From: Eric Snowberg <eric.snowberg@oracle.com>
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	dmitry.kasatkin@gmail.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
	noodles@fb.com, tiwai@suse.de, bp@suse.de,
	eric.snowberg@oracle.com, kanth.ghatraju@oracle.com,
	konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com,
	coxu@redhat.com, keyrings@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v2 05/10] KEYS: Introduce a CA endorsed flag
Date: Wed,  7 Dec 2022 12:12:33 -0500
Message-ID: <20221207171238.2945307-6-eric.snowberg@oracle.com>
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>

Some subsystems are interested in knowing if a key has been endorsed
as a Certificate Authority (CA). From the data contained in struct
key, it is not possible to make this determination after the key
parsing is complete.  Introduce a new Endorsed Certificate Authority
flag called KEY_FLAG_ECA.

The first type of key to use this is X.509.  When an X.509 certificate
is self signed, has the keyCertSign Key Usage set and contains the
CA bit set, this new flag is set. In the future, other usage fields
could be added as flags, i.e. digitalSignature.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 crypto/asymmetric_keys/x509_public_key.c | 3 +++
 include/linux/key-type.h                 | 2 ++
 include/linux/key.h                      | 2 ++
 security/keys/key.c                      | 8 ++++++++
 4 files changed, 15 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 0b4943a4592b..64cffedc4dd0 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 		goto error_free_kids;
 	}
 
+	if (cert->kcs_set && cert->self_signed && cert->root_ca)
+		prep->payload_flags |= KEY_ALLOC_PECA;
+
 	/* We're pinning the module by being linked against it */
 	__module_get(public_key_subtype.owner);
 	prep->payload.data[asym_subtype] = &public_key_subtype;
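
Review bot: The new condition in x509_key_preparse() has no comment, and `kcs_set` does not read as "keyCertSign Key Usage" without the commit message next to it. A one-line comment above `if (cert->kcs_set && cert->self_signed && cert->root_ca)` naming the three criteria (keyCertSign, self-signed, CA bit) would make the endorsement rule auditable in place. Since this test is what grants the endorsement, the comment or the changelog should also say whether `self_signed` means the self-signature was verified or only that issuer and subject match.
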
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 7d985a1dfe4a..0b500578441c 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -36,6 +36,8 @@ struct key_preparsed_payload {
 	size_t		datalen;	/* Raw datalen */
 	size_t		quotalen;	/* Quota length for proposed payload */
 	time64_t	expiry;		/* Expiry time of key */
+	unsigned int	payload_flags;  /* Proposed payload flags */
+#define KEY_ALLOC_PECA	0x0001		/* Proposed Endorsed CA (ECA) key */
 } __randomize_layout;
 
 typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
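
Review bot: KEY_ALLOC_PECA in struct key_preparsed_payload borrows the KEY_ALLOC_ prefix used for key_alloc() flags in key.h, yet it lives in `payload_flags` and has a different value (0x0001 here, against 0x0040 for KEY_ALLOC_ECA). The two are easy to mix up, and a mix-up would compile cleanly. A prefix tied to the preparse structure would keep the two bit spaces apart, and the `payload_flags` comment could state that the field is written only by the key type's preparse op and must start at zero.
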
diff --git a/include/linux/key.h b/include/linux/key.h
index d27477faf00d..21d5a13ee4a9 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -236,6 +236,7 @@ struct key {
 #define KEY_FLAG_ROOT_CAN_INVAL	7	/* set if key can be invalidated by root without permission */
 #define KEY_FLAG_KEEP		8	/* set if key should not be removed */
 #define KEY_FLAG_UID_KEYRING	9	/* set if key is a user or user session keyring */
+#define KEY_FLAG_ECA		10	/* set if key is an Endorsed CA key */
 
 	/* the key type and key description string
 	 * - the desc is used to match a key against search criteria
@@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type,
 #define KEY_ALLOC_BYPASS_RESTRICTION	0x0008	/* Override the check on restricted keyrings */
 #define KEY_ALLOC_UID_KEYRING		0x0010	/* allocating a user or user session keyring */
 #define KEY_ALLOC_SET_KEEP		0x0020	/* Set the KEEP flag on the key/keyring */
+#define KEY_ALLOC_ECA			0x0040	/* Add Endorsed CA key */
 
 extern void key_revoke(struct key *key);
 extern void key_invalidate(struct key *key);
diff --git a/security/keys/key.c b/security/keys/key.c
index c45afdd1dfbb..e6b4946aca70 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 		key->flags |= 1 << KEY_FLAG_UID_KEYRING;
 	if (flags & KEY_ALLOC_SET_KEEP)
 		key->flags |= 1 << KEY_FLAG_KEEP;
+	if (flags & KEY_ALLOC_ECA)
+		key->flags |= 1 << KEY_FLAG_ECA;
 
 #ifdef KEY_DEBUGGING
 	key->magic = KEY_DEBUG_MAGIC;
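
Review bot: In key_alloc(), `if (flags & KEY_ALLOC_ECA)` sets KEY_FLAG_ECA for any caller that passes the flag, so the "only set by preparser contents" rule stated in the next hunk holds only for keys that arrive through key_create_or_update(). Because KEY_ALLOC_ECA is defined in include/linux/key.h beside the other public allocation flags, nothing in this patch stops another in-kernel caller of key_alloc() from marking a key as an endorsed CA without any certificate check. Consider keeping the flag out of the public KEY_ALLOC_ set and setting KEY_FLAG_ECA directly in key_create_or_update() after allocation, or at minimum documenting at the define that callers must not pass it.
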
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
 			perm |= KEY_POS_WRITE;
 	}
 
+	/* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */
+	if (prep.payload_flags & KEY_ALLOC_PECA)
+		flags |= KEY_ALLOC_ECA;
+	else
+		flags &= ~KEY_ALLOC_ECA;
+
 	/* allocate a new key */
 	key = key_alloc(index_key.type, index_key.description,
 			cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
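
Review bot: The PECA-to-ECA translation in key_create_or_update() sits immediately before "allocate a new key", so it only affects newly created keys; the comment should say so, and say what happens to KEY_FLAG_ECA when the function takes its update path instead. Clearing a caller-supplied KEY_ALLOC_ECA in the `else` branch is the right default. The changelog should also state whether any other path that instantiates a key from a preparsed payload needs the same handling, since this diff touches only this one.
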
-- 
2.27.0

