[PATCH 0/4] Add CA enforcement in the machine keyring
From: Eric Snowberg
Date: Tue Mar 01 2022 - 12:39:50 EST
A key added to the IMA keyring must be signed by a key contained in either the
built-in trusted or secondary trusted keyring. IMA also requires these keys
to be a CA. The only option for an end-user to add their own CA is to compile
it into the kernel themselves or to use the insert-sys-cert. Many end-users
do not want to compile their own kernels. With the insert-sys-cert option,
there are missing upstream changes.
Currently, all Machine Owner Keys (MOK) load into the machine keyring. Add
a new Kconfig option to only allow CA keys into the machine keyring. When
compiled with the new INTEGRITY_MACHINE_KEYRING_CA_ENFORCED Kconfig, non CA
keys will load into the platform keyring instead. This will allow the end-
user to enroll their own CA key into the machine keyring for use with IMA.
These patches are based on Jarkko's linux-tpmdd tree.
git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
Eric Snowberg (4):
KEYS: Create static version of public_key_verify_signature
X.509: Parse Basic Constraints for CA
KEYS: CA link restriction
integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
certs/system_keyring.c | 9 ++--
crypto/asymmetric_keys/restrict.c | 43 +++++++++++++++++++
crypto/asymmetric_keys/x509_cert_parser.c | 9 ++++
include/crypto/public_key.h | 25 +++++++++++
include/keys/system_keyring.h | 3 +-
security/integrity/Kconfig | 21 +++++++++
security/integrity/Makefile | 1 +
security/integrity/digsig.c | 14 ++++--
security/integrity/integrity.h | 3 +-
.../platform_certs/keyring_handler.c | 4 +-
10 files changed, 123 insertions(+), 9 deletions(-)
base-commit: c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1
--
2.27.0