From: Eric Snowberg <eric.snowberg@oracle.com>
To: linux-security-module@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
ardb@kernel.org, jarkko@kernel.org, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com,
roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
mic@digikod.net, casey@schaufler-ca.com, stefanb@linux.ibm.com,
eric.snowberg@oracle.com, ebiggers@kernel.org,
rdunlap@infradead.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org
Subject: [RFC PATCH v2 1/8] certs: Introduce ability to link to a system key
Date: Thu, 30 May 2024 18:39:38 -0600
Message-ID: <20240531003945.44594-2-eric.snowberg@oracle.com>
In-Reply-To: <20240531003945.44594-1-eric.snowberg@oracle.com>
Introduce a new function to allow a keyring to link to a key contained
within one of the system keyrings (builtin, secondary, or platform).
Depending on how the kernel is built, if the machine keyring is
available, it will be checked as well, since it is linked to the secondary
keyring. If the asymmetric key id matches a key within one of these
system keyrings, the matching key is linked into the passed in
keyring.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
certs/system_keyring.c | 31 +++++++++++++++++++++++++++++++
include/keys/system_keyring.h | 7 ++++++-
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..94e47b6b3333 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -426,3 +426,34 @@ void __init set_platform_trusted_keys(struct key *keyring)
platform_trusted_keys = keyring;
}
#endif
+
+/**
+ * system_key_link - Link to a system key
+ * @keyring: The keyring to link into
+ * @id: The asymmetric key id to look for in the system keyring
+ */
+int system_key_link(struct key *keyring, struct asymmetric_key_id *id)
+{
+ struct key *system_keyring;
+ struct key *key;
+
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ system_keyring = secondary_trusted_keys;
+#else
+ system_keyring = builtin_trusted_keys;
+#endif
+
+ key = find_asymmetric_key(system_keyring, id, NULL, NULL, false);
+ if (!IS_ERR(key))
+ goto found;
+
+ key = find_asymmetric_key(platform_trusted_keys, id, NULL, NULL, false);
+ if (!IS_ERR(key))
+ goto found;
+
+ return -ENOKEY;
+
+found:
+ key_link(keyring, key);
+ return 0;
+}
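Review bot: at the `found:` label the int returned by key_link() is dropped and the function reports 0 even if the link into @keyring failed, and the reference that find_asymmetric_key() handed back in `key` is never released. Suggest replacing the two lines after `found:` with `ret = key_link(keyring, key); key_put(key); return ret;` and declaring `int ret`. Separately, `platform_trusted_keys` is dereferenced unconditionally by the second find_asymmetric_key() call; the `#endif` directly above this hunk shows the surrounding platform-keyring code is config-guarded, so this lookup needs the same guard (and a NULL keyring must not be passed to find_asymmetric_key()). The kernel-doc block should also gain a `Return:` line (0 on success, -ENOKEY when no system keyring holds @id), and `id` can be `const struct asymmetric_key_id *` since it is only passed through to find_asymmetric_key().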
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 8365adf842ef..b47ac8e2001a 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -9,6 +9,7 @@
#define _KEYS_SYSTEM_KEYRING_H
#include <linux/key.h>
+struct asymmetric_key_id;
enum blacklist_hash_type {
/* TBSCertificate hash */
@@ -28,7 +29,7 @@ int restrict_link_by_digsig_builtin(struct key *dest_keyring,
const union key_payload *payload,
struct key *restriction_key);
extern __init int load_module_cert(struct key *keyring);
-
+extern int system_key_link(struct key *keyring, struct asymmetric_key_id *id);
#else
#define restrict_link_by_builtin_trusted restrict_link_reject
#define restrict_link_by_digsig_builtin restrict_link_reject
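Review bot: the `-` line removes the blank line that separated the `extern` declarations from `#else`, so this hunk carries an unrelated whitespace change alongside the new `system_key_link` prototype; keeping the blank line (adding the declaration above it) leaves the diff limited to the intended addition.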
@@ -38,6 +39,10 @@ static inline __init int load_module_cert(struct key *keyring)
return 0;
}
+static inline int system_key_link(struct key *keyring, struct asymmetric_key_id *id)
+{
+ return 0;
+}
#endif
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
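Review bot: the `!CONFIG_SYSTEM_TRUSTED_KEYRING` stub of system_key_link() returns 0, i.e. reports success, although no key can have been linked, while the real implementation in certs/system_keyring.c returns -ENOKEY when no matching key is found; a caller on such a kernel would proceed as if the requested key were now present in its keyring. Returning -ENOKEY from the stub keeps both builds consistent. The `load_module_cert` stub above it returning 0 is a different case, since loading no certificates is a legitimate no-op, whereas here the caller asked for one specific key id.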
--
2.43.0
Thread overview: 17+ messages
2024-05-31 0:39 [RFC PATCH v2 0/8] Clavis LSM Eric Snowberg
2024-05-31 0:39 ` Eric Snowberg [this message]
2024-06-04 18:08 ` [RFC PATCH v2 1/8] certs: Introduce ability to link to a system key Jarkko Sakkinen
2024-06-05 20:36 ` Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 2/8] clavis: Introduce a new system keyring called clavis Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 3/8] efi: Make clavis boot param persist across kexec Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 4/8] clavis: Prevent clavis boot param from changing during kexec Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 5/8] keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE) Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 6/8] keys: Add ability to track intended usage of the public key Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 7/8] clavis: Introduce a new key type called clavis_key_acl Eric Snowberg
2024-05-31 0:39 ` [RFC PATCH v2 8/8] clavis: Introduce new LSM called clavis Eric Snowberg
2024-06-11 2:33 ` Randy Dunlap
2024-06-11 14:36 ` Eric Snowberg
2024-06-04 17:59 ` [RFC PATCH v2 0/8] Clavis LSM Jarkko Sakkinen
2024-06-05 20:41 ` Eric Snowberg
2024-06-19 15:22 ` Mimi Zohar
2024-06-20 20:18 ` Eric Snowberg