[PATCH 0/3] Add digitalSignature enforcement keyring restrictions

[PATCH 0/3] Add digitalSignature enforcement keyring restrictions

[Eric Snowberg]

X.509 certificates may contain a key usage extension [1]. The key usage
extension defines the purpose of the certificate. One area of
interest is the digitalSignature. The digitalSignature usage is
typically used for code signing (integrity). 

Within the "Add CA enforcement key restrictions" [2] series, the
digitalSignature is being saved.  This series builds upon the previous
one and adds restrictions based on the digitalSignature usage.  

A new keyring restriction called restrict_link_by_digsig is added. The new
restriction only allows keys that contain digitalSignature usage within
it.

The first two keyrings to use this restriction are the .ima and .evm
keyrings.  With this update, only keys containing a digitalSignature 
will be allowed in either keyring.

1. https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
2. https://lore.kernel.org/all/20230329220231.h6afgarrvdlwwdjc@kernel.org/T/

Eric Snowberg (3):
  KEYS: DigitalSignature link restriction
  integrity: Enforce digitalSignature usage in the ima and evm keyrings
  integrity: Remove EXPERIMENTAL from Kconfig

 certs/system_keyring.c            | 52 +++++++++++++++++++++++++++++++
 crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++
 include/crypto/public_key.h       | 11 +++++++
 include/keys/system_keyring.h     | 11 +++++++
 security/integrity/digsig.c       |  4 +--
 security/integrity/evm/Kconfig    |  3 +-
 security/integrity/ima/Kconfig    |  5 +--
 7 files changed, 125 insertions(+), 5 deletions(-)


base-commit: ac9a78681b921877518763ba0e89202254349d1b
-- 
2.27.0

[PATCH 1/3] KEYS: DigitalSignature link restriction

[Eric Snowberg]

Add a new link restriction.  Restrict the addition of keys in a keyring
based on the key having digitalSignature usage set. Additionally, verify
the new certificate against the ones in the system keyrings.  Add two
additional functions to use the new restriction within either the builtin
or secondary keyrings.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/system_keyring.c            | 52 +++++++++++++++++++++++++++++++
 crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++
 include/crypto/public_key.h       | 11 +++++++
 include/keys/system_keyring.h     | 11 +++++++
 4 files changed, 118 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index a7a49b17ceb1..4249c49bd43b 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -51,6 +51,27 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
 					  builtin_trusted_keys);
 }
 
+/**
+ * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions
+ *   by the built-in keyring.
+ * @dest_keyring: Keyring being linked to.
+ * @type: The type of key being added.
+ * @payload: The payload of the new key.
+ * @restriction_key: A ring of keys that can be used to vouch for the new cert.
+ *
+ * Restrict the addition of keys into a keyring based on the key-to-be-added
+ * being vouched for by a key in the built in system keyring. The new key
+ * must have the digitalSignature usage field set.
+ */
+int restrict_link_by_digsig_builtin(struct key *dest_keyring,
+				    const struct key_type *type,
+				    const union key_payload *payload,
+				    struct key *restriction_key)
+{
+	return restrict_link_by_digsig(dest_keyring, type, payload,
+				       builtin_trusted_keys);
+}
+
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 /**
  * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
@@ -83,6 +104,37 @@ int restrict_link_by_builtin_and_secondary_trusted(
 					  secondary_trusted_keys);
 }
 
