Re: [RFC PATCH 00/15] KEYS: Restrict additions to 'trusted' keyrings

From: Mimi Zohar
Date: Fri Jan 08 2016 - 13:55:30 EST


On Fri, 2016-01-08 at 18:33 +0000, David Howells wrote:
> Here's a set of patches that changes how keys are determined to be trusted
> - currently, that's a case of whether a key has KEY_FLAG_TRUSTED set upon
> it. A keyring can then have a flag set (KEY_FLAG_TRUSTED ONLY) that
> indicates that only keys with this flag set may be added to that keyring.
>
> Further, any time an X.509 certificate is instantiated without this flag
> set, the certificate is judged against the contents of the system trusted
> keyring to determine whether KEY_FLAG_TRUSTED should be set upon it.
>
> With these patches, KEY_FLAG_TRUSTED and KEY_FLAG_TRUSTED_ONLY are removed.
>
> The kernel may add implicitly trusted keys to a trusted-only keyring by
> asserting KEY_ALLOC_BYPASS_RESTRICTION when the key is created, but
> otherwise the key will only be allowed to be added to the keyring if it can
> be verified. The system trusted keyring is not then special in this sense
> and other trusted keyrings can be set up that are wholly independent of it.

In order to have a certificate chain of trust on any of these trusted
keyrings, the system keyring needs to be special. Even if we permit
transitive trust, meaning keys on a keyring can be used to validate
other keys being added to the same keyring, the first key added to a
trusted keyring needs to be vetted against something. That something
needs to be the builtin keys on the system keyring.

Mimi

> Each keyring can be given a vetting function that allows it to reject
> attempts to add keys to that keyring based on the type and payload of the
> new key. This can be set separately for each keyring.
>
> To make this work, we have to retain sufficient data from the X.509
> certificate that we can then verify the signature at need.
>
> The patches can be found here also:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-trust
>
> and are tagged with:
>
> keys-trust-20160108
>
> David
> ---
> David Howells (15):
> X.509: Partially revert patch to add validation against IMA MOK keyring
> X.509: Don't treat self-signed keys specially
> KEYS: Generalise system_verify_data() to provide access to internal content
> PKCS#7: Make trust determination dependent on contents of trust keyring
> KEYS: Add an alloc flag to convey the builtinness of a key
> KEYS: Add a facility to restrict new links into a keyring
> KEYS: Allow authentication data to be stored in an asymmetric key
> KEYS: Add identifier pointers to public_key_signature struct
> X.509: Retain the key verification data
> X.509: Extract signature digest and make self-signed cert checks earlier
> PKCS#7: Make the signature a pointer rather than embedding it
> X.509: Move the trust validation code out to its own file
> KEYS: Generalise x509_request_asymmetric_key()
> KEYS: Move the point of trust determination to __key_link()
> KEYS: Remove KEY_FLAG_TRUSTED
>
>
> Documentation/security/keys.txt | 14 +
> arch/x86/kernel/kexec-bzimage64.c | 18 --
> certs/system_keyring.c | 72 +++++--
> crypto/asymmetric_keys/Kconfig | 1
> crypto/asymmetric_keys/Makefile | 2
> crypto/asymmetric_keys/asymmetric_keys.h | 2
> crypto/asymmetric_keys/asymmetric_type.c | 7 -
> crypto/asymmetric_keys/mscode_parser.c | 21 +-
> crypto/asymmetric_keys/pkcs7_key_type.c | 64 +++---
> crypto/asymmetric_keys/pkcs7_parser.c | 59 +++---
> crypto/asymmetric_keys/pkcs7_parser.h | 11 -
> crypto/asymmetric_keys/pkcs7_trust.c | 44 ++--
> crypto/asymmetric_keys/pkcs7_verify.c | 109 ++++------
> crypto/asymmetric_keys/public_key.c | 24 ++
> crypto/asymmetric_keys/public_key.h | 6 +
> crypto/asymmetric_keys/public_key_trust.c | 206 ++++++++++++++++++++
> crypto/asymmetric_keys/verify_pefile.c | 40 +---
> crypto/asymmetric_keys/verify_pefile.h | 5
> crypto/asymmetric_keys/x509_cert_parser.c | 51 +++--
> crypto/asymmetric_keys/x509_parser.h | 12 -
> crypto/asymmetric_keys/x509_public_key.c | 304 ++++++++---------------------
> fs/cifs/cifsacl.c | 2
> fs/nfs/nfs4idmap.c | 2
> include/crypto/pkcs7.h | 6 -
> include/crypto/public_key.h | 35 +--
> include/keys/asymmetric-subtype.h | 2
> include/keys/asymmetric-type.h | 8 -
> include/keys/system_keyring.h | 20 --
> include/linux/key.h | 40 +++-
> include/linux/verification.h | 49 +++++
> include/linux/verify_pefile.h | 22 --
> kernel/module_signing.c | 7 -
> net/dns_resolver/dns_key.c | 2
> net/rxrpc/ar-key.c | 4
> security/integrity/digsig.c | 34 +++
> security/integrity/digsig_asymmetric.c | 5
> security/integrity/ima/ima_mok.c | 9 -
> security/keys/key.c | 43 +++-
> security/keys/keyring.c | 26 ++
> security/keys/persistent.c | 4
> security/keys/process_keys.c | 16 +-
> security/keys/request_key.c | 4
> security/keys/request_key_auth.c | 2
> 43 files changed, 804 insertions(+), 610 deletions(-)
> create mode 100644 crypto/asymmetric_keys/public_key_trust.c
> create mode 100644 include/linux/verification.h
> delete mode 100644 include/linux/verify_pefile.h
>