexadecimal characters representing the key id + +The ``clavis_key_acl`` must be S/MIME signed by the sole asymmetric key contained +within the .clavis keyring. + +In the future if new features are added, new key types could be created. + +Usage Examples +============== + +How to create a signing key: +---------------------------- + +.. code-block:: bash + + cat < clavis-lsm.genkey + [ req ] + default_bits = 4096 + distinguished_name = req_distinguished_name + prompt = no + string_mask = utf8only + x509_extensions = v3_ca + [ req_distinguished_name ] + O = TEST + CN = Clavis LSM key + emailAddress = user@example.com + [ v3_ca ] + basicConstraints=CA:TRUE + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid:always,issuer + keyUsage=digitalSignature + EOF + + openssl req -new -x509 -utf8 -sha256 -days 3650 -batch \ + -config clavis-lsm.genkey -outform DER \ + -out clavis-lsm.x509 -keyout clavis-lsm.priv + +How to get the Subject Key Identifier +------------------------------------- + +.. code-block:: bash + + openssl x509 -in ./clavis-lsm.x509 -inform der \ + -ext subjectKeyIdentifier -nocert \ + | tail -n +2 | cut -f2 -d '='| tr -d ':' + 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +How to enroll the signing key into the MOK +------------------------------------------ + +The key must now be added to the machine or platform keyrings. This +indicates the key was added by the system owner. For kernels booted through +shim, a first-stage UEFI boot loader, a key may be added to the machine keyring +by doing: + +.. code-block:: bash + + mokutil --import ./clavis-lsm.x509 + +and then rebooting and enrolling the key through MokManager. 
+ +How to enable the Clavis LSM +---------------------------- + +Add the key id to the ``clavis=`` boot parameter. With the example above the +key id is the subject key identifier: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +Add the following boot parameter: + +.. code-block:: console + + clavis=4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +After booting there will be a single key contained in the .clavis keyring: + +.. code-block:: bash + + keyctl show %:.clavis + Keyring + 254954913 ----swrv 0 0 keyring: .clavis + 301905375 ---lswrv 0 0 \_ asymmetric: TEST: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +The original ``clavis=`` boot parameter will persist across any kexec. Changing it or +removing it has no effect. + + +How to sign an entry to be added to the .clavis keyring: +-------------------------------------------------------- + +In this example we have 3 keys in the machine keyring. Our Clavis LSM key, a +key we want to use for kernel verification and a key we want to use for module +verification. + +.. code-block:: bash + + keyctl show %:.machine + Keyring + 999488265 ---lswrv 0 0 keyring: .machine + 912608009 ---lswrv 0 0 \_ asymmetric: TEST: Module Key: 17eb8c5bf766364be094c577625213700add9471 + 646229664 ---lswrv 0 0 \_ asymmetric: TEST: Kernel Key: b360d113c848ace3f1e6a80060b43d1206f0487d + 1073737099 ---lswrv 0 0 \_ asymmetric: TEST: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + +To update the .clavis kerying ACL list, first create a file containing the +key usage type followed by a colon and the key id that we want to allow to +validate that usage. In the first example we are saying key +17eb8c5bf766364be094c577625213700add9471 is allowed to validate kernel modules. +In the second example we are saying key b360d113c848ace3f1e6a80060b43d1206f0487d +is allowed to validate signed kernels. + +.. 
code-block:: bash + + echo "00:17eb8c5bf766364be094c577625213700add9471" > module-acl.txt + echo "02:b360d113c848ace3f1e6a80060b43d1206f0487d" > kernel-acl.txt + +Now both these files must be signed by the key contained in the .clavis keyring: + +.. code-block:: bash + + openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in module-acl.txt \ + -out module-acl.pkcs7 -binary -outform DER -nodetach -noattr + + openssl smime -sign -signer clavis-lsm.x509 -inkey clavis-lsm.priv -in kernel-acl.txt \ + -out kernel-acl.pkcs7 -binary -outform DER -nodetach -noattr + +Afterwards the ACL list in the clavis keyring can be updated: + +.. code-block:: bash + + keyctl padd clavis_key_acl "" %:.clavis < module-acl.pkcs7 + keyctl padd clavis_key_acl "" %:.clavis < kernel-acl.pkcs7 + + keyctl show %:.clavis + + Keyring + 254954913 ----swrv 0 0 keyring: .clavis + 301905375 ---lswrv 0 0 \_ asymmetric: TEST: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8 + 1013065475 --alswrv 0 0 \_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d + 445581284 --alswrv 0 0 \_ clavis_key_acl: 00:17eb8c5bf766364be094c577625213700add9471 + +Now the 17eb8c5bf766364be094c577625213700add9471 key can be used for +validating kernel modules and the b360d113c848ace3f1e6a80060b43d1206f0487d +key can be used to validate signed kernels. diff --git a/MAINTAINERS b/MAINTAINERS index 7ad507f49324..748ba3f1143e 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -5567,6 +5567,13 @@ F: scripts/Makefile.clang F: scripts/clang-tools/ K: \b(?i:clang|llvm)\b +CLAVIS LINUX SECURITY MODULE +M: Eric Snowberg +L: linux-security-module@vger.kernel.org +S: Maintained +F: Documentation/admin-guide/LSM/clavis.rst +F: security/clavis + CLK API M: Russell King L: linux-clk@vger.kernel.org diff --git a/crypto/asymmetric_keys/signature.c b/crypto/asymmetric_keys/signature.c index 2deff81f8af5..7e3a78650a93 100644 --- a/crypto/asymmetric_keys/signature.c +++ b/crypto/asymmetric_keys/signature.c 
@@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include "asymmetric_keys.h" @@ -153,6 +154,9 @@ int verify_signature(const struct key *key, ret = subtype->verify_signature(key, sig); + if (!ret) + ret = security_key_verify_signature(key, sig); + pr_devel("<==%s() = %d\n", __func__, ret); return ret; } diff --git a/include/linux/lsm_count.h b/include/linux/lsm_count.h index 16eb49761b25..146aba3993d9 100644 --- a/include/linux/lsm_count.h +++ b/include/linux/lsm_count.h @@ -102,6 +102,11 @@ #define IPE_ENABLED #endif +#if IS_ENABLED(CONFIG_SECURITY_CLAVIS) +#define CLAVIS_ENABLED 1, +#else +#define CLAVIS_ENABLED +#endif /* * There is a trailing comma that we need to be accounted for. This is done by * using a skipped argument in __COUNT_LSMS @@ -124,7 +129,8 @@ LANDLOCK_ENABLED \ IMA_ENABLED \ EVM_ENABLED \ - IPE_ENABLED) + IPE_ENABLED \ + CLAVIS_ENABLED) #else diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 9eca013aa5e1..a405122a4657 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -410,6 +410,8 @@ LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) LSM_HOOK(void, LSM_RET_VOID, key_post_create_or_update, struct key *keyring, struct key *key, const void *payload, size_t payload_len, unsigned long flags, bool create) +LSM_HOOK(int, 0, key_verify_signature, const struct key *key, + const struct public_key_signature *sig) #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT diff --git a/include/linux/security.h b/include/linux/security.h index 2ec8f3014757..4439be172a51 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -63,6 +63,7 @@ enum fs_value_type; struct watch; struct watch_notification; struct lsm_ctx; +struct public_key_signature; /* Default (no) options for the capable function */ #define CAP_OPT_NONE 0x0 
@@ -2053,6 +2054,7 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, const void *payload, size_t payload_len, unsigned long flags, bool create); +int security_key_verify_signature(const struct key *key, const struct public_key_signature *sig); #else static inline int security_key_alloc(struct key *key, @@ -2087,6 +2089,11 @@ static inline void security_key_post_create_or_update(struct key *keyring, bool create) { } +static inline int security_key_verify_signature(const struct key *key, + const struct public_key_signature *sig) +{ + return 0; +} #endif #endif /* CONFIG_KEYS */ diff --git a/include/uapi/linux/lsm.h b/include/uapi/linux/lsm.h index 938593dfd5da..a2ef13c71143 100644 --- a/include/uapi/linux/lsm.h +++ b/include/uapi/linux/lsm.h @@ -65,6 +65,7 @@ struct lsm_ctx { #define LSM_ID_IMA 111 #define LSM_ID_EVM 112 #define LSM_ID_IPE 113 +#define LSM_ID_CLAVIS 114 /* * LSM_ATTR_XXX definitions identify different LSM attributes diff --git a/security/Kconfig b/security/Kconfig index 714ec08dda96..90355ddec5c0 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -265,11 +265,11 @@ endchoice config LSM string "Ordered list of enabled LSMs" - default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAULT_SECURITY_SMACK - default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAULT_SECURITY_APPARMOR - default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO - default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC - default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf" + default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf,clavis" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf,clavis" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf,clavis" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf,clavis" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf,clavis" help A comma-separated list of LSMs, in initialization order. Any LSMs left off this list, except for those with order diff --git a/security/clavis/Makefile b/security/clavis/Makefile index 16c451f45f37..a3430dd6bdf9 100644 --- a/security/clavis/Makefile +++ b/security/clavis/Makefile @@ -1,3 +1,4 @@ # SPDX-License-Identifier: GPL-2.0 obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o +obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o diff --git a/security/clavis/clavis.c b/security/clavis/clavis.c new file mode 100644 index 000000000000..21ade9e625dc --- /dev/null +++ b/security/clavis/clavis.c 
@@ -0,0 +1,26 @@ +// SPDX-License-Identifier: GPL-2.0 +// +#include +#include +#include "clavis.h" + +static struct security_hook_list clavis_hooks[] __ro_after_init = { + LSM_HOOK_INIT(key_verify_signature, clavis_sig_verify), +}; + +const struct lsm_id clavis_lsmid = { + .name = "clavis", + .id = LSM_ID_CLAVIS, +}; + +static int __init clavis_lsm_init(void) +{ + clavis_keyring_init(); + security_add_hooks(clavis_hooks, ARRAY_SIZE(clavis_hooks), &clavis_lsmid); + return 0; +}; + +DEFINE_LSM(clavis) = { + .name = "clavis", + .init = clavis_lsm_init, +}; diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h index 92f77a1939ad..b77e4ec8edbe 100644 --- a/security/clavis/clavis.h +++ b/security/clavis/clavis.h @@ -3,6 +3,8 @@ #define _SECURITY_CLAVIS_H_ #include +struct public_key_signature; + /* Max length for the asymmetric key id contained on the boot param */ #define CLAVIS_BIN_KID_MAX 32 #define CLAVIS_ASCII_KID_MAX 64 @@ -20,4 +22,6 @@ const char __initconst *const clavis_module_acl[] = { extern const char __initconst *const clavis_module_acl[]; #endif +int __init clavis_keyring_init(void); +int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig); #endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 2a18d0e77189..1e1fbb54f6be 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c @@ -284,7 +284,7 @@ static void clavis_add_acl(const char *const *skid_list, struct key *keyring) } } -static int __init clavis_keyring_init(void) +int __init clavis_keyring_init(void) { struct key_restriction *restriction; 
@@ -306,10 +306,82 @@ static int __init clavis_keyring_init(void) void __init late_init_clavis_setup(void) { - clavis_keyring_init(); - if (!clavis_boot_akid) return; system_key_link(clavis_keyring, clavis_boot_akid); } + +int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig) +{ + const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); + const struct asymmetric_key_subtype *subtype; + const struct asymmetric_key_id *newkid; + char *buf_ptr, *ptr; + key_ref_t ref; + int i, buf_len; + + if (!clavis_acl_enforced()) + return 0; + if (key->type != &key_type_asymmetric) + return -EKEYREJECTED; + subtype = asymmetric_key_subtype(key); + if (!subtype || !key->payload.data[0]) + return -EKEYREJECTED; + if (!subtype->verify_signature) + return -EKEYREJECTED; + + /* Allow sig validation when not using a system keyring */ + if (!test_bit(PKS_USAGE_SET, &sig->usage_flags)) + return 0; + + /* The previous sig validation is enough to get on the clavis keyring */ + if (sig->usage == VERIFYING_CLAVIS_SIGNATURE) + return 0; + + if (test_bit(PKS_REVOCATION_PASS, &sig->usage_flags)) + return 0; + + for (i = 0, buf_len = 0; i < 3; i++) { + if (kids->id[i]) { + newkid = (struct asymmetric_key_id *)kids->id[i]; + if (newkid->len > buf_len) + buf_len = newkid->len; + } + } + + if (!buf_len) + return -EKEYREJECTED; + + /* Allocate enough space for the conversion to ascii plus the header. 
*/ + buf_ptr = kmalloc(buf_len * 2 + 4, GFP_KERNEL | __GFP_ZERO); + + if (!buf_ptr) + return -ENOMEM; + + for (i = 0; i < 3; i++) { + if (kids->id[i]) { + newkid = (struct asymmetric_key_id *)kids->id[i]; + if (!newkid->len) + continue; + + ptr = buf_ptr; + ptr = bin2hex(ptr, &sig->usage, 1); + *ptr++ = ':'; + ptr = bin2hex(ptr, newkid->data, newkid->len); + *ptr = 0; + ref = keyring_search(make_key_ref(clavis_keyring_get(), true), + &clavis_key_acl, buf_ptr, false); + + if (!IS_ERR(ref)) + break; + } + } + + kfree(buf_ptr); + + if (IS_ERR(ref)) + return -EKEYREJECTED; + + return 0; +} diff --git a/security/security.c b/security/security.c index c5981e558bc2..097f8cedcd36 100644 --- a/security/security.c +++ b/security/security.c @@ -5522,6 +5522,19 @@ void security_key_post_create_or_update(struct key *keyring, struct key *key, call_void_hook(key_post_create_or_update, keyring, key, payload, payload_len, flags, create); } + +/** + * security_key_verify_signature - verify signature + * @key: key + * @sig: signature + * + * See whether signature verification is allowed based on the ACL for + * key usage. + */ +int security_key_verify_signature(const struct key *key, const struct public_key_signature *sig) +{ + return call_int_hook(key_verify_signature, key, sig); +} #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT diff --git a/tools/testing/selftests/lsm/lsm_list_modules_test.c b/tools/testing/selftests/lsm/lsm_list_modules_test.c index 1cc8a977c711..cf292f976ac4 100644 --- a/tools/testing/selftests/lsm/lsm_list_modules_test.c +++ b/tools/testing/selftests/lsm/lsm_list_modules_test.c 
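Review bot: the `keyring_search()` result in `clavis_sig_verify()` is never released: on a match the loop breaks with a live `key_ref_t`, and the function returns 0 without calling `key_ref_put(ref)`, so every successful lookup leaks a reference to the matching ACL key. Add `key_ref_put(ref)` on the success path. Two smaller points in the same function: `bin2hex(ptr, &sig->usage, 1)` hex-encodes the first byte of an `enum`, which is the low byte only on little-endian targets, so copy `sig->usage` into a `u8` before encoding; and initialising `ref` to `ERR_PTR(-ENOKEY)` makes the final `IS_ERR(ref)` check independent of the loop having executed a search.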
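Review bot: the kerneldoc on `security_key_verify_signature()` in security/security.c reads `@key: key` and `@sig: signature` and does not state the return convention; say that @key is the key about to verify @sig, and that 0 permits the verification while a negative error (the LSM above returns -EKEYREJECTED) denies it, since the caller in the public-key verification path has to act on that value.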
@@ -131,6 +131,9 @@ TEST(correct_lsm_list_modules) case LSM_ID_IPE: name = "ipe"; break; + case LSM_ID_CLAVIS: + name = "clavis"; + break; default: name = "INVALID"; break; From patchwork Thu Oct 17 15:55:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 13840266 X-Patchwork-Delegate: paul@paul-moore.com Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 88F451DFE16; Thu, 17 Oct 2024 15:56:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=205.220.177.32 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729180617; cv=fail; b=QFllSi593x7IuH/QU1nYQsXQfhH6ktq50WdQ7RFhwmISGN/IMENv4n5jI6zMyIpy9BdLL6he9p0Kq5SMP3YWpgmiH01P7Walq/jXf/FAuRkrqL1+8Ga0CMlQnTYO9GfDr4e55pGih7iRUGH8tUEcOi0yaQWT0NDgt/0PGomSqQw= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729180617; c=relaxed/simple; bh=PoO0Ac/eDyqjnv12t43kphD28yEuzzr8t58hT5IqhFQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=kM2v4lYbP2eFVoH7OzR5CZt6ggO+kwRNbd3oJ7oUGxOW7Xr8NevfQ1TAKa84FvBQusXWlrnZ5rrFryF/J+6Nt1ongWB5DoL4cjnfq3SkqhqML5N58R3iKU3YDkEIhtg8VzSXX3WpQLTACFF1mTWteU2gof4x+d8RTvMR3CbN9cc= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com; spf=pass smtp.mailfrom=oracle.com; dkim=pass (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b=GBqCpiyb; dkim=pass (1024-bit key) header.d=oracle.onmicrosoft.com header.i=@oracle.onmicrosoft.com header.b=qiXK/IO5; arc=fail smtp.client-ip=205.220.177.32 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com Authentication-Results: 
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 09/13] clavis: Allow user to define acl at build time
Date: Thu, 17 Oct 2024 09:55:12 -0600
Message-ID: <20241017155516.2582369-10-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
Add a new Kconfig
called Security_CLAVIS_ACL_LIST. If set, this option should be the file name of a list of clavis ACL entries. This will be included into a C wrapper to incorporate the acl list into the kernel. The file contents must be in the following format: :. If more than one entry is added, add a carriage return after each entry. Signed-off-by: Eric Snowberg --- security/clavis/.gitignore | 1 + security/clavis/Kconfig | 10 ++++++++++ security/clavis/Makefile | 16 ++++++++++++++++ security/clavis/clavis.h | 2 ++ security/clavis/clavis_builtin_acl.c | 7 +++++++ security/clavis/clavis_keyring.c | 1 + 6 files changed, 37 insertions(+) create mode 100644 security/clavis/.gitignore create mode 100644 security/clavis/clavis_builtin_acl.c diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore new file mode 100644 index 000000000000..c1b60bee049e --- /dev/null +++ b/security/clavis/.gitignore @@ -0,0 +1 @@ +/builtin_acl diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig index 04f7565f2e2b..b702311ec905 100644 --- a/security/clavis/Kconfig +++ b/security/clavis/Kconfig @@ -9,3 +9,13 @@ config SECURITY_CLAVIS keyrings (builtin, secondary, or platform). One way to add this key is during boot by passing in the asymmetric key id within the "clavis=" boot param. This keyring is required by the Clavis LSM. + +config SECURITY_CLAVIS_ACL_LIST + string "Clavis ACL list to preload into the clavis keyring" + depends on SECURITY_CLAVIS + help + If set, this option should be the file name of a list of clavis ACL + entries. This will be included into a C wrapper to incorporate the + acl list into the kernel. The file contents must be in the following + format: :. If more than + one entry is added, add a carriage return after each entry. diff --git a/security/clavis/Makefile b/security/clavis/Makefile index a3430dd6bdf9..082e6d3c0934 100644 --- a/security/clavis/Makefile +++ b/security/clavis/Makefile 
@@ -2,3 +2,19 @@ obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o + +ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),) +quiet_cmd_make_builtin_acl = GEN $@ + cmd_make_builtin_acl = \ + echo > $@ +else +quiet_cmd_make_builtin_acl = GEN $@ + cmd_make_builtin_acl = \ + sed 's/^[ \t]*//; s/.*/"&",/' $< | tr '[:upper:]' '[:lower:]' > $@ +endif + +$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE + $(call if_changed,make_builtin_acl) + +$(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h index b77e4ec8edbe..7099a517b111 100644 --- a/security/clavis/clavis.h +++ b/security/clavis/clavis.h @@ -14,6 +14,8 @@ struct asymmetric_setup_kid { unsigned char data[CLAVIS_BIN_KID_MAX]; }; +extern const char __initconst *const clavis_builtin_acl_list[]; + #ifndef CONFIG_SYSTEM_TRUSTED_KEYRING const char __initconst *const clavis_module_acl[] = { NULL diff --git a/security/clavis/clavis_builtin_acl.c b/security/clavis/clavis_builtin_acl.c new file mode 100644 index 000000000000..c98b6df05413 --- /dev/null +++ b/security/clavis/clavis_builtin_acl.c @@ -0,0 +1,7 @@ +// SPDX-License-Identifier: GPL-2.0 +#include "clavis.h" + +const char __initconst *const clavis_builtin_acl_list[] = { +#include "builtin_acl" + NULL +}; diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 1e1fbb54f6be..a4a95a931b50 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c 
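Review bot: the Makefile's `ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),)` test and the `$(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE` prerequisite use the raw value of a Kconfig `string` option, and in Kbuild such values keep their surrounding double quotes; follow what certs/Makefile does for CONFIG_SYSTEM_TRUSTED_KEYS (compare against `""` and strip the quotes with `$(CONFIG_SECURITY_CLAVIS_ACL_LIST:"%"=%)`) so an unset option takes the empty-file branch and a set one resolves to a real path. Also, `sed 's/^[ \t]*//; s/.*/"&",/'` turns every input line into an entry, so a blank or trailing empty line in the ACL file becomes a `"",` element of `clavis_builtin_acl_list[]`; deleting empty lines (e.g. `/^$/d`) before the wrap avoids handing an empty string to `clavis_add_acl()`.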
@@ -300,6 +300,7 @@ int __init clavis_keyring_init(void) panic("Can't allocate clavis keyring\n"); clavis_add_acl(clavis_module_acl, clavis_keyring); + clavis_add_acl(clavis_builtin_acl_list, clavis_keyring); return 0; } From patchwork Thu Oct 17 15:55:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 13840259 X-Patchwork-Delegate: paul@paul-moore.com Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BAB951DED69; Thu, 17 Oct 2024 15:56:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=205.220.177.32 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729180609; cv=fail; b=cyZmINmNDGqJlmQFO4X/kw3nWu7J/EYDXZoqe8Q3pWFaqDVVoBHnw30mrHnVOXxAGY3G4VCzVEQ42d/PemD0FNRJ09K5Z0wSWm7YLTq/gqO1z48Ck4sz9mfaPAMySKaVehNHPrqJmtJBVGL5iPhvJXgROCmIDPgcoZ44uRbAVXY= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729180609; c=relaxed/simple; bh=mnqIockSMDoXhMbpzrwug+dmIAa0y/oimbOWgfHWlFc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=AQAB2fMQZdz/6CiGZ5GCthp3WUQGPVHaT2HEXBAxpTMxk6sQav09t5aAVbs24YsGxCIi2BpXUuWu7PA0ZUGPJGxfjSKX/LMhsMeTpcSmUcrpdwdygaYgBFimBz+9IK74tpis6JmT/YaKbhc6MlWMKKjqvUEE8KIA0x88FaXLNg8= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com; spf=pass smtp.mailfrom=oracle.com; dkim=pass (2048-bit key) header.d=oracle.com header.i=@oracle.com header.b=CltL2m6i; dkim=pass (1024-bit key) header.d=oracle.onmicrosoft.com header.i=@oracle.onmicrosoft.com header.b=xZrqgWLV; arc=fail smtp.client-ip=205.220.177.32 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) 
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 10/13] efi: Make clavis boot param persist across kexec
Date: Thu, 17 Oct 2024 09:55:13 -0600
Message-ID: <20241017155516.2582369-11-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
Add the ability for the
clavis boot param to persist across kexec. This is done by creating a RT variable before ExitBootServices is called. The new variable is called Clavis with a new GUID 193ccef6-348b-4f1f-a81b-0ea4b899dbf2. This variable does not have NVRAM set, signifying it was created during the Boot Services phase. This variable will persist across a kexec, however it will not persist across a power on reset. This same type of functionality is currently used within EFI shim to mirror MOK variables into the kernel. It is being used here so the clavis boot param can not be changed via kexec. If a different clavis boot param is used, the one stored in the RT variable will be used instead. Enforcement of which boot param to use will be done in a follow on patch. Signed-off-by: Eric Snowberg --- drivers/firmware/efi/Kconfig | 12 +++++++ drivers/firmware/efi/libstub/Makefile | 1 + drivers/firmware/efi/libstub/clavis.c | 33 +++++++++++++++++++ .../firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 2 ++ drivers/firmware/efi/libstub/efistub.h | 8 +++++ drivers/firmware/efi/libstub/x86-stub.c | 2 ++ include/linux/efi.h | 1 + 8 files changed, 61 insertions(+) create mode 100644 drivers/firmware/efi/libstub/clavis.c diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig index 72f2537d90ca..8dcb5326d05d 100644 --- a/drivers/firmware/efi/Kconfig +++ b/drivers/firmware/efi/Kconfig 
@@ -186,6 +186,18 @@ config RESET_ATTACK_MITIGATION have been evicted, since otherwise it will trigger even on clean reboots. +config EARLY_CLAVIS + bool "Early clavis" + depends on EFI_STUB + help + Allow the clavis boot param to persist across kexec. This will create a + variable called Clavis with a 193ccef6-348b-4f1f-a81b-0ea4b899dbf2 GUID. + This variable does not have NVRAM set, signifying it was created during + the Boot Services phase. This variable will persist across a kexec, + however it will not persist across a power on reset. During kexec, if + a different clavis boot param is used, the one stored in the RT variable + will be used instead. + config EFI_RCI2_TABLE bool "EFI Runtime Configuration Interface Table Version 2 Support" depends on X86 || COMPILE_TEST diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index ed4e8ddbe76a..b5243543ccc9 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -86,6 +86,7 @@ lib-$(CONFIG_X86) += x86-stub.o smbios.o lib-$(CONFIG_X86_64) += x86-5lvl.o lib-$(CONFIG_RISCV) += kaslr.o riscv.o riscv-stub.o lib-$(CONFIG_LOONGARCH) += loongarch.o loongarch-stub.o +lib-$(CONFIG_EARLY_CLAVIS) += clavis.o CFLAGS_arm32-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET) diff --git a/drivers/firmware/efi/libstub/clavis.c b/drivers/firmware/efi/libstub/clavis.c new file mode 100644 index 000000000000..3a715e87a13a --- /dev/null +++ b/drivers/firmware/efi/libstub/clavis.c 
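Review bot: `config EARLY_CLAVIS` only `depends on EFI_STUB`; nothing ties it to SECURITY_CLAVIS, so it can be enabled on a kernel with no Clavis LSM to consume the variable, and a SECURITY_CLAVIS kernel can be built without it and silently lose the kexec persistence this patch exists to provide. Consider `depends on SECURITY_CLAVIS` (or defaulting it from that option), and note in the help text that the stored value is only enforced once the follow-on patch mentioned in the commit message lands.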
@@ -0,0 +1,33 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include "efistub.h" + +#define MAX_PARAM_LENGTH 64 +static const efi_char16_t clavis_param_name[] = L"Clavis"; +static const efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID; +static unsigned char param_data[MAX_PARAM_LENGTH]; +static size_t param_len; + +void efi_parse_clavis(char *option) +{ + if (!option) + return; + + param_len = strnlen(option, MAX_PARAM_LENGTH); + memcpy(param_data, option, param_len); +} + +void efi_setup_clavis(void) +{ + efi_status_t error; + + if (param_len) { + error = set_efi_var(clavis_param_name, &clavis_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + param_len, ¶m_data); + } + + if (error) + efi_err("Failed to set Clavis\n"); +} diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index de659f6a815f..3c45eaec325d 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -100,6 +100,8 @@ efi_status_t efi_parse_options(char const *cmdline) } else if (!strcmp(param, "video") && val && strstarts(val, "efifb:")) { efi_parse_option_graphics(val + strlen("efifb:")); + } else if (!strcmp(param, "clavis") && val) { + efi_parse_clavis(val); } } efi_bs_call(free_pool, buf); diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c index 958a680e0660..c15cd0d9e71f 100644 --- a/drivers/firmware/efi/libstub/efi-stub.c +++ b/drivers/firmware/efi/libstub/efi-stub.c @@ -183,6 +183,8 @@ efi_status_t efi_stub_common(efi_handle_t handle, install_memreserve_table(); + efi_setup_clavis(); + status = efi_boot_kernel(handle, image, image_addr, cmdline_ptr); free_screen_info(si); diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index 685098f9626f..ddd51d7f19c3 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h 
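Review bot: in `efi_setup_clavis()` the local `efi_status_t error` is only assigned inside `if (param_len)`, so when no `clavis=` option was parsed the following `if (error)` tests an uninitialised value and may print "Failed to set Clavis" at random; initialise it to EFI_SUCCESS or move the check inside the `if`. Also, `efi_parse_clavis()` uses `strnlen(option, MAX_PARAM_LENGTH)` and so silently truncates an option longer than 64 bytes, which would persist a different key id than the one given on the command line; reject over-long values instead, and since CLAVIS_ASCII_KID_MAX in security/clavis/clavis.h is also 64, consider sharing that constant rather than defining a second one here.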
@@ -1142,6 +1142,14 @@ static inline void efi_enable_reset_attack_mitigation(void) { } #endif +#ifdef CONFIG_EARLY_CLAVIS +void efi_parse_clavis(char *option); +void efi_setup_clavis(void); +#else +static inline void efi_parse_clavis(char *option) { } +static inline void efi_setup_clavis(void) { } +#endif + void efi_retrieve_eventlog(void); struct screen_info *alloc_screen_info(void); diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index f8e465da344d..facec319d978 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -1044,6 +1044,8 @@ void __noreturn efi_stub_entry(efi_handle_t handle, setup_unaccepted_memory(); + efi_setup_clavis(); + status = exit_boot(boot_params, handle); if (status != EFI_SUCCESS) { efi_err("exit_boot() failed!\n"); diff --git a/include/linux/efi.h b/include/linux/efi.h index e28d88066033..a6ab5d30d25c 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h 
@@ -423,6 +423,7 @@ void efi_native_runtime_setup(void); #define LINUX_EFI_UNACCEPTED_MEM_TABLE_GUID EFI_GUID(0xd5d1de3c, 0x105c, 0x44f9, 0x9e, 0xa9, 0xbc, 0xef, 0x98, 0x12, 0x00, 0x31) #define RISCV_EFI_BOOT_PROTOCOL_GUID EFI_GUID(0xccd15fec, 0x6f73, 0x4eec, 0x83, 0x95, 0x3e, 0x69, 0xe4, 0xb9, 0x40, 0xbf) +#define LINUX_EFI_CLAVIS_GUID EFI_GUID(0x193ccef6, 0x348b, 0x4f1f, 0xa8, 0x1b, 0x0e, 0xa4, 0xb8, 0x99, 0xdb, 0xf2) /* * This GUID may be installed onto the kernel image's handle as a NULL protocol From patchwork Thu Oct 17 15:55:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Snowberg X-Patchwork-Id: 13840264 X-Patchwork-Delegate: paul@paul-moore.com Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D92041DF72E; Thu, 17 Oct 2024 15:56:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=205.220.177.32 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729180612; cv=fail; b=TJwfovB0Vc+zBmye480omkYCrMhmN61xwr8/+zkTUDMJuewyK3fWBpjeACMeLx9FT6+mRfcJrPVWm/fKLRE+k6nZltt8GBouoTdgBIHRsJORaG+WeFaqntZqAUx3D4S6nH3x9zCWHcbs8GYXR3jY9hhZT/hO228wO4x4Ft70xSs= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729180612; c=relaxed/simple; bh=x/CcI3fQAAd0veGAxEafJSDwns91EQsfiQZpLj5XPow=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: Content-Type:MIME-Version; b=Slbvaz7DohpDD7RcnO1w5A2CHvZAY/UpBGUxqY9HDxBCt25i7sf77WnDkQSgsXkanuaOiDXFOIaj7o1TXUx9/LZvlf9JxaEoYD1AipQs4jFmuf4LUfVoeEyWRbHnC9Tzm6oSCzMPF5mPdDl97sSZQMUZQSEcycCKRjD8e6nHlKM= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oracle.com; spf=pass smtp.mailfrom=oracle.com; dkim=pass (2048-bit key) 
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 11/13] clavis: Prevent boot param change during kexec
Date: Thu, 17 Oct 2024 09:55:14 -0600
Message-ID: <20241017155516.2582369-12-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
If found, use the new Clavis EFI RT variable to validate the clavis boot param didn't change during a reboot. If the boot param is different or missing, use the one stored in EFI instead. This will prevent a pivot in the root of trust for the upcoming Clavis LSM.

If CONFIG_EARLY_CLAVIS is not enabled, the Clavis EFI RT variable will never be set and therefore not used.

Signed-off-by: Eric Snowberg
---
security/clavis/Makefile | 4 +++
security/clavis/clavis.h | 9 ++++++
security/clavis/clavis_efi.c | 50 ++++++++++++++++++++++++++++++++
security/clavis/clavis_keyring.c | 11 ++++++-
4 files changed, 73 insertions(+), 1 deletion(-)
create mode 100644 security/clavis/clavis_efi.c
diff --git a/security/clavis/Makefile b/security/clavis/Makefile index 082e6d3c0934..af68a44a0cb4 100644 --- a/security/clavis/Makefile +++ b/security/clavis/Makefile
@@ -18,3 +18,7 @@ $(obj)/builtin_acl: $(CONFIG_SECURITY_CLAVIS_ACL_LIST) FORCE $(call if_changed,make_builtin_acl) $(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl + +ifeq ($(CONFIG_EFI),y) +obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o +endif diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h index 7099a517b111..6f68b560311e 100644 --- a/security/clavis/clavis.h +++ b/security/clavis/clavis.h @@ -24,6 +24,15 @@ const char __initconst *const clavis_module_acl[] = { extern const char __initconst *const clavis_module_acl[]; #endif +#ifdef CONFIG_EFI +int clavis_efi_param(struct asymmetric_key_id *kid, int len); +#else +static inline int __init clavis_efi_param(struct asymmetric_key_id *kid, int len) +{ + return -EINVAL; +} +#endif + int __init clavis_keyring_init(void); int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig); #endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_efi.c b/security/clavis/clavis_efi.c new file mode 100644 index 000000000000..0d9c392f4697 --- /dev/null +++ b/security/clavis/clavis_efi.c 
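Review bot: the Makefile hunk builds clavis_efi.o whenever CONFIG_EFI=y, and the clavis.h hunk picks the real clavis_efi_param() on the same CONFIG_EFI test, while the commit message says the variable is only ever written when CONFIG_EARLY_CLAVIS is enabled; with CONFIG_EFI=y and CONFIG_EARLY_CLAVIS=n the kernel still compiles and runs an efi.get_variable() lookup that can never succeed. Gate both the `obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o` line and the `#ifdef CONFIG_EFI` in clavis.h on CONFIG_EARLY_CLAVIS (which already implies EFI via the efistub.h stubs), so the `-EINVAL` inline stub is used in that configuration.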
@@ -0,0 +1,50 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include "clavis.h" + +static efi_char16_t clavis_param_name[] = L"Clavis"; +static efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID; + +int __init clavis_efi_param(struct asymmetric_key_id *kid, int len) +{ + unsigned char buf[64]; + unsigned long ascii_len = sizeof(buf); + efi_status_t error; + int hex_len; + u32 attr; + + if (!efi_enabled(EFI_BOOT)) { + pr_debug("efi_enabled(EFI_BOOT) not set"); + return -EPERM; + } + + if (!efi_enabled(EFI_RUNTIME_SERVICES)) { + pr_debug("%s : EFI runtime services are not enabled\n", __func__); + return -EPERM; + } + + error = efi.get_variable(clavis_param_name, &clavis_guid, &attr, &ascii_len, &buf); + + if (error) { + pr_debug("Error reading clavis parm or not found\n"); + return -EINVAL; + } + + if (attr & EFI_VARIABLE_NON_VOLATILE) { + pr_debug("Error: NV access set\n"); + return -EINVAL; + } else if (ascii_len > 0) { + hex_len = ascii_len / 2; + + if (hex_len > len) { + pr_debug("invalid length\n"); + return -EINVAL; + } + kid->len = hex_len; + return hex2bin(kid->data, buf, kid->len); + } + + pr_debug("Error: invalid size\n"); + return -EINVAL; +} diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index a4a95a931b50..81bfc3ed02a3 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c 
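Review bot: in the clavis_efi.c hunk, an odd ascii_len is silently truncated by `hex_len = ascii_len / 2;`, so a malformed variable decodes with its last nibble dropped instead of being rejected; add `if (ascii_len & 1) return -EINVAL;` ahead of the division so the caller falls back to the boot param. Two smaller points in the same function: `efi.get_variable(..., &ascii_len, &buf)` passes a pointer to the array rather than `buf` (it only compiles because the parameter is `void *`), and the first `pr_debug("efi_enabled(EFI_BOOT) not set")` is missing its trailing newline.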
@@ -307,9 +307,18 @@ int __init clavis_keyring_init(void) void __init late_init_clavis_setup(void) { - if (!clavis_boot_akid) + struct asymmetric_setup_kid efi_keyid; + struct asymmetric_key_id *keyid = &efi_keyid.id; + int error; + + error = clavis_efi_param(keyid, ARRAY_SIZE(efi_keyid.data)); + + if (error && !clavis_boot_akid) return; + if (error) + keyid = clavis_boot_akid; + system_key_link(clavis_keyring, clavis_boot_akid); }
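Review bot: the clavis_keyring.c hunk computes `keyid` but the unchanged call `system_key_link(clavis_keyring, clavis_boot_akid);` still links clavis_boot_akid, so the EFI-stored value is never used, and when the boot param is absent but the EFI variable is present, clavis_boot_akid is NULL and is what gets passed to system_key_link(); the call should be `system_key_link(clavis_keyring, keyid);`. Also, the commit message says the EFI value is used to validate that the boot param did not change, but nothing in the hunk compares the two: a pr_warn() (or audit record) when clavis_boot_akid is present and differs from the EFI copy would make an attempted pivot visible rather than silently overridden.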
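The selection rule the 11/13 commit message above describes, modelled stand-alone as an added example (this is not the patch's code and touches no kernel API): `efi_var_t` stands in for the attributes, data and size that `efi.get_variable()` returns, and `CLAVIS_KID_MAX`, the `clavis_select_kid()` name and the sample values are assumptions made for the example. It goes one step past the patch by also flagging a boot param that differs from the EFI copy, which is the condition the commit message says should be caught.

```c
/*
 * Added example, not code from the Clavis patch series. Models the rule
 * "use the EFI copy of the boot param when present, fall back to the boot
 * param when it is missing or unusable". efi_var_t is a stand-in for what
 * efi.get_variable() returns; the 32-byte cap and the samples are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLAVIS_KID_MAX 32               /* assumed maximum key-id length */
#define EFI_VARIABLE_NON_VOLATILE 0x1u  /* UEFI attribute bit value */

typedef struct {
	uint32_t attr;      /* EFI variable attributes */
	const char *ascii;  /* hex text, as written by the EFI stub */
	size_t ascii_len;   /* bytes of text, no terminator */
} efi_var_t;

typedef struct {
	uint8_t data[CLAVIS_KID_MAX];
	size_t len;
} kid_t;

enum kid_source { KID_NONE = 0, KID_BOOT_PARAM, KID_EFI_VAR };

struct kid_decision {
	enum kid_source source;  /* where the effective key id came from */
	bool mismatch;           /* boot param present but differs from EFI copy */
	kid_t kid;
};

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Decode the variable into a key id. Reject anything that could have been
 * shaped outside the current boot: a non-volatile variable (the stub writes
 * a volatile one), an odd-length or non-hex string, or an oversize value.
 */
static int efi_var_to_kid(const efi_var_t *var, kid_t *out)
{
	if (!var || (var->attr & EFI_VARIABLE_NON_VOLATILE))
		return -1;
	if (var->ascii_len == 0 || (var->ascii_len & 1) ||
	    var->ascii_len / 2 > CLAVIS_KID_MAX)
		return -1;
	for (size_t i = 0; i < var->ascii_len; i += 2) {
		int hi = hexval(var->ascii[i]);
		int lo = hexval(var->ascii[i + 1]);
		if (hi < 0 || lo < 0)
			return -1;
		out->data[i / 2] = (uint8_t)((hi << 4) | lo);
	}
	out->len = var->ascii_len / 2;
	return 0;
}

/* boot may be NULL (no clavis= param); efi may be NULL (variable absent). */
struct kid_decision clavis_select_kid(const kid_t *boot, const efi_var_t *efi)
{
	struct kid_decision d = { .source = KID_NONE, .mismatch = false };
	kid_t from_efi = { { 0 }, 0 };

	if (efi_var_to_kid(efi, &from_efi) == 0) {
		d.source = KID_EFI_VAR;
		d.kid = from_efi;
		/* A differing boot param is the pivot the patch wants to catch. */
		if (boot && (boot->len != from_efi.len ||
			     memcmp(boot->data, from_efi.data, from_efi.len) != 0))
			d.mismatch = true;
		return d;
	}
	if (boot) {
		d.source = KID_BOOT_PARAM;
		d.kid = *boot;
	}
	return d;
}

/* Constructed sample inputs. */
const kid_t sample_boot       = { { 0x01, 0x02, 0xab, 0xcd }, 4 };
const kid_t sample_boot_other = { { 0x01, 0x02, 0xab, 0xce }, 4 };
const efi_var_t sample_var_ok  = { 0, "0102abcd", 8 };
const efi_var_t sample_var_nv  = { EFI_VARIABLE_NON_VOLATILE, "0102abcd", 8 };
const efi_var_t sample_var_odd = { 0, "0102abc", 7 };

int main(void)
{
	static const char *const names[] = { "none", "boot param", "EFI variable" };
	struct kid_decision d = clavis_select_kid(&sample_boot_other, &sample_var_ok);

	printf("source=%s mismatch=%d len=%zu\n", names[d.source], d.mismatch, d.kid.len);
	return 0;
}
```

The non-volatile check mirrors the `attr & EFI_VARIABLE_NON_VOLATILE` test in clavis_efi.c: a value that survives in NVRAM could have been planted from an earlier OS, so only the volatile copy the stub writes during this boot is trusted.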
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 12/13] clavis: Add function redirection for Kunit support
Date: Thu, 17 Oct 2024 09:55:15 -0600
Message-ID: <20241017155516.2582369-13-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
In preparation for Kunit support within Clavis, add function redirection for some of the static functions. Also add KUNIT_STATIC_STUB_REDIRECT to a few functions that will be redirected in the future. This should have no functional change.

Signed-off-by: Eric Snowberg
---
security/clavis/clavis_keyring.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/security/clavis/clavis_keyring.c b/security/clavis/clavis_keyring.c index 81bfc3ed02a3..339af707b612 100644 --- a/security/clavis/clavis_keyring.c +++ b/security/clavis/clavis_keyring.c
@@ -8,6 +8,7 @@ #include #include #include +#include #include "clavis.h" static struct key *clavis_keyring; @@ -46,6 +47,9 @@ static int pkcs7_preparse_content(void *ctx, const void *data, size_t len, size_ return ret; } +int (* const pkcs7_preparse_content_fn_ptr)(void *ctx, const void *data, size_t len, + size_t asn1hdrlen) = pkcs7_preparse_content; + static void key_acl_free_preparse(struct key_preparsed_payload *prep) { kfree(prep->description); @@ -54,16 +58,24 @@ static void key_acl_free_preparse(struct key_preparsed_payload *prep) static struct key *clavis_keyring_get(void) { + KUNIT_STATIC_STUB_REDIRECT(clavis_keyring_get); return clavis_keyring; } +struct key * (* const clavis_keyring_get_fn_ptr)(void) = clavis_keyring_get; + static bool clavis_acl_enforced(void) { + KUNIT_STATIC_STUB_REDIRECT(clavis_acl_enforced); return clavis_enforced; } +bool (* const clavis_acl_enforced_fn_ptr)(void) = clavis_acl_enforced; + static int key_acl_preparse(struct key_preparsed_payload *prep) { + KUNIT_STATIC_STUB_REDIRECT(key_acl_preparse, prep); + /* * Only allow the description to be set via the pkcs7 data contents. * The exception to this rule is if the entry was builtin, it will have @@ -79,6 +91,8 @@ static int key_acl_preparse(struct key_preparsed_payload *prep) prep); } +int (* const key_acl_preparse_fn_ptr)(struct key_preparsed_payload *prep) = key_acl_preparse; + static int key_acl_instantiate(struct key *key, struct key_preparsed_payload *prep) { /* @@ -225,6 +239,10 @@ static struct asymmetric_key_id *clavis_parse_boot_param(char *kid, struct asymm return akid; } +struct asymmetric_key_id * + (* const parse_boot_param_fn_ptr)(char *kid, struct asymmetric_key_id *akid, + int akid_max_len) = clavis_parse_boot_param; + static int __init clavis_param(char *kid) { clavis_boot_akid = clavis_parse_boot_param(kid, &clavis_setup_akid.id, 
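Review bot: the `*_fn_ptr` definitions added in these hunks (pkcs7_preparse_content_fn_ptr, clavis_keyring_get_fn_ptr, clavis_acl_enforced_fn_ptr, key_acl_preparse_fn_ptr, parse_boot_param_fn_ptr) are non-static globals with no prototype in any header, so they will trigger sparse and `W=1` "symbol was not declared, should it be static?" warnings, and they export the addresses of static functions in every build even though they exist only for KUnit, which is at odds with the "no functional change" claim. Declare them in clavis.h and wrap the definitions in `#if IS_ENABLED(CONFIG_KUNIT)` (or use VISIBLE_IF_KUNIT from kunit/visibility.h) so the production build does not carry them.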
@@ -247,6 +265,10 @@ static struct key *clavis_keyring_alloc(const char *desc, struct key_restriction return keyring; } +struct key * + (* const keyring_alloc_fn_ptr)(const char *desc, struct key_restriction *restriction) = + clavis_keyring_alloc; + static struct key_restriction *clavis_restriction_alloc(key_restrict_link_func_t check_func) { struct key_restriction *restriction; @@ -259,6 +281,10 @@ static struct key_restriction *clavis_restriction_alloc(key_restrict_link_func_t return restriction; } +struct key_restriction * + (* const restriction_alloc_fn_ptr)(key_restrict_link_func_t + check_func) = clavis_restriction_alloc; + static void clavis_add_acl(const char *const *skid_list, struct key *keyring) { const char *const *acl; 
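Review bot: the pointer names in these two hunks, keyring_alloc_fn_ptr and restriction_alloc_fn_ptr (and parse_boot_param_fn_ptr in the preceding hunk), drop the clavis_ prefix that clavis_keyring_get_fn_ptr, clavis_acl_enforced_fn_ptr and clavis_add_acl_fn_ptr keep; since these are global symbols, name them uniformly after their targets (clavis_keyring_alloc_fn_ptr, clavis_restriction_alloc_fn_ptr, clavis_parse_boot_param_fn_ptr) to avoid collisions with other subsystems and to make the redirect target obvious from the name.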
@@ -284,6 +310,9 @@ static void clavis_add_acl(const char *const *skid_list, struct key *keyring) } } +void (* const clavis_add_acl_fn_ptr)(const char *const *skid_list, + struct key *keyring) = clavis_add_acl; + int __init clavis_keyring_init(void) { struct key_restriction *restriction;
From: Eric Snowberg
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net, ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com, mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com, eric.snowberg@oracle.com, ebiggers@kernel.org, rdunlap@infradead.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v3 13/13] clavis: Kunit support
Date: Thu, 17 Oct 2024 09:55:16 -0600
Message-ID: <20241017155516.2582369-14-eric.snowberg@oracle.com>
In-Reply-To: <20241017155516.2582369-1-eric.snowberg@oracle.com>
References: <20241017155516.2582369-1-eric.snowberg@oracle.com>
Add Kunit coverage to Clavis. The Makefile will generate multiple test
vectors. All test vectors will end up in the x509.h, acl.h or
signed_data.h file.

The clavis test vectors (ctv) include:

6 different x509 certs. One for each of the different key usage types.
This will be loaded into the machine_kunit keyring.
  ctv_0[x]_x509

1 x509 cert that will be used for revocations:
  ctv_rev_x509

6 different Clavis ACLs. One for each usage type:
  ctv_0[x]_x509_acl

2 different Clavis keys
  ctv_ca0_x509 and ctv_ca1_x509.

12 different PKCS7 signed Clavis ACLs.
6 signed by ctv_ca0: ctv_ca0_0[x]_pkcs7 6 signed by ctv_ca1 ctv_ca1_0[x]_pkcs7 1 signed module (with random data) signed by a key in the module ACL: ctv_module_ca0_signed 1 signed module (with random data) signed by a revoked key: ctv_module_rev_signed 1 Unspecified data that is PKCS7 signed the key unspecified data ACL: ctv_data_05_signed The tests can be enabled through a new Kconfig: SECURITY_CLAVIS_KUNIT_TEST. Run all KUnit tests for Clavis with: ./tools/testing/kunit/kunit.py run --kunitconfig security/clavis The only areas missing are stubbing out EFI and system_key_link. Everything else should be covered with this patch. Signed-off-by: Eric Snowberg --- security/clavis/.gitignore | 1 + security/clavis/.kunitconfig | 4 + security/clavis/Kconfig | 16 + security/clavis/Makefile | 132 ++++++++ security/clavis/clavis.h | 24 ++ security/clavis/clavis_test.c | 566 ++++++++++++++++++++++++++++++++++ 6 files changed, 743 insertions(+) create mode 100644 security/clavis/.kunitconfig create mode 100644 security/clavis/clavis_test.c diff --git a/security/clavis/.gitignore b/security/clavis/.gitignore index c1b60bee049e..2c160c45fc53 100644 --- a/security/clavis/.gitignore +++ b/security/clavis/.gitignore @@ -1 +1,2 @@ /builtin_acl +/sign-file* diff --git a/security/clavis/.kunitconfig b/security/clavis/.kunitconfig new file mode 100644 index 000000000000..c3d2e0eccb06 --- /dev/null +++ b/security/clavis/.kunitconfig @@ -0,0 +1,4 @@ +CONFIG_KUNIT=y +CONFIG_SECURITY=y +CONFIG_SECURITY_CLAVIS=y +CONFIG_SECURITY_CLAVIS_KUNIT_TEST=y diff --git a/security/clavis/Kconfig b/security/clavis/Kconfig index b702311ec905..32cd9799cac9 100644 --- a/security/clavis/Kconfig +++ b/security/clavis/Kconfig 
@@ -19,3 +19,19 @@ config SECURITY_CLAVIS_ACL_LIST acl list into the kernel. The file contents must be in the following format: :. If more than one entry is added, add a carriage return after each entry. + +config SECURITY_CLAVIS_KUNIT_TEST + bool "KUnit tests for Clavis" if !KUNIT_ALL_TESTS + depends on SECURITY_CLAVIS && KUNIT + default KUNIT_ALL_TESTS + select SYSTEM_BLACKLIST_KEYRING + select SYSTEM_REVOCATION_LIST + help + Build KUnit tests for Clavis. + + See the KUnit documentation in Documentation/dev-tools/kunit + + Run all KUnit tests for Clavis with: + ./tools/testing/kunit/kunit.py run --kunitconfig security/clavis + + If you are unsure how to answer this question, answer N. diff --git a/security/clavis/Makefile b/security/clavis/Makefile index af68a44a0cb4..c0915af4f180 100644 --- a/security/clavis/Makefile +++ b/security/clavis/Makefile @@ -3,6 +3,7 @@ obj-$(CONFIG_SECURITY_CLAVIS) += clavis_keyring.o obj-$(CONFIG_SECURITY_CLAVIS) += clavis.o obj-$(CONFIG_SECURITY_CLAVIS) += clavis_builtin_acl.o +obj-$(CONFIG_SECURITY_CLAVIS_KUNIT_TEST) += clavis_test.o ifeq ($(CONFIG_SECURITY_CLAVIS_ACL_LIST),) quiet_cmd_make_builtin_acl = GEN $@ 
@@ -22,3 +23,134 @@ $(obj)/clavis_builtin_acl.o: $(obj)/builtin_acl ifeq ($(CONFIG_EFI),y) obj-$(CONFIG_SECURITY_CLAVIS) += clavis_efi.o endif + +ifeq ($(CONFIG_SECURITY_CLAVIS_KUNIT_TEST),y) +ctv := include/generated/clavis +$(shell mkdir -p $(ctv)) + +quiet_cmd_make_test_key = GEN $@ + cmd_make_test_key = \ + openssl req -x509 -out $@ -outform der -keyout \ + $@.priv -new \ + -nodes -sha512 -days 3650 -subj '/CN=Clavis Kunit' -extensions EXT -config <( \ + printf "[cert]\nCN=Clavis Kunit\n[req]\ndistinguished_name = cert\ndefault_bits \ + = 4096\n[EXT]\nkeyUsage=keyCertSign,digitalSignature\n\ + extendedKeyUsage=codeSigning\nsubjectKeyIdentifier=hash\n\ + basicConstraints=critical,CA:TRUE\nauthorityKeyIdentifier=keyid:always,issuer") \ + > /dev/null 2>&1 + +# These are in the same order as enum key_being_used_for +KEY_USAGE = 0 1 2 3 4 5 +CLAVIS_KEYS = 0 1 + +$(ctv)/ctv_%.x509: FORCE + $(call if_changed,make_test_key) + +quiet_cmd_make_include_bin_array = GEN $@ + cmd_make_include_bin_array = \ + echo "/* Autogenerated file, do not modify. */" > $@; \ + for cfile in $(filter-out FORCE $(ctv)/x509.h $(ctv)/acl.h,$^); do \ + filename=$$(basename $$cfile); \ + varname=$$(echo "$$filename" | sed 's/\./_/g'); \ + { echo -n "const u32 $$varname"_len" = "; \ + cat $$cfile | wc -c | tr -d '\n'; echo ";"; \ + echo "const u8 $$varname[] = {"; \ + od -t x1 -An -v $$cfile | sed 's/\([0-9a-fA-F]\{2\}\)/0x\1,/g'; \ + echo "};"; } >> $@; \ + done + +quiet_cmd_make_include_char_array = GEN $@ + cmd_make_include_char_array = \ + echo "/* Autogenerated file, do not modify. 
*/" > $@; \ + for cfile in $(filter-out FORCE $(ctv)/x509.h,$^); do \ + filename=$$(basename $$cfile); \ + varname=$$(echo "$$filename" | sed 's/\./_/g'); \ + { echo -n "const char $$varname[] = "\"; \ + cat $$cfile; echo "\";"; } >> $@; \ + done + +quiet_cmd_gen_acl = GEN $@ + cmd_gen_acl = \ + { echo -n $*:; \ + openssl x509 -in $< -inform der -ext subjectKeyIdentifier -nocert | \ + tail -n +2 | cut -f4 -d '=' | tr -d ':' | tr '[:upper:]' '[:lower:]' | \ + tr -d '[:space:]'; } > $@ + +$(ctv)/ctv_%.x509.acl: $(ctv)/ctv_%.x509 FORCE + $(call if_changed,gen_acl) + +quiet_cmd_ca0_sign_pkcs7 = GEN $@ + cmd_ca0_sign_pkcs7 = \ + openssl smime -sign -signer $(ctv)/ctv_ca0.x509 -inkey \ + $(ctv)/ctv_ca0.x509.priv -in $< -out $@ -binary -outform DER \ + -nodetach -noattr > /dev/null 2>&1 + +$(ctv)/ctv_ca0_%.pkcs7: $(ctv)/ctv_%.x509.acl $(ctv)/ctv_ca0.x509 FORCE + $(call if_changed,ca0_sign_pkcs7) + +quiet_cmd_ca1_sign_pkcs7 = GEN $@ + cmd_ca1_sign_pkcs7 = \ + openssl smime -sign -signer $(ctv)/ctv_ca1.x509 -inkey \ + $(ctv)/ctv_ca1.x509.priv -in $< -out $@ -binary -outform DER \ + -nodetach -noattr > /dev/null 2>&1 + +$(ctv)/ctv_ca1_%.pkcs7: $(ctv)/ctv_%.x509.acl $(ctv)/ctv_ca1.x509 FORCE + $(call if_changed,ca1_sign_pkcs7) + +quiet_cmd_sign_data_pkcs7 = GEN $@ + cmd_sign_data_pkcs7 = \ + openssl smime -sign -signer $(ctv)/ctv_$*.x509 -inkey \ + $(ctv)/ctv_$*.x509.priv -in $< -out $@ -binary -outform DER \ + -nodetach -noattr > /dev/null 2>&1 + +quiet_cmd_gen_file = GEN $@ + cmd_gen_file = head -c 4096 /dev/urandom > $@ + +$(ctv)/ctv_data_%_signed: $(ctv)/ctv_%.x509 FORCE + $(call cmd,gen_file) + $(call cmd,sign_data_pkcs7) + +quiet_cmd_copy_sign-file = COPY $@ + cmd_copy_sign-file = cat $(src)/../../scripts/sign-file.c >$@ + +quiet_cmd_sign = KSIGN $@ + cmd_sign = $(obj)/sign-file sha256 $<.priv $< $@ + +$(src)/sign-file.c: FORCE + $(call cmd,copy_sign-file) + +hostprogs := sign-file +HOSTCFLAGS_sign-file.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 3> /dev/null) 
-I$(srctree)/scripts +HOSTLDLIBS_sign-file = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto) + +$(ctv)/ctv_module_%_signed: $(ctv)/ctv_%.x509 $(obj)/sign-file FORCE + $(call cmd,gen_file) + $(call cmd,sign) + +$(ctv)/x509.h: $(foreach n, $(KEY_USAGE), $(ctv)/ctv_0$n.x509) $(ctv)/ctv_rev.x509 \ + $(foreach n, $(CLAVIS_KEYS), $(ctv)/ctv_ca$n.x509) FORCE + $(call if_changed,make_include_bin_array) + +$(ctv)/acl.h: $(ctv)/x509.h $(foreach n, $(KEY_USAGE), $(ctv)/ctv_0$n.x509.acl) FORCE + $(call if_changed,make_include_char_array) + +$(ctv)/signed_data.h: $(ctv)/x509.h $(ctv)/acl.h \ + $(foreach n, $(KEY_USAGE), $(ctv)/ctv_ca0_0$n.pkcs7) \ + $(foreach n, $(KEY_USAGE), $(ctv)/ctv_ca1_0$n.pkcs7) \ + $(ctv)/ctv_module_00_signed $(ctv)/ctv_module_ca0_signed \ + $(ctv)/ctv_module_rev_signed $(ctv)/ctv_data_05_signed FORCE + $(call if_changed,make_include_bin_array) + +targets += $(foreach n, $(CLAVIS_KEYS), $(ctv)/ctv_ca$n.x509) +targets += $(foreach n, $(KEY_USAGE), $(ctv)/ctv_0$n.x509) +targets += $(foreach n, $(KEY_USAGE), $(ctv)/ctv_0$n.x509.acl) +targets += $(foreach n, $(KEY_USAGE), $(ctv)/ctv_ca0_0$n.pkcs7) +targets += $(foreach n, $(KEY_USAGE), $(ctv)/ctv_ca1_0$n.pkcs7) +targets += $(ctv)/x509.h $(ctv)/acl.h $(ctv)/signed_data.h +targets += $(ctv)/ctv_module_00_signed $(ctv)/ctv_module_ca0_signed +targets += $(ctv)/ctv_module_rev_signed $(ctv)/ctv_data_05_signed +targets += $(ctv)/ctv_rev.x509 +targets += $(src)/sign-file.c $(obj)/sign-file + +$(obj)/clavis_test.o: $(ctv)/x509.h $(ctv)/acl.h $(ctv)/signed_data.h +endif diff --git a/security/clavis/clavis.h b/security/clavis/clavis.h index 6f68b560311e..2f08c8af1d66 100644 --- a/security/clavis/clavis.h +++ b/security/clavis/clavis.h 
@@ -35,4 +35,28 @@ static inline int __init clavis_efi_param(struct asymmetric_key_id *kid, int len int __init clavis_keyring_init(void); int clavis_sig_verify(const struct key *key, const struct public_key_signature *sig); +#ifdef CONFIG_SECURITY_CLAVIS_KUNIT_TEST +extern void key_type_put(struct key_type *ktype); +extern struct key_type *key_type_lookup(const char *type); +extern long keyctl_update_key(key_serial_t id, const void __user *_payload, size_t plen); +extern struct key * (* const clavis_keyring_get_fn_ptr)(void); +extern int (* const key_acl_preparse_fn_ptr)(struct key_preparsed_payload *prep); +extern void (* const clavis_add_acl_fn_ptr)(const char *const *skid_list, struct key *keyring); + +extern struct key * + (*const keyring_alloc_fn_ptr)(const char *desc, struct key_restriction *restriction); + +extern struct key_restriction * + (* const restriction_alloc_fn_ptr)(key_restrict_link_func_t check_func); + +extern struct asymmetric_key_id * + (* const parse_boot_param_fn_ptr)(char *kid, struct asymmetric_key_id *akid, + int akid_max_len); + +extern int + (* const pkcs7_preparse_content_fn_ptr)(void *ctx, const void *data, size_t len, + size_t asn1hdrlen); + +extern bool (* const clavis_acl_enforced_fn_ptr)(void); +#endif #endif /* _SECURITY_CLAVIS_H_ */ diff --git a/security/clavis/clavis_test.c b/security/clavis/clavis_test.c new file mode 100644 index 000000000000..67fe5d6c6037 --- /dev/null +++ b/security/clavis/clavis_test.c 
@@ -0,0 +1,566 @@ +// SPDX-License-Identifier: GPL-2.0 +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "clavis.h" +#include +#include +#include + +static struct key *machine_keyring; +static struct key *clavis_keyring; +static bool clavis_enforced; + +const char *const clavis_builtin_test_acl_list[] = { + "01:02b4e19c7efc4512ae4911d9e7e6c3c9", + "05:b6c202e7710544a885e425387cd344f6", + "04:ca5b4645541c4e828ef460806f9a61bc", + NULL +}; + +static int clavis_suite_init(struct kunit_suite *suite) +{ + kunit_info(suite, "Initializing Clavis Suite\n"); + + machine_keyring = keyring_alloc(".machine_kunit", + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ | + KEY_USR_SEARCH, + KEY_ALLOC_NOT_IN_QUOTA, + NULL, NULL); + + x509_load_certificate_list(ctv_00_x509, ctv_00_x509_len, machine_keyring); + x509_load_certificate_list(ctv_01_x509, ctv_01_x509_len, machine_keyring); + x509_load_certificate_list(ctv_02_x509, ctv_02_x509_len, machine_keyring); + x509_load_certificate_list(ctv_03_x509, ctv_03_x509_len, machine_keyring); + x509_load_certificate_list(ctv_04_x509, ctv_04_x509_len, machine_keyring); + x509_load_certificate_list(ctv_05_x509, ctv_05_x509_len, machine_keyring); + x509_load_certificate_list(ctv_ca0_x509, ctv_ca0_x509_len, machine_keyring); + x509_load_certificate_list(ctv_ca1_x509, ctv_ca1_x509_len, machine_keyring); + x509_load_certificate_list(ctv_rev_x509, ctv_rev_x509_len, machine_keyring); + + /* + * Note, this will leave the machine with one additional revocation in the + * blacklist keyring when done. 
+ */ + add_key_to_revocation_list(ctv_rev_x509, ctv_rev_x509_len); + + return 0; +} + +static void clavis_suite_exit(struct kunit_suite *suite) +{ + key_put(machine_keyring); +} + +static int restrict_link_for_clavis_test(struct key *dest_keyring, const struct key_type *type, + const union key_payload *payload, struct key *restrict_key) +{ + struct key_type *clavis; + int rval = 0; + + if (type == &key_type_asymmetric && dest_keyring == clavis_keyring && !clavis_enforced) { + clavis_enforced = true; + return 0; + } + + clavis = key_type_lookup("clavis_key_acl"); + if (type != clavis) + rval = -EOPNOTSUPP; + + if (clavis != ERR_PTR(-ENOKEY)) + key_type_put(clavis); + + return rval; +} + +static int clavis_test_keyring_init(struct kunit *test) +{ + struct key_restriction *restriction; + + restriction = restriction_alloc_fn_ptr(restrict_link_for_clavis_test); + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, restriction); + clavis_keyring = keyring_alloc_fn_ptr(".clavis_test", restriction); + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, clavis_keyring); + KUNIT_EXPECT_EQ(test, clavis_keyring->perm, KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | + KEY_POS_WRITE | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | + KEY_USR_WRITE); + clavis_enforced = false; + return 0; +} + +static void clavis_test_keyring_exit(struct kunit *test) +{ + key_put(clavis_keyring); + clavis_keyring = NULL; + clavis_enforced = false; +} + +static void builtin_acl_tests(struct kunit *test) +{ + key_ref_t key; + const char *const *desc; + + clavis_add_acl_fn_ptr(clavis_builtin_test_acl_list, clavis_keyring); + + for (desc = clavis_builtin_test_acl_list; *desc; desc++) { + key = keyring_search(make_key_ref(clavis_keyring, true), + key_type_lookup("clavis_key_acl"), + *desc, + true); + KUNIT_EXPECT_FALSE(test, (IS_ERR(key))); + KUNIT_EXPECT_EQ(test, strcmp(key_ref_to_ptr(key)->description, *desc), 0); + KUNIT_EXPECT_EQ(test, + keyctl_update_key(key_ref_to_ptr(key)->serial, NULL, 0), + -EACCES); + KUNIT_EXPECT_EQ(test, 
key_ref_to_ptr(key)->perm, KEY_POS_SEARCH | KEY_POS_VIEW | + KEY_USR_SEARCH | KEY_USR_VIEW); + key_ref_put(key); + } +} + +static void register_key_type_tests(struct kunit *test) +{ + struct key_type *clavis; + + clavis = key_type_lookup("clavis_key_acl"); + KUNIT_EXPECT_PTR_NE(test, clavis, ERR_PTR(-ENOKEY)); + if (clavis != ERR_PTR(-ENOKEY)) + key_type_put(clavis); + + clavis = key_type_lookup("bogus"); + KUNIT_EXPECT_PTR_EQ(test, clavis, ERR_PTR(-ENOKEY)); + if (clavis != ERR_PTR(-ENOKEY)) + key_type_put(clavis); +} + +static void clavis_parse_boot_param_tests(struct kunit *test) +{ + char *huge = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01"; + struct asymmetric_setup_kid ask; + struct asymmetric_key_id *kid; + + KUNIT_EXPECT_PTR_EQ(test, parse_boot_param_fn_ptr(NULL, &ask.id, ARRAY_SIZE(ask.data)), + NULL); + KUNIT_EXPECT_PTR_EQ(test, parse_boot_param_fn_ptr(huge, &ask.id, ARRAY_SIZE(ask.data)), + NULL); + KUNIT_EXPECT_PTR_EQ(test, parse_boot_param_fn_ptr("0x1000", &ask.id, ARRAY_SIZE(ask.data)), + NULL); + KUNIT_EXPECT_PTR_EQ(test, parse_boot_param_fn_ptr("nothex", &ask.id, ARRAY_SIZE(ask.data)), + NULL); + kid = parse_boot_param_fn_ptr("01234567", &ask.id, ARRAY_SIZE(ask.data)); + + KUNIT_EXPECT_EQ(test, kid->len, 4); + KUNIT_EXPECT_EQ(test, kid->data[0], 0x01); + KUNIT_EXPECT_EQ(test, kid->data[1], 0x23); + KUNIT_EXPECT_EQ(test, kid->data[2], 0x45); + KUNIT_EXPECT_EQ(test, kid->data[3], 0x67); +} + +static inline bool vet_description_test(struct key *keyring, const char *desc) +{ + key_ref_t key; + + key = key_create(make_key_ref(keyring, true), + "clavis_key_acl", + desc, + NULL, + 0, + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | KEY_USR_VIEW, + KEY_ALLOC_BUILT_IN); + + if (IS_ERR(key)) + return false; + + return true; +} + +static void key_acl_vet_description_tests(struct kunit *test) +{ + char *huge = "01:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef01"; + char *large = 
"01:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"; + char buf[64]; + int i; + + KUNIT_EXPECT_FALSE(test, vet_description_test(clavis_keyring, "00:nothex")); + KUNIT_EXPECT_FALSE(test, vet_description_test(clavis_keyring, "0:1234")); + KUNIT_EXPECT_FALSE(test, vet_description_test(clavis_keyring, "01:123")); + KUNIT_EXPECT_FALSE(test, vet_description_test(clavis_keyring, "X0:123")); + KUNIT_EXPECT_FALSE(test, vet_description_test(clavis_keyring, huge)); + KUNIT_EXPECT_TRUE(test, vet_description_test(clavis_keyring, large)); + + for (i = 0; i < 255; i++) { + snprintf(buf, sizeof(buf), "%2hx:01234567", i); + if (i < VERIFYING_CLAVIS_SIGNATURE) + KUNIT_EXPECT_TRUE(test, vet_description_test(clavis_keyring, buf)); + else + KUNIT_EXPECT_FALSE(test, vet_description_test(clavis_keyring, buf)); + } +} + +static void key_usage_tests(struct kunit *test) +{ + KUNIT_EXPECT_EQ(test, VERIFYING_CLAVIS_SIGNATURE + 1, NR__KEY_BEING_USED_FOR); +} + +static int key_acl_preparse_kunit(struct key_preparsed_payload *prep) +{ + if (prep->orig_description) + return 0; + + return verify_pkcs7_signature(NULL, 0, prep->data, prep->datalen, clavis_keyring, + VERIFYING_CLAVIS_SIGNATURE, pkcs7_preparse_content_fn_ptr, + prep); +} + +static void signed_acl_tests(struct kunit *test) +{ + int i; + const unsigned char *ca0_acl_pkcs7[] = { ctv_ca0_00_pkcs7, ctv_ca0_01_pkcs7, + ctv_ca0_02_pkcs7, ctv_ca0_03_pkcs7, + ctv_ca0_04_pkcs7, ctv_ca0_05_pkcs7 + }; + + const u32 ca0_acl_pkcs7_buf_size[] = { ctv_ca0_00_pkcs7_len, ctv_ca0_01_pkcs7_len, + ctv_ca0_02_pkcs7_len, ctv_ca0_03_pkcs7_len, + ctv_ca0_04_pkcs7_len, ctv_ca0_05_pkcs7_len + }; + + const unsigned char *ca1_acl_pkcs7[] = { ctv_ca1_00_pkcs7, ctv_ca1_01_pkcs7, + ctv_ca1_02_pkcs7, ctv_ca1_03_pkcs7, + ctv_ca1_04_pkcs7, ctv_ca1_05_pkcs7 + }; + + const u32 ca1_acl_pkcs7_buf_size[] = { ctv_ca1_00_pkcs7_len, ctv_ca1_01_pkcs7_len, + ctv_ca1_02_pkcs7_len, ctv_ca1_03_pkcs7_len, + ctv_ca1_04_pkcs7_len, ctv_ca1_05_pkcs7_len + }; + + char 
const *acl_list[] = { ctv_00_x509_acl, ctv_01_x509_acl, ctv_02_x509_acl, + ctv_03_x509_acl, ctv_04_x509_acl, ctv_05_x509_acl }; + + key_ref_t key; + + KUNIT_EXPECT_EQ(test, + x509_load_certificate_list(ctv_ca0_x509, ctv_ca0_x509_len, clavis_keyring), + 0); + + clavis_enforced = true; + + for (i = 0; i < 6; i++) { + key = key_create(make_key_ref(clavis_keyring, true), + "clavis_key_acl", + NULL, + ca0_acl_pkcs7[i], + ca0_acl_pkcs7_buf_size[i], + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | KEY_USR_VIEW, + KEY_ALLOC_BUILT_IN); + + KUNIT_EXPECT_TRUE(test, IS_ERR(key)); + + key = keyring_search(make_key_ref(clavis_keyring, true), + key_type_lookup("clavis_key_acl"), + acl_list[i], + true); + + KUNIT_EXPECT_TRUE(test, IS_ERR(key)); + } + + kunit_activate_static_stub(test, key_acl_preparse_fn_ptr, key_acl_preparse_kunit); + + for (i = 0; i < 6; i++) { + key = key_create(make_key_ref(clavis_keyring, true), + "clavis_key_acl", + NULL, + ca0_acl_pkcs7[i], + ca0_acl_pkcs7_buf_size[i], + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | KEY_USR_VIEW, + KEY_ALLOC_BUILT_IN); + + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, key); + + key = keyring_search(make_key_ref(clavis_keyring, true), + key_type_lookup("clavis_key_acl"), + acl_list[i], + true); + + KUNIT_EXPECT_NOT_ERR_OR_NULL(test, key); + } + + for (i = 0; i < 6; i++) { + key = key_create(make_key_ref(clavis_keyring, true), + "clavis_key_acl", + NULL, + ca1_acl_pkcs7[i], + ca1_acl_pkcs7_buf_size[i], + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | KEY_USR_VIEW, + KEY_ALLOC_BUILT_IN); + + KUNIT_EXPECT_TRUE(test, IS_ERR(key)); + } + + kunit_deactivate_static_stub(test, key_acl_preparse_fn_ptr); +} + +static struct key *clavis_key_get(void) +{ + return clavis_keyring; +} + +static bool clavis_acl_enforced(void) +{ + return clavis_enforced; +} + +static void module_invalid_signed_tests(struct kunit *test) +{ + const void *mod = ctv_module_ca0_signed; + struct module_signature ms; + key_ref_t key; + size_t sig_len, mod_len; + + 
kunit_activate_static_stub(test, clavis_keyring_get_fn_ptr, clavis_key_get); + kunit_activate_static_stub(test, clavis_acl_enforced_fn_ptr, clavis_acl_enforced); + + /* Remove the module signature appended information at the end. */ + mod_len = ctv_module_ca0_signed_len - 28; + KUNIT_EXPECT_GT(test, mod_len, sizeof(ms)); + memcpy(&ms, mod + (mod_len - sizeof(ms)), sizeof(ms)); + sig_len = be32_to_cpu(ms.sig_len); + mod_len -= sig_len + sizeof(ms); + + /* + * Enforcement has not been set yet, therefore the verification passes + * without an ACL. The module signing key is in the machine_kunit + * keyring. + */ + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), 0); + + /* Load the clavis CA0 in the clavis keyring. */ + KUNIT_EXPECT_EQ(test, + x509_load_certificate_list(ctv_ca0_x509, ctv_ca0_x509_len, clavis_keyring), + 0); + + clavis_enforced = true; + + /* Enforcement has been enabled without an ACL set. */ + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), -EKEYREJECTED); + + /* Add the module ACL. */ + key = key_create(make_key_ref(clavis_keyring, true), + "clavis_key_acl", + NULL, + ctv_ca0_00_pkcs7, + ctv_ca0_00_pkcs7_len, + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | + KEY_USR_VIEW, KEY_ALLOC_BUILT_IN); + + KUNIT_EXPECT_FALSE(test, IS_ERR(key)); + + /* This module was not signed by the module ACL in the clavis keyring. 
*/ + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), -EKEYREJECTED); + + kunit_deactivate_static_stub(test, clavis_keyring_get_fn_ptr); + kunit_deactivate_static_stub(test, clavis_acl_enforced_fn_ptr); +} + +static void module_signed_tests(struct kunit *test) +{ + const void *mod = ctv_module_00_signed; + struct module_signature ms; + key_ref_t key; + size_t sig_len, mod_len; + + kunit_activate_static_stub(test, clavis_keyring_get_fn_ptr, clavis_key_get); + kunit_activate_static_stub(test, clavis_acl_enforced_fn_ptr, clavis_acl_enforced); + + /* Remove the module signature appended information at the end. */ + mod_len = ctv_module_00_signed_len - 28; + KUNIT_EXPECT_GT(test, mod_len, sizeof(ms)); + memcpy(&ms, mod + (mod_len - sizeof(ms)), sizeof(ms)); + sig_len = be32_to_cpu(ms.sig_len); + mod_len -= sig_len + sizeof(ms); + + /* + * Enforcement has not been set yet, therefore the verification passes + * without an ACL. + */ + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), 0); + + /* Load the clavis CA0 in the clavis keyring. */ + KUNIT_EXPECT_EQ(test, + x509_load_certificate_list(ctv_ca0_x509, ctv_ca0_x509_len, clavis_keyring), + 0); + + clavis_enforced = true; + + /* Enforcement has been enabled without an ACL set. */ + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), -EKEYREJECTED); + + /* Add the module ACL. 
*/ + key = key_create(make_key_ref(clavis_keyring, true), + "clavis_key_acl", + NULL, + ctv_ca0_00_pkcs7, + ctv_ca0_00_pkcs7_len, + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | + KEY_USR_VIEW, KEY_ALLOC_BUILT_IN); + + KUNIT_EXPECT_FALSE(test, IS_ERR(key)); + + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), 0); + + kunit_deactivate_static_stub(test, clavis_keyring_get_fn_ptr); + kunit_deactivate_static_stub(test, clavis_acl_enforced_fn_ptr); +} + +static void module_revocation_tests(struct kunit *test) +{ + /* + * When this test starts, the cert used to sign the module is both in + * the machine_kunit keyring and the blacklist keyring. Also the + * clavis_kunit is not in enforcement mode. This will test the + * PKS_REVOCATION_PASS. + */ + + const void *mod = ctv_module_rev_signed; + struct module_signature ms; + size_t sig_len, mod_len; + + kunit_activate_static_stub(test, clavis_keyring_get_fn_ptr, clavis_key_get); + kunit_activate_static_stub(test, clavis_acl_enforced_fn_ptr, clavis_acl_enforced); + + /* Remove the module signature appended information at the end. 
*/ + mod_len = ctv_module_rev_signed_len - 28; + KUNIT_EXPECT_GT(test, mod_len, sizeof(ms)); + memcpy(&ms, mod + (mod_len - sizeof(ms)), sizeof(ms)); + sig_len = be32_to_cpu(ms.sig_len); + mod_len -= sig_len + sizeof(ms); + + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), -EKEYREJECTED); + + clavis_enforced = true; + + KUNIT_EXPECT_EQ(test, verify_pkcs7_signature(mod, mod_len, + mod + mod_len, sig_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL), -EKEYREJECTED); + + kunit_deactivate_static_stub(test, clavis_keyring_get_fn_ptr); + kunit_deactivate_static_stub(test, clavis_acl_enforced_fn_ptr); +} + +static void unspecified_signed_tests(struct kunit *test) +{ + key_ref_t key; + + kunit_activate_static_stub(test, clavis_keyring_get_fn_ptr, clavis_key_get); + kunit_activate_static_stub(test, clavis_acl_enforced_fn_ptr, clavis_acl_enforced); + + KUNIT_EXPECT_EQ(test, + verify_pkcs7_signature(NULL, 0, ctv_data_05_signed, ctv_data_05_signed_len, + machine_keyring, + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL), + 0); + + /* Load the clavis CA0 in the clavis keyring. */ + KUNIT_EXPECT_EQ(test, + x509_load_certificate_list(ctv_ca0_x509, ctv_ca0_x509_len, clavis_keyring), + 0); + + clavis_enforced = true; + + KUNIT_EXPECT_EQ(test, + verify_pkcs7_signature(NULL, 0, ctv_data_05_signed, ctv_data_05_signed_len, + machine_keyring, + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL), + -EKEYREJECTED); + + /* Add the unspecified ACL. 
*/ + key = key_create(make_key_ref(clavis_keyring, true), + "clavis_key_acl", + NULL, + ctv_ca0_05_pkcs7, + ctv_ca0_05_pkcs7_len, + KEY_POS_SEARCH | KEY_POS_VIEW | KEY_USR_SEARCH | + KEY_USR_VIEW, KEY_ALLOC_BUILT_IN); + + KUNIT_EXPECT_FALSE(test, IS_ERR(key)); + + KUNIT_EXPECT_EQ(test, + verify_pkcs7_signature(NULL, 0, ctv_data_05_signed, ctv_data_05_signed_len, + machine_keyring, + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL), + 0); + + KUNIT_EXPECT_EQ(test, + verify_pkcs7_signature(NULL, 0, ctv_data_05_signed, ctv_data_05_signed_len, + machine_keyring, + VERIFYING_MODULE_SIGNATURE, NULL, NULL), + -EKEYREJECTED); + + kunit_deactivate_static_stub(test, clavis_keyring_get_fn_ptr); + kunit_deactivate_static_stub(test, clavis_acl_enforced_fn_ptr); +} + +static struct kunit_case clavis_test_cases[] = { + KUNIT_CASE(builtin_acl_tests), + KUNIT_CASE(register_key_type_tests), + KUNIT_CASE(clavis_parse_boot_param_tests), + KUNIT_CASE(key_acl_vet_description_tests), + KUNIT_CASE(key_usage_tests), + KUNIT_CASE(signed_acl_tests), + KUNIT_CASE(module_signed_tests), + KUNIT_CASE(module_invalid_signed_tests), + KUNIT_CASE(module_revocation_tests), + KUNIT_CASE(unspecified_signed_tests), + {} +}; + +static struct kunit_suite clavis_test_suite = { + .name = "clavis", + .suite_init = clavis_suite_init, + .suite_exit = clavis_suite_exit, + .init = clavis_test_keyring_init, + .exit = clavis_test_keyring_exit, + .test_cases = clavis_test_cases, +}; + +kunit_test_suites(&clavis_test_suite);
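Review bot: in the Kconfig hunk, `select SYSTEM_REVOCATION_LIST` selects a symbol that in certs/Kconfig itself depends on SYSTEM_BLACKLIST_KEYRING and PKCS7_MESSAGE_PARSER=y; `select` does not evaluate those, so unless SECURITY_CLAVIS already guarantees them Kconfig will emit an unmet-direct-dependencies warning. Also, because clavis_suite_init() deliberately leaves a permanent entry in the blacklist keyring (see the comment above add_key_to_revocation_list()), the help text should say that this option is meant for test kernels only, not just "If you are unsure how to answer this question, answer N."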
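Review bot: the new .kunitconfig lists only CONFIG_KUNIT, CONFIG_SECURITY, CONFIG_SECURITY_CLAVIS and CONFIG_SECURITY_CLAVIS_KUNIT_TEST; kunit.py aborts when the generated .config drops any requested option, and SECURITY_CLAVIS=y will be dropped if one of its own dependencies is not enabled in the default UML configuration. Please add those dependencies here so that the `./tools/testing/kunit/kunit.py run --kunitconfig security/clavis` invocation quoted in the commit message and Kconfig help actually boots, and state in the commit message that it was run that way.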
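Review bot: in the large Makefile hunk, `$(src)/sign-file.c: FORCE` together with `cmd_copy_sign-file = cat $(src)/../../scripts/sign-file.c >$@` and `targets += $(src)/sign-file.c` writes a generated file into the source tree (which is why the .gitignore hunk has to add `/sign-file*`); that breaks `O=` builds from a read-only source tree. Either reuse `scripts/sign-file`, which is already a host program when MODULE_SIG_FORMAT is set, or build the host program from `$(srctree)/scripts/sign-file.c` with the object under `$(obj)`. Three smaller points in the same hunk: `HOSTCFLAGS_sign-file.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 3> /dev/null)` redirects file descriptor 3, not stderr, and should be `2> /dev/null` like the HOSTLDLIBS line under it; `cmd_make_test_key` passes `-config <( printf ... )`, a bash process substitution that fails when `sh` is dash (as on Debian-derived hosts), so write the request config to a file under $(ctv) the way certs/Makefile does for x509.genkey; and the `$(ctv)/ctv_data_%_signed` and `$(ctv)/ctv_module_%_signed` rules use `$(call cmd,gen_file)` rather than `if_changed`, so 4096 fresh random bytes are signed on every build and clavis_test.o is rebuilt each time.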
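Review bot: in the clavis.h hunk, the `extern` redeclarations of key_type_lookup(), key_type_put() and keyctl_update_key() duplicate private prototypes from security/keys/internal.h; if those signatures change, this copy silently diverges and the test keeps compiling against a stale prototype. The block of `const` function pointers (`clavis_keyring_get_fn_ptr`, `key_acl_preparse_fn_ptr`, `restriction_alloc_fn_ptr` and so on) exists only to hand static functions to kunit_activate_static_stub(); the idiomatic way to expose them is VISIBLE_IF_KUNIT / EXPORT_SYMBOL_IF_KUNIT from include/kunit/visibility.h, which avoids adding an indirect call path to the production code.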
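Review bot: in the clavis_test.c hunk, clavis_suite_init() ignores the return values of keyring_alloc(), every x509_load_certificate_list() call and add_key_to_revocation_list(); if the keyring allocation fails, machine_keyring is an ERR_PTR that the later loads dereference, so return the error from suite_init instead. Several tests also continue after a failed KUNIT_EXPECT: builtin_acl_tests() dereferences `key_ref_to_ptr(key)->description` and calls key_ref_put(key) even when IS_ERR(key), and clavis_parse_boot_param_tests() reads `kid->len` without a NULL check; those want KUNIT_ASSERT_*. Every `key_type_lookup("clavis_key_acl")` passed straight into keyring_search() takes a reference that is never dropped with key_type_put(), and the refs returned by key_create() and keyring_search() in signed_acl_tests(), module_signed_tests(), module_invalid_signed_tests() and unspecified_signed_tests() are never key_ref_put(). In key_acl_vet_description_tests(), `snprintf(buf, sizeof(buf), "%2hx:01234567", i)` pads with spaces, so for i < 16 the description is e.g. " 1:01234567" rather than the "01:..." form used in clavis_builtin_test_acl_list; `%02hx` looks intended, and the `i < 255` bound never exercises 0xff. Finally, the three module tests each repeat `mod_len = ..._len - 28;` with a magic constant; factor the trailer handling into one helper that uses `sizeof(MODULE_SIG_STRING) - 1`, verifies the marker and runs mod_check_sig() on the struct module_signature before trusting sig_len.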
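The signed-module vectors the commit message lists (ctv_module_ca0_signed, ctv_module_rev_signed) are produced by sign-file, which appends the PKCS#7 blob, a struct module_signature and the MODULE_SIG_STRING marker to the data, and the tests then split that layout apart by hand. As an added example that is not part of this patch or of the Clavis code, here is a stand-alone parser for that trailer in user-space C. The struct layout, the marker and the sanity checks follow include/linux/module_signature.h and mod_check_sig() in kernel/module_signature.c; build_sample() constructs a fake blob for demonstration and its five signature bytes are not a real PKCS#7 message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Marker and trailer layout as defined in include/linux/module_signature.h. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MODULE_SIG_STRING_LEN (sizeof(MODULE_SIG_STRING) - 1)   /* 28 */
#define PKEY_ID_PKCS7 2

struct module_signature {
	uint8_t algo;        /* 0 for PKCS#7: the blob names the algorithm */
	uint8_t hash;        /* 0 for PKCS#7 */
	uint8_t id_type;     /* PKEY_ID_PKCS7 */
	uint8_t signer_len;  /* 0 for PKCS#7 */
	uint8_t key_id_len;  /* 0 for PKCS#7 */
	uint8_t pad[3];      /* 0 */
	uint8_t sig_len[4];  /* big-endian length of the PKCS#7 blob */
};

struct split_module {
	size_t mod_len;      /* bytes the signature covers */
	size_t sig_len;      /* bytes of PKCS#7 data that follow them */
};

/*
 * Split <module><pkcs7><module_signature><marker> into its parts.
 * Returns 0 on success or a negative code naming the malformation;
 * the checks mirror those mod_check_sig() applies in the kernel.
 */
int split_signed_module(const uint8_t *buf, size_t len, struct split_module *out)
{
	struct module_signature ms;
	size_t body, sig_len;

	if (len < MODULE_SIG_STRING_LEN + sizeof(ms))
		return -1;                  /* too short to carry a trailer */
	if (memcmp(buf + len - MODULE_SIG_STRING_LEN, MODULE_SIG_STRING,
		   MODULE_SIG_STRING_LEN) != 0)
		return -2;                  /* no signature appended */

	body = len - MODULE_SIG_STRING_LEN;
	memcpy(&ms, buf + body - sizeof(ms), sizeof(ms));

	if (ms.id_type != PKEY_ID_PKCS7)
		return -3;                  /* only PKCS#7 containers are accepted */
	if (ms.algo || ms.hash || ms.signer_len || ms.key_id_len ||
	    ms.pad[0] || ms.pad[1] || ms.pad[2])
		return -4;                  /* these must be zero for PKCS#7 */

	sig_len = ((size_t)ms.sig_len[0] << 24) | ((size_t)ms.sig_len[1] << 16) |
		  ((size_t)ms.sig_len[2] << 8) | ms.sig_len[3];
	if (sig_len >= body - sizeof(ms))
		return -5;                  /* sig_len would swallow the module */

	out->sig_len = sig_len;
	out->mod_len = body - sizeof(ms) - sig_len;
	return 0;
}

/*
 * Constructed sample, not a real signed module: 16 bytes of "module",
 * a 5-byte stand-in for the PKCS#7 blob, the trailer and the marker.
 * With bad_sig_len set, the trailer claims a 200-byte signature.
 */
size_t build_sample(uint8_t *out, size_t cap, int bad_sig_len)
{
	static const char module[] = "clavis-kunit-mod";          /* 16 bytes */
	static const uint8_t sig[5] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
	struct module_signature ms = { .id_type = PKEY_ID_PKCS7,
				       .sig_len = { 0, 0, 0, (uint8_t)sizeof(sig) } };
	size_t mod_len = sizeof(module) - 1, n = 0;

	if (bad_sig_len)
		ms.sig_len[3] = 200;
	if (cap < mod_len + sizeof(sig) + sizeof(ms) + MODULE_SIG_STRING_LEN)
		return 0;
	memcpy(out + n, module, mod_len);   n += mod_len;
	memcpy(out + n, sig, sizeof(sig));  n += sizeof(sig);
	memcpy(out + n, &ms, sizeof(ms));   n += sizeof(ms);
	memcpy(out + n, MODULE_SIG_STRING, MODULE_SIG_STRING_LEN);
	n += MODULE_SIG_STRING_LEN;
	return n;
}

int main(void)
{
	uint8_t buf[128];
	struct split_module sm = { 0 };
	size_t n = build_sample(buf, sizeof(buf), 0);
	int rc = split_signed_module(buf, n, &sm);

	printf("rc=%d mod_len=%zu sig_len=%zu\n", rc, sm.mod_len, sm.sig_len);
	n = build_sample(buf, sizeof(buf), 1);
	printf("bad sig_len: rc=%d\n", split_signed_module(buf, n, &sm));
	return 0;
}
```

The point of the sig_len bound check is that the length field is attacker-controlled data sitting inside the file being verified: without it, a trailer claiming a signature longer than the file would push mod_len negative and the PKCS#7 verification would run over a pointer before the buffer.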