+/**
+ * restrict_link_by_digsig_builtin_and_secondary - Restrict digitalSignature
+ *   key additions by both built-in and secondary keyrings.
+ * @dest_keyring: Keyring being linked to.
+ * @type: The type of key being added.
+ * @payload: The payload of the new key.
+ * @restrict_key: A ring of keys that can be used to vouch for the new cert.
+ *
+ * Restrict the addition of keys into a keyring based on the key-to-be-added
+ * being vouched for by a key in either the built-in or the secondary system
+ * keyrings. The new key must have the digitalSignature usage field set.
+ */
+int restrict_link_by_digsig_builtin_and_secondary(
+	struct key *dest_keyring,
+	const struct key_type *type,
+	const union key_payload *payload,
+	struct key *restrict_key)
+{
+	/* If we have a secondary trusted keyring, then that contains a link
+	 * through to the builtin keyring and the search will follow that link.
+	 */
+	if (type == &key_type_keyring &&
+	    dest_keyring == secondary_trusted_keys &&
+	    payload == &builtin_trusted_keys->payload)
+		/* Allow the builtin keyring to be added to the secondary */
+		return 0;
+
+	return restrict_link_by_digsig(dest_keyring, type, payload,
+				       secondary_trusted_keys);
+}
+
 /*
  * Allocate a struct key_restriction for the "builtin and secondary trust"
  * keyring. Only for use in system_trusted_keyring_init().
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 276bdb627498..6b69ea40da23 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -148,6 +148,50 @@ int restrict_link_by_ca(struct key *dest_keyring,
 	return 0;
 }
 
+/**
+ * restrict_link_by_digsig - Restrict additions to a ring of digsig keys
+ * @dest_keyring: Keyring being linked to.
+ * @type: The type of key being added.
+ * @payload: The payload of the new key.
+ * @trust_keyring: A ring of keys that can be used to vouch for the new cert.
+ *
+ * Check if the new certificate has digitalSignature usage set. If it is,
+ * then mark the new certificate as being ok to link. Afterwards verify
+ * the new certificate against the ones in the trust_keyring.
+ *
+ * Returns 0 if the new certificate was accepted, -ENOKEY if the
+ * certificate is not a digsig. -ENOPKG if the signature uses unsupported
+ * crypto, or some other error if there is a matching certificate but
+ * the signature check cannot be performed.
+ */
+int restrict_link_by_digsig(struct key *dest_keyring,
+			    const struct key_type *type,
+			    const union key_payload *payload,
+			    struct key *trust_keyring)
+{
+	const struct public_key *pkey;
+
+	if (type != &key_type_asymmetric)
+		return -EOPNOTSUPP;
+
+	pkey = payload->data[asym_crypto];
+
+	if (!pkey)
+		return -ENOPKG;
+
+	if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
+		return -ENOKEY;
+
+	if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags))
+		return -ENOKEY;
+
+	if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
+		return -ENOKEY;
+
+	return restrict_link_by_signature(dest_keyring, type, payload,
+					  trust_keyring);
+}
+
 static bool match_either_id(const struct asymmetric_key_id **pair,
 			    const struct asymmetric_key_id *single)
 {
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 653992a6e941..8eb5eff059f3 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -80,6 +80,10 @@ extern int restrict_link_by_ca(struct key *dest_keyring,
 			       const struct key_type *type,
 			       const union key_payload *payload,
 			       struct key *trust_keyring);
+int restrict_link_by_digsig(struct key *dest_keyring,
+			    const struct key_type *type,
+			    const union key_payload *payload,
+			    struct key *trust_keyring);
 #else
 static inline int restrict_link_by_ca(struct key *dest_keyring,
 				      const struct key_type *type,
@@ -88,6 +92,13 @@ static inline int restrict_link_by_ca(struct key *dest_keyring,
 {
 	return 0;
 }
+static inline int restrict_link_by_digsig(struct key *dest_keyring,
+					  const struct key_type *type,
+					  const union key_payload *payload,
+					  struct key *trust_keyring)
+{
+	return 0;
+}
 #endif
 
 extern int query_asymmetric_key(const struct kernel_pkey_params *,
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..38f63f1c2cbe 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -23,10 +23,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
 					    const struct key_type *type,
 					    const union key_payload *payload,
 					    struct key *restriction_key);
+int restrict_link_by_digsig_builtin(struct key *dest_keyring,
+				    const struct key_type *type,
+				    const union key_payload *payload,
+				    struct key *restriction_key);
 extern __init int load_module_cert(struct key *keyring);
 
