[PATCH v2 08/10] integrity: Use root of trust signature restriction

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Eric Snowberg <eric.snowberg@oracle.com>
To: jarkko@kernel.org, zohar@linux.ibm.com
Cc: dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	dmitry.kasatkin@gmail.com, paul@paul-moore.com,
	jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz,
	noodles@fb.com, tiwai@suse.de, bp@suse.de,
	eric.snowberg@oracle.com, kanth.ghatraju@oracle.com,
	konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com,
	coxu@redhat.com, keyrings@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [PATCH v2 08/10] integrity: Use root of trust signature restriction
Date: Wed,  7 Dec 2022 12:12:36 -0500	[thread overview]
Message-ID: <20221207171238.2945307-9-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20221207171238.2945307-1-eric.snowberg@oracle.com>

Keys added to the IMA keyring must be vouched for by keys contained
within the builtin or secondary keyrings.  These keys must also be self
signed, have the CA bit set and have the keyCertSign KeyUsage bit set.
Or they could be validated by a properly formed intermediate CA.
Currently these restrictions are not enforced. Use the new
restrict_link_by_ca_builtin_and_secondary_trusted and
restrict_link_by_ca_builtin_trusted to enforce the missing
CA restrictions when adding keys to the IMA keyring. With the
CA restrictions enforced, allow the machine keyring to be
enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 security/integrity/Kconfig     | 1 -
 security/integrity/digsig.c    | 4 ++--
 security/integrity/ima/Kconfig | 6 +++---
 3 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 599429f99f99..14cc3c767270 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -68,7 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
 	depends on INTEGRITY_ASYMMETRIC_KEYS
 	depends on SYSTEM_BLACKLIST_KEYRING
 	depends on LOAD_UEFI_KEYS
-	depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 	help
 	 If set, provide a keyring to which Machine Owner Keys (MOK) may
 	 be added. This keyring shall contain just MOK keys.  Unlike keys
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 8a82a6c7f48a..1fe8d1ed6e0b 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
 };
 
 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
+#define restrict_link_to_ima restrict_link_by_ca_builtin_and_secondary_trusted
 #else
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
+#define restrict_link_to_ima restrict_link_by_ca_builtin_trusted
 #endif
 
 static struct key *integrity_keyring_from_id(const unsigned int id)
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 7249f16257c7..6fe3bd0e5c82 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -269,13 +269,13 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 	default n
 	help
 	  Keys may be added to the IMA or IMA blacklist keyrings, if the
-	  key is validly signed by a CA cert in the system built-in or
-	  secondary trusted keyrings.
+	  key is validly signed by a CA cert in the system built-in,
+	  secondary trusted, or machine keyrings.
 
 	  Intermediate keys between those the kernel has compiled in and the
 	  IMA keys to be added may be added to the system secondary keyring,
 	  provided they are validly signed by a key already resident in the
-	  built-in or secondary trusted keyrings.
+	  built-in, secondary trusted or machine keyrings.
 
 config IMA_BLACKLIST_KEYRING
 	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
-- 
2.27.0

next prev parent reply	other threads:[~2022-12-07 17:13 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-07 17:12 [PATCH v2 00/10] Add CA enforcement keyring restrictions Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 01/10] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2022-12-07 17:52   ` Petr Vorel
2022-12-07 17:12 ` [PATCH v2 02/10] KEYS: Add missing function documentation Eric Snowberg
2022-12-08  5:22   ` Petr Vorel
2022-12-07 17:12 ` [PATCH v2 03/10] KEYS: X.509: Parse Basic Constraints for CA Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 04/10] KEYS: X.509: Parse Key Usage Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 05/10] KEYS: Introduce a CA endorsed flag Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 06/10] KEYS: Introduce keyring restriction that validates ca trust Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as endorsed Eric Snowberg
2022-12-07 17:12 ` Eric Snowberg [this message]
2022-12-07 17:12 ` [PATCH v2 09/10] KEYS: CA link restriction Eric Snowberg
2022-12-07 17:12 ` [PATCH v2 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2022-12-09 10:26 ` [PATCH v2 00/10] Add CA enforcement keyring restrictions Coiby Xu
2022-12-09 15:44   ` Eric Snowberg
2022-12-12 21:44     ` Mimi Zohar
2022-12-13  2:41       ` Eric Snowberg

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:599429f99f9 dfblob:14cc3c76727 dfblob:8a82a6c7f48
dfblob:1fe8d1ed6e0 dfblob:7249f16257c dfblob:6fe3bd0e5c8 )
 OR (
bs:"[PATCH v2 08/10] integrity: Use root of trust signature restriction" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221207171238.2945307-9-eric.snowberg@oracle.com \
    --to=eric.snowberg@oracle.com \
    --cc=bp@suse.de \
    --cc=coxu@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=erpalmer@linux.vnet.ibm.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=kanth.ghatraju@oracle.com \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=noodles@fb.com \
    --cc=paul@paul-moore.com \
    --cc=pvorel@suse.cz \
    --cc=serge@hallyn.com \
    --cc=tiwai@suse.de \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).