Re: [RFC PATCH 00/15] KEYS: Restrict additions to 'trusted' keyrings

[Mimi Zohar <zohar@linux.vnet.ibm.com>]

On Fri, 2016-01-08 at 18:33 +0000, David Howells wrote:
> Here's a set of patches that changes how keys are determined to be trusted
> - currently, that's a case of whether a key has KEY_FLAG_TRUSTED set upon
> it.  A keyring can then have a flag set (KEY_FLAG_TRUSTED ONLY) that
> indicates that only keys with this flag set may be added to that keyring.
> 
> Further, any time an X.509 certificate is instantiated without this flag
> set, the certificate is judged against the contents of the system trusted
> keyring to determine whether KEY_FLAG_TRUSTED should be set upon it.
> 
> With these patches, KEY_FLAG_TRUSTED and KEY_FLAG_TRUSTED_ONLY are removed.
> 
> The kernel may add implicitly trusted keys to a trusted-only keyring by
> asserting KEY_ALLOC_BYPASS_RESTRICTION when the key is created, but
> otherwise the key will only be allowed to be added to the keyring if it can
> be verified.  The system trusted keyring is not then special in this sense
> and other trusted keyrings can be set up that are wholly independent of it.

In order to have a certificate chain of trust on any of these trusted
keyrings, the system keyring needs to be special.  Even if we permit
transitive trust, meaning keys on a keyring can be used to validate
other keys being added to the same keyring, the first key added to a
trusted keyring needs to be vetted against something.  That something
needs to be the builtin keys on the system keyring.

Mimi 

> Each keyring can be given a vetting function that allows it to reject
> attempts to add keys to that keyring based on the type and payload of the
> new key.  This can be set separately for each keyring.
> 
> To make this work, we have to retain sufficient data from the X.509
> certificate that we can then verify the signature at need.
> 
> The patches can be found here also:
> 
> 	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-trust
> 
> and are tagged with:
> 
> 	keys-trust-20160108
> 
> David
> ---
> David Howells (15):
>       X.509: Partially revert patch to add validation against IMA MOK keyring
>       X.509: Don't treat self-signed keys specially
>       KEYS: Generalise system_verify_data() to provide access to internal content
>       PKCS#7: Make trust determination dependent on contents of trust keyring
>       KEYS: Add an alloc flag to convey the builtinness of a key
>       KEYS: Add a facility to restrict new links into a keyring
>       KEYS: Allow authentication data to be stored in an asymmetric key
>       KEYS: Add identifier pointers to public_key_signature struct
>       X.509: Retain the key verification data
>       X.509: Extract signature digest and make self-signed cert checks earlier
>       PKCS#7: Make the signature a pointer rather than embedding it
>       X.509: Move the trust validation code out to its own file
>       KEYS: Generalise x509_request_asymmetric_key()
>       KEYS: Move the point of trust determination to __key_link()
>       KEYS: Remove KEY_FLAG_TRUSTED
> 
> 
>  Documentation/security/keys.txt           |   14 +
>  arch/x86/kernel/kexec-bzimage64.c         |   18 --
>  certs/system_keyring.c                    |   72 +++++--
>  crypto/asymmetric_keys/Kconfig            |    1 
>  crypto/asymmetric_keys/Makefile           |    2 
>  crypto/asymmetric_keys/asymmetric_keys.h  |    2 
>  crypto/asymmetric_keys/asymmetric_type.c  |    7 -
>  crypto/asymmetric_keys/mscode_parser.c    |   21 +-
>  crypto/asymmetric_keys/pkcs7_key_type.c   |   64 +++---
>  crypto/asymmetric_keys/pkcs7_parser.c     |   59 +++---
>  crypto/asymmetric_keys/pkcs7_parser.h     |   11 -
>  crypto/asymmetric_keys/pkcs7_trust.c      |   44 ++--
>  crypto/asymmetric_keys/pkcs7_verify.c     |  109 ++++------
>  crypto/asymmetric_keys/public_key.c       |   24 ++
>  crypto/asymmetric_keys/public_key.h       |    6 +
>  crypto/asymmetric_keys/public_key_trust.c |  206 ++++++++++++++++++++
>  crypto/asymmetric_keys/verify_pefile.c    |   40 +---
>  crypto/asymmetric_keys/verify_pefile.h    |    5 
>  crypto/asymmetric_keys/x509_cert_parser.c |   51 +++--
>  crypto/asymmetric_keys/x509_parser.h      |   12 -
>  crypto/asymmetric_keys/x509_public_key.c  |  304 ++++++++---------------------
>  fs/cifs/cifsacl.c                         |    2 
>  fs/nfs/nfs4idmap.c                        |    2 
>  include/crypto/pkcs7.h                    |    6 -
>  include/crypto/public_key.h               |   35 +--
>  include/keys/asymmetric-subtype.h         |    2 
>  include/keys/asymmetric-type.h            |    8 -
>  include/keys/system_keyring.h             |   20 --
>  include/linux/key.h                       |   40 +++-
>  include/linux/verification.h              |   49 +++++
>  include/linux/verify_pefile.h             |   22 --
>  kernel/module_signing.c                   |    7 -
>  net/dns_resolver/dns_key.c                |    2 
>  net/rxrpc/ar-key.c                        |    4 
>  security/integrity/digsig.c               |   34 +++
>  security/integrity/digsig_asymmetric.c    |    5 
>  security/integrity/ima/ima_mok.c          |    9 -
>  security/keys/key.c                       |   43 +++-
>  security/keys/keyring.c                   |   26 ++
>  security/keys/persistent.c                |    4 
>  security/keys/process_keys.c              |   16 +-
>  security/keys/request_key.c               |    4 
>  security/keys/request_key_auth.c          |    2 
>  43 files changed, 804 insertions(+), 610 deletions(-)
>  create mode 100644 crypto/asymmetric_keys/public_key_trust.c
>  create mode 100644 include/linux/verification.h
>  delete mode 100644 include/linux/verify_pefile.h
>