 #else
 #define restrict_link_by_builtin_trusted restrict_link_reject
+#define restrict_link_by_digsig_builtin restrict_link_reject
 
 static inline __init int load_module_cert(struct key *keyring)
 {
@@ -41,8 +46,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 	const struct key_type *type,
 	const union key_payload *payload,
 	struct key *restriction_key);
+extern int restrict_link_by_digsig_builtin_and_secondary(
+	struct key *keyring,
+	const struct key_type *type,
+	const union key_payload *payload,
+	struct key *restriction_key);
 #else
 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
 #endif
 
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
-- 
2.27.0

Re: [PATCH 1/3] KEYS: DigitalSignature link restriction

[Jarkko Sakkinen]

On Tue May 9, 2023 at 1:07 AM EEST, Eric Snowberg wrote:
> Add a new link restriction.  Restrict the addition of keys in a keyring
> based on the key having digitalSignature usage set. Additionally, verify
> the new certificate against the ones in the system keyrings.  Add two
> additional functions to use the new restriction within either the builtin
> or secondary keyrings.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
>  certs/system_keyring.c            | 52 +++++++++++++++++++++++++++++++
>  crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++
>  include/crypto/public_key.h       | 11 +++++++
>  include/keys/system_keyring.h     | 11 +++++++
>  4 files changed, 118 insertions(+)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index a7a49b17ceb1..4249c49bd43b 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -51,6 +51,27 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
>  					  builtin_trusted_keys);
>  }
>  
> +/**
> + * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions
> + *   by the built-in keyring.

BTW, does checkpatch complain if you put that to a single line (I don't
know this)?

If not, I would just put "Restrict by digitalSignature"

