From: Mimi Zohar <zohar@linux.ibm.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: keescook@chromium.org, torvalds@linux-foundation.org,
weiyongjun1@huawei.com, nayna@linux.ibm.com, ebiggers@google.com,
ardb@kernel.org, nramas@linux.microsoft.com, lszubowi@redhat.com,
jason@zx2c4.com, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-efi@vger.kernel.org,
linux-security-module@vger.kernel.org,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
konrad.wilk@oracle.com
Subject: Re: [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys
Date: Thu, 18 Nov 2021 19:20:06 -0500 [thread overview]
Message-ID: <f1007bba5daa81d6abdb89fffa6237b54d1ad496.camel@linux.ibm.com> (raw)
In-Reply-To: <20211116001545.2639333-12-eric.snowberg@oracle.com>
Hi Eric,
On Mon, 2021-11-15 at 19:15 -0500, Eric Snowberg wrote:
> Introduce a new link restriction that includes the trusted builtin,
> secondary and machine keys. The restriction is based on the key to be
> added being vouched for by a key in any of these three keyrings.
>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
> v3: Initial version
> v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING
> v5: Rename to machine keyring
> v6: Change subject name (suggested by Mimi)
> Rename restrict_link_by_builtin_secondary_and_ca_trusted
> to restrict_link_by_builtin_secondary_and_machine (suggested by
> Mimi)
> v7: Unmodified from v6
> ---
> certs/system_keyring.c | 23 +++++++++++++++++++++++
> include/keys/system_keyring.h | 6 ++++++
> 2 files changed, 29 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index bc7e44fc82c2..71a00add9805 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring)
> {
> machine_trusted_keys = keyring;
> }
> +
> +/**
This begins the start of kernel doc.
> + * restrict_link_by_builtin_secondary_and_machine
Missing are the parameter defintions. Please refer to
Documentation/doc-guide/kernel-doc.rst for details.
Mimi
> + *
> + * Restrict the addition of keys into a keyring based on the key-to-be-added
> + * being vouched for by a key in either the built-in, the secondary, or
> + * the machine keyrings.
> + */
> +int restrict_link_by_builtin_secondary_and_machine(
> + struct key *dest_keyring,
> + const struct key_type *type,
> + const union key_payload *payload,
> + struct key *restrict_key)
> +{
> + if (machine_trusted_keys && type == &key_type_keyring &&
> + dest_keyring == secondary_trusted_keys &&
> + payload == &machine_trusted_keys->payload)
> + /* Allow the machine keyring to be added to the secondary */
> + return 0;
> +
> + return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
> + payload, restrict_key);
> +}
> #endif
>
> /*
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 98c9b10cdc17..2419a735420f 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -39,8 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
> #endif
>
> #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> +extern int restrict_link_by_builtin_secondary_and_machine(
> + struct key *dest_keyring,
> + const struct key_type *type,
> + const union key_payload *payload,
> + struct key *restrict_key);
> extern void __init set_machine_trusted_keys(struct key *keyring);
> #else
> +#define restrict_link_by_builtin_secondary_and_machine restrict_link_by_builtin_trusted
> static inline void __init set_machine_trusted_keys(struct key *keyring)
> {
> }
next prev parent reply other threads:[~2021-11-19 0:20 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-16 0:15 [PATCH v7 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 01/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-17 13:01 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 02/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-17 13:18 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-17 13:32 ` Mimi Zohar
2021-11-17 13:53 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 04/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-18 22:59 ` Mimi Zohar
2021-11-18 23:29 ` Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 05/17] KEYS: CA link restriction Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2021-11-23 2:09 ` kernel test robot
2021-11-23 2:09 ` kernel test robot
2021-11-16 0:15 ` [PATCH v7 07/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-17 15:16 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-19 0:05 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-19 0:05 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2021-11-19 0:20 ` Mimi Zohar [this message]
2021-11-19 2:50 ` Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-19 0:23 ` Mimi Zohar
2021-11-16 0:15 ` [PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys Eric Snowberg
2021-11-18 12:32 ` Mimi Zohar
2021-11-18 21:37 ` Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 14/17] integrity: store reference to machine keyring Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 15/17] efi/mokvar: move up init order Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-11-16 0:15 ` [PATCH v7 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-11-16 16:00 ` [PATCH v7 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-11-16 16:18 ` Konrad Rzeszutek Wilk
2021-11-16 16:24 ` Jarkko Sakkinen
2021-11-16 16:39 ` Konrad Rzeszutek Wilk
2021-11-17 7:50 ` Jarkko Sakkinen
2021-11-17 7:51 ` Jarkko Sakkinen
2021-11-17 17:02 ` Konrad Rzeszutek Wilk
2021-11-17 17:20 ` Eric Snowberg
2021-11-18 3:14 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f1007bba5daa81d6abdb89fffa6237b54d1ad496.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=eric.snowberg@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jason@zx2c4.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.