From: Darren Kenny <darren.kenny@oracle.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: eric.snowberg@oracle.com, keescook@chromium.org,
torvalds@linux-foundation.org, weiyongjun1@huawei.com,
nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
James.Bottomley@HansenPartnership.com, pjones@redhat.com,
konrad.wilk@oracle.com
Subject: Re: [PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Date: Mon, 14 Feb 2022 12:42:04 +0000 [thread overview]
Message-ID: <m235kltyar.fsf@oracle.com> (raw)
In-Reply-To: <20211124044124.998170-8-eric.snowberg@oracle.com>
On Tuesday, 2021-11-23 at 23:41:14 -05, Eric Snowberg wrote:
> Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to
> restrict_link_by_ca. This will only allow CA keys into the machine
> keyring.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> ---
> v1: Initial version
> v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok
> keyring gets created even when it isn't enabled
> v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca
> v4: removed unnecessary restriction->check set
> v5: Rename to machine keyring
> v6: split line over 80 char (suggested by Mimi)
> v8: Unmodified from v6
> ---
> security/integrity/digsig.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 910fe29a5037..e7dfc55a7c55 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -132,14 +132,18 @@ int __init integrity_init_keyring(const unsigned int id)
> goto out;
> }
>
> - if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
> + if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) &&
> + id != INTEGRITY_KEYRING_MACHINE)
> return 0;
>
> restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
> if (!restriction)
> return -ENOMEM;
>
> - restriction->check = restrict_link_to_ima;
> + if (id == INTEGRITY_KEYRING_MACHINE)
> + restriction->check = restrict_link_by_ca;
> + else
> + restriction->check = restrict_link_to_ima;
>
> /*
> * No additional keys shall be allowed to load into the machine
> --
> 2.18.4
next prev parent reply other threads:[~2022-02-14 12:43 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-24 4:41 [PATCH v8 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 01/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 02/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-25 2:49 ` Mimi Zohar
2021-11-29 22:50 ` Eric Snowberg
2021-11-27 0:39 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 04/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-27 0:42 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 05/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-27 0:43 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 06/17] KEYS: CA link restriction Eric Snowberg
2021-11-27 0:44 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2022-02-14 12:42 ` Darren Kenny [this message]
2021-11-24 4:41 ` [PATCH v8 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-27 0:46 ` Jarkko Sakkinen
2021-11-24 4:41 ` [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-27 0:49 ` Jarkko Sakkinen
2021-11-30 17:21 ` Eric Snowberg
2021-12-01 10:27 ` Jarkko Sakkinen
2021-12-01 13:46 ` Mimi Zohar
2021-12-04 17:39 ` Jarkko Sakkinen
2021-12-15 18:14 ` Eric Snowberg
2021-12-15 19:54 ` Mimi Zohar
2021-11-24 4:41 ` [PATCH v8 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2022-02-14 12:18 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-02-14 12:23 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-24 4:41 ` [PATCH v8 13/17] integrity: store reference to " Eric Snowberg
2022-02-14 12:27 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 14/17] KEYS: link machine trusted keys to secondary_trusted_keys Eric Snowberg
2022-02-14 12:28 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 15/17] efi/mokvar: move up init order Eric Snowberg
2022-02-14 12:29 ` Darren Kenny
2021-11-24 4:41 ` [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-02-14 12:31 ` Darren Kenny
2022-11-10 0:01 ` Morten Linderud
2022-11-10 0:54 ` Eric Snowberg
2022-11-10 15:06 ` Morten Linderud
2022-11-10 15:27 ` James Bottomley
2022-11-10 15:30 ` Ard Biesheuvel
2022-11-10 7:42 ` Ard Biesheuvel
2022-11-10 14:27 ` Morten Linderud
2022-11-10 14:15 ` James Bottomley
2021-11-24 4:41 ` [PATCH v8 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-02-14 12:37 ` Darren Kenny
2022-02-20 23:23 ` [PATCH v8 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m235kltyar.fsf@oracle.com \
--to=darren.kenny@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@google.com \
--cc=eric.snowberg@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jason@zx2c4.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=nayna@linux.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.