> + * @dest_keyring: Keyring being linked to.
> + * @type: The type of key being added.
> + * @payload: The payload of the new key.
> + * @restriction_key: A ring of keys that can be used to vouch for the new cert.
> + *
> + * Restrict the addition of keys into a keyring based on the key-to-be-added
> + * being vouched for by a key in the built in system keyring. The new key
> + * must have the digitalSignature usage field set.
> + */
> +int restrict_link_by_digsig_builtin(struct key *dest_keyring,
> +				    const struct key_type *type,
> +				    const union key_payload *payload,
> +				    struct key *restriction_key)
> +{
> +	return restrict_link_by_digsig(dest_keyring, type, payload,
> +				       builtin_trusted_keys);
> +}
> +
>  #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
>  /**
>   * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
> @@ -83,6 +104,37 @@ int restrict_link_by_builtin_and_secondary_trusted(
>  					  secondary_trusted_keys);
>  }
>  
> +/**
> + * restrict_link_by_digsig_builtin_and_secondary - Restrict digitalSignature
> + *   key additions by both built-in and secondary keyrings.
> + * @dest_keyring: Keyring being linked to.
> + * @type: The type of key being added.
> + * @payload: The payload of the new key.
> + * @restrict_key: A ring of keys that can be used to vouch for the new cert.
> + *
> + * Restrict the addition of keys into a keyring based on the key-to-be-added
> + * being vouched for by a key in either the built-in or the secondary system
> + * keyrings. The new key must have the digitalSignature usage field set.
> + */
> +int restrict_link_by_digsig_builtin_and_secondary(
> +	struct key *dest_keyring,
> +	const struct key_type *type,
> +	const union key_payload *payload,
> +	struct key *restrict_key)
> +{
> +	/* If we have a secondary trusted keyring, then that contains a link
> +	 * through to the builtin keyring and the search will follow that link.
> +	 */
> +	if (type == &key_type_keyring &&
> +	    dest_keyring == secondary_trusted_keys &&
> +	    payload == &builtin_trusted_keys->payload)
> +		/* Allow the builtin keyring to be added to the secondary */
> +		return 0;
> +
> +	return restrict_link_by_digsig(dest_keyring, type, payload,
> +				       secondary_trusted_keys);
> +}
> +
>  /*
>   * Allocate a struct key_restriction for the "builtin and secondary trust"
>   * keyring. Only for use in system_trusted_keyring_init().
> diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
> index 276bdb627498..6b69ea40da23 100644
> --- a/crypto/asymmetric_keys/restrict.c
> +++ b/crypto/asymmetric_keys/restrict.c
> @@ -148,6 +148,50 @@ int restrict_link_by_ca(struct key *dest_keyring,
>  	return 0;
>  }
>  
> +/**
> + * restrict_link_by_digsig - Restrict additions to a ring of digsig keys
> + * @dest_keyring: Keyring being linked to.
> + * @type: The type of key being added.
> + * @payload: The payload of the new key.
> + * @trust_keyring: A ring of keys that can be used to vouch for the new cert.
> + *
> + * Check if the new certificate has digitalSignature usage set. If it is,
> + * then mark the new certificate as being ok to link. Afterwards verify
> + * the new certificate against the ones in the trust_keyring.
> + *
> + * Returns 0 if the new certificate was accepted, -ENOKEY if the
> + * certificate is not a digsig. -ENOPKG if the signature uses unsupported
> + * crypto, or some other error if there is a matching certificate but
> + * the signature check cannot be performed.
> + */
> +int restrict_link_by_digsig(struct key *dest_keyring,
> +			    const struct key_type *type,
> +			    const union key_payload *payload,
> +			    struct key *trust_keyring)
> +{
> +	const struct public_key *pkey;
> +
> +	if (type != &key_type_asymmetric)
> +		return -EOPNOTSUPP;
> +
> +	pkey = payload->data[asym_crypto];
> +
> +	if (!pkey)
> +		return -ENOPKG;
> +
> +	if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
> +		return -ENOKEY;
> +
> +	if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags))
> +		return -ENOKEY;
> +
> +	if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
> +		return -ENOKEY;
> +
> +	return restrict_link_by_signature(dest_keyring, type, payload,
> +					  trust_keyring);
> +}
> +
>  static bool match_either_id(const struct asymmetric_key_id **pair,
>  			    const struct asymmetric_key_id *single)
>  {
> diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
> index 653992a6e941..8eb5eff059f3 100644
> --- a/include/crypto/public_key.h
> +++ b/include/crypto/public_key.h
> @@ -80,6 +80,10 @@ extern int restrict_link_by_ca(struct key *dest_keyring,
>  			       const struct key_type *type,
>  			       const union key_payload *payload,
>  			       struct key *trust_keyring);
> +int restrict_link_by_digsig(struct key *dest_keyring,
> +			    const struct key_type *type,
> +			    const union key_payload *payload,
> +			    struct key *trust_keyring);
>  #else
>  static inline int restrict_link_by_ca(struct key *dest_keyring,
>  				      const struct key_type *type,
> @@ -88,6 +92,13 @@ static inline int restrict_link_by_ca(struct key *dest_keyring,
>  {
>  	return 0;
>  }
> +static inline int restrict_link_by_digsig(struct key *dest_keyring,
> +					  const struct key_type *type,
> +					  const union key_payload *payload,
> +					  struct key *trust_keyring)
> +{
> +	return 0;
> +}
>  #endif
>  
>  extern int query_asymmetric_key(const struct kernel_pkey_params *,
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 91e080efb918..38f63f1c2cbe 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -23,10 +23,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
>  					    const struct key_type *type,
>  					    const union key_payload *payload,
>  					    struct key *restriction_key);
> +int restrict_link_by_digsig_builtin(struct key *dest_keyring,
> +				    const struct key_type *type,
> +				    const union key_payload *payload,
> +				    struct key *restriction_key);
>  extern __init int load_module_cert(struct key *keyring);
>  
>  #else
>  #define restrict_link_by_builtin_trusted restrict_link_reject
> +#define restrict_link_by_digsig_builtin restrict_link_reject
>  
>  static inline __init int load_module_cert(struct key *keyring)
>  {
> @@ -41,8 +46,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
>  	const struct key_type *type,
>  	const union key_payload *payload,
>  	struct key *restriction_key);
> +extern int restrict_link_by_digsig_builtin_and_secondary(
> +	struct key *keyring,
> +	const struct key_type *type,
> +	const union key_payload *payload,
> +	struct key *restriction_key);
>  #else
>  #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
> +#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin
>  #endif
>  
>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> -- 
> 2.27.0

