From: Eric Snowberg <eric.snowberg@oracle.com>
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
dmitry.kasatkin@gmail.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
noodles@fb.com, tiwai@suse.de, bp@suse.de,
eric.snowberg@oracle.com, kanth.ghatraju@oracle.com,
konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com,
coxu@redhat.com, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed
Date: Wed, 7 Dec 2022 12:12:35 -0500 [thread overview]
Message-ID: <20221207171238.2945307-8-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>
Currently X.509 Intermediate CA certs do not have the endorsed CA
(KEY_FLAG_ECA) set. Allow intermediate CA certs to be added. Requirements
for an intermediate CA include: Usage extension defined as keyCertSign,
Basic Constrains for CA is false, and Intermediate CA cert is signed by a
current endorsed CA.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
crypto/asymmetric_keys/x509_public_key.c | 14 ++++++++++++--
include/linux/ima.h | 11 +++++++++++
include/linux/key-type.h | 1 +
security/keys/key.c | 5 +++++
4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 64cffedc4dd0..7a87d5c0c32b 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -208,8 +208,18 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
goto error_free_kids;
}
- if (cert->kcs_set && cert->self_signed && cert->root_ca)
- prep->payload_flags |= KEY_ALLOC_PECA;
+ if (cert->kcs_set) {
+ if (cert->self_signed && cert->root_ca)
+ prep->payload_flags |= KEY_ALLOC_PECA;
+ /*
+ * In this case it could be an Intermediate CA. Set
+ * KEY_MAYBE_PECA for now. If the restriction check
+ * passes later, the key will be allocated with the
+ * correct CA flag
+ */
+ else if (!cert->self_signed && !cert->root_ca)
+ prep->payload_flags |= KEY_MAYBE_PECA;
+ }
/* We're pinning the module by being linked against it */
__module_get(public_key_subtype.owner);
diff --git a/include/linux/ima.h b/include/linux/ima.h
index 81708ca0ebc7..6597081b6b1a 100644
--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -12,6 +12,7 @@
#include <linux/security.h>
#include <linux/kexec.h>
#include <crypto/hash_info.h>
+#include <keys/system_keyring.h>
struct linux_binprm;
#ifdef CONFIG_IMA
@@ -181,6 +182,16 @@ static inline void ima_post_key_create_or_update(struct key *keyring,
bool create) {}
#endif /* CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS */
+#ifdef CONFIG_ASYMMETRIC_KEY_TYPE
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+#define ima_validate_builtin_ca restrict_link_by_ca_builtin_and_secondary_trusted
+#else
+#define ima_validate_builtin_ca restrict_link_by_ca_builtin_trusted
+#endif
+#else
+#define ima_validate_builtin_ca restrict_link_reject
+#endif
+
#ifdef CONFIG_IMA_APPRAISE
extern bool is_ima_appraise_enabled(void);
extern void ima_inode_post_setattr(struct user_namespace *mnt_userns,
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 0b500578441c..0d2f95f6b8a1 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -38,6 +38,7 @@ struct key_preparsed_payload {
time64_t expiry; /* Expiry time of key */
unsigned int payload_flags; /* Proposed payload flags */
#define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */
+#define KEY_MAYBE_PECA 0x0002 /* Proposed possible ECA key */
} __randomize_layout;
typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
diff --git a/security/keys/key.c b/security/keys/key.c
index e6b4946aca70..69d5f143683f 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -900,6 +900,11 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
}
}
+ /* Previous restriction check passed therefore try to validate endorsed ca */
+ if ((prep.payload_flags & KEY_MAYBE_PECA) &&
+ !(ima_validate_builtin_ca(keyring, index_key.type, &prep.payload, NULL)))
+ prep.payload_flags |= KEY_ALLOC_PECA;
+
/* if we're going to allocate a new key, we're going to have
* to modify the keyring */
ret = key_permission(keyring_ref, KEY_NEED_WRITE);
--
2.27.0
next prev parent reply other threads:[~2022-12-07 17:13 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-07 17:12 [PATCH v2 00/10] Add CA enforcement keyring restrictions Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 01/10] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2022-12-07 17:52 ` Petr Vorel
2022-12-07 17:12 ` [PATCH v2 02/10] KEYS: Add missing function documentation Eric Snowberg
2022-12-08 5:22 ` Petr Vorel
2022-12-07 17:12 ` [PATCH v2 03/10] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 04/10] KEYS: X.509: Parse Key Usage Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 05/10] KEYS: Introduce a CA endorsed flag Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 06/10] KEYS: Introduce keyring restriction that validates ca trust Eric Snowberg
2022-12-07 17:12 ` Eric Snowberg [this message]
2022-12-07 17:12 ` [PATCH v2 08/10] integrity: Use root of trust signature restriction Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 09/10] KEYS: CA link restriction Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2022-12-09 10:26 ` [PATCH v2 00/10] Add CA enforcement keyring restrictions Coiby Xu
2022-12-09 15:44 ` Eric Snowberg
2022-12-12 21:44 ` Mimi Zohar
2022-12-13 2:41 ` Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221207171238.2945307-8-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=bp@suse.de \
--cc=coxu@redhat.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=erpalmer@linux.vnet.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kanth.ghatraju@oracle.com \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=noodles@fb.com \
--cc=paul@paul-moore.com \
--cc=pvorel@suse.cz \
--cc=serge@hallyn.com \
--cc=tiwai@suse.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).