BR, Jarkko

Re: [PATCH 1/3] KEYS: DigitalSignature link restriction

[Eric Snowberg]

> On May 10, 2023, at 4:34 PM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
> 
> On Tue May 9, 2023 at 1:07 AM EEST, Eric Snowberg wrote:
>> Add a new link restriction.  Restrict the addition of keys in a keyring
>> based on the key having digitalSignature usage set. Additionally, verify
>> the new certificate against the ones in the system keyrings.  Add two
>> additional functions to use the new restriction within either the builtin
>> or secondary keyrings.
>> 
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>> ---
>> certs/system_keyring.c            | 52 +++++++++++++++++++++++++++++++
>> crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++
>> include/crypto/public_key.h       | 11 +++++++
>> include/keys/system_keyring.h     | 11 +++++++
>> 4 files changed, 118 insertions(+)
>> 
>> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
>> index a7a49b17ceb1..4249c49bd43b 100644
>> --- a/certs/system_keyring.c
>> +++ b/certs/system_keyring.c
>> @@ -51,6 +51,27 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
>> 					  builtin_trusted_keys);
>> }
>> 
>> +/**
>> + * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions
>> + *   by the built-in keyring.
> 
> BTW, does checkpatch complain if you put that to a single line (I don't
> know this)?
> 
> If not, I would just put "Restrict by digitalSignature”

It looks like check patch will allow up to 100 chars.  I will update it to a single line.
Thanks.

Re: [PATCH 1/3] KEYS: DigitalSignature link restriction

[Mimi Zohar]

On Mon, 2023-05-08 at 18:07 -0400, Eric Snowberg wrote:
> Add a new link restriction.  Restrict the addition of keys in a keyring
> based on the key having digitalSignature usage set. Additionally, verify
> the new certificate against the ones in the system keyrings.  Add two
> additional functions to use the new restriction within either the builtin
> or secondary keyrings.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Thanks, Eric.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

[PATCH 2/3] integrity: Enforce digitalSignature usage in the ima and evm keyrings

[Eric Snowberg]

After being vouched for by a system keyring, only allow keys into the .ima
and .evm keyrings that have the digitalSignature usage field set.

Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/digsig.c    | 4 ++--
 security/integrity/evm/Kconfig | 3 ++-
 security/integrity/ima/Kconfig | 3 ++-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 6f31ffe23c48..d0704b1597d4 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
 };
 
 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
+#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary
 #else
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
+#define restrict_link_to_ima restrict_link_by_digsig_builtin
 #endif
 
 static struct key *integrity_keyring_from_id(const unsigned int id)
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index a6e19d23e700..fba9ee359bc9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -64,7 +64,8 @@ config EVM_LOAD_X509
 
 	   This option enables X509 certificate loading from the kernel
 	   onto the '.evm' trusted keyring.  A public key can be used to
-	   verify EVM integrity starting from the 'init' process.
+	   verify EVM integrity starting from the 'init' process. The
+	   key must have digitalSignature usage set.
 
 config EVM_X509_PATH
 	string "EVM X509 certificate path"
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 60a511c6b583..684425936c53 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 	help
 	  Keys may be added to the IMA or IMA blacklist keyrings, if the
 	  key is validly signed by a CA cert in the system built-in or
-	  secondary trusted keyrings.
+	  secondary trusted keyrings. The key must also have the
+	  digitalSignature usage set.
 
 	  Intermediate keys between those the kernel has compiled in and the
 	  IMA keys to be added may be added to the system secondary keyring,
-- 
2.27.0

Re: [PATCH 2/3] integrity: Enforce digitalSignature usage in the ima and evm keyrings

[Mimi Zohar]

On Mon, 2023-05-08 at 18:07 -0400, Eric Snowberg wrote:
> After being vouched for by a system keyring, only allow keys into the .ima
> and .evm keyrings that have the digitalSignature usage field set.
> 
> Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Acked-by: Mimi Zohar <zohar@linux.ibm.com>

[PATCH 3/3] integrity: Remove EXPERIMENTAL from Kconfig

[Eric Snowberg]

Remove the EXPERIMENTAL from the
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig
now that digitalSignature usage enforcement is set.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/ima/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 684425936c53..225c92052a4d 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -261,7 +261,7 @@ config IMA_TRUSTED_KEYRING
 	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
 
 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
+	bool "Permit keys validly signed by a built-in or secondary CA cert"
 	depends on SYSTEM_TRUSTED_KEYRING
 	depends on SECONDARY_TRUSTED_KEYRING
 	depends on INTEGRITY_ASYMMETRIC_KEYS
-- 
2.27.0

Re: [PATCH 3/3] integrity: Remove EXPERIMENTAL from Kconfig

[Jarkko Sakkinen]

On Tue May 9, 2023 at 1:07 AM EEST, Eric Snowberg wrote:
> Remove the EXPERIMENTAL from the
> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig
> now that digitalSignature usage enforcement is set.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
>  security/integrity/ima/Kconfig | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 684425936c53..225c92052a4d 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -261,7 +261,7 @@ config IMA_TRUSTED_KEYRING
>  	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
>  
>  config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
> -	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
> +	bool "Permit keys validly signed by a built-in or secondary CA cert"
>  	depends on SYSTEM_TRUSTED_KEYRING
>  	depends on SECONDARY_TRUSTED_KEYRING
>  	depends on INTEGRITY_ASYMMETRIC_KEYS
> -- 
> 2.27.0

Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko

Re: [PATCH 3/3] integrity: Remove EXPERIMENTAL from Kconfig

[Mimi Zohar]

On Mon, 2023-05-08 at 18:07 -0400, Eric Snowberg wrote:
> Remove the EXPERIMENTAL from the
> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig
> now that digitalSignature usage enforcement is set.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Re: [PATCH 0/3] Add digitalSignature enforcement keyring restrictions

[Jarkko Sakkinen]

On Tue May 9, 2023 at 1:07 AM EEST, Eric Snowberg wrote:
> X.509 certificates may contain a key usage extension [1]. The key usage
> extension defines the purpose of the certificate. One area of
> interest is the digitalSignature. The digitalSignature usage is
> typically used for code signing (integrity). 
>
> Within the "Add CA enforcement key restrictions" [2] series, the
> digitalSignature is being saved.  This series builds upon the previous
> one and adds restrictions based on the digitalSignature usage.  
>
> A new keyring restriction called restrict_link_by_digsig is added. The new
> restriction only allows keys that contain digitalSignature usage within
> it.
>
> The first two keyrings to use this restriction are the .ima and .evm
> keyrings.  With this update, only keys containing a digitalSignature 
> will be allowed in either keyring.

... and disallowed if not (for completeness)?

Maybe you want to say that "With this update, keys can be filtered based
on digitalSignature"?

I know, it is only cover letter, not a big deal...

>
> 1. https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
> 2. https://lore.kernel.org/all/20230329220231.h6afgarrvdlwwdjc@kernel.org/T/
>
> Eric Snowberg (3):
>   KEYS: DigitalSignature link restriction
>   integrity: Enforce digitalSignature usage in the ima and evm keyrings
>   integrity: Remove EXPERIMENTAL from Kconfig
>
>  certs/system_keyring.c            | 52 +++++++++++++++++++++++++++++++
>  crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++
>  include/crypto/public_key.h       | 11 +++++++
>  include/keys/system_keyring.h     | 11 +++++++
>  security/integrity/digsig.c       |  4 +--
>  security/integrity/evm/Kconfig    |  3 +-
>  security/integrity/ima/Kconfig    |  5 +--
>  7 files changed, 125 insertions(+), 5 deletions(-)
>
>
> base-commit: ac9a78681b921877518763ba0e89202254349d1b
> -- 
> 2.27.0


BR, Jarkko