[PATCH v2 06/10] KEYS: Introduce keyring restriction that validates ca trust
From: Eric Snowberg
Date: Wed Dec 07 2022 - 12:13:45 EST
The current keyring restrictions validate if a key can be vouched for by
another key already contained in a keyring. Add a new restriction called
restrict_link_by_ca_and_signature that both vouches for the new key and
validates the vouching key is an endorsed certificate authority.
Two new system keyring restrictions are added to use
restrict_link_by_ca_and_signature. The first restriction called
restrict_link_by_ca_builtin_trusted uses the builtin_trusted_keys as
the restricted keyring. The second system keyring restriction called
restrict_link_by_ca_builtin_and_secondary_trusted uses the
secondary_trusted_keys as the restricted keyring. Should the machine
keyring be defined, it shall be validated too, since it is linked to
the secondary_trusted_keys keyring.
Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
---
certs/system_keyring.c | 18 ++++++++++++++
crypto/asymmetric_keys/restrict.c | 41 +++++++++++++++++++++++++++++++
include/crypto/public_key.h | 5 ++++
include/keys/system_keyring.h | 12 ++++++++-
4 files changed, 75 insertions(+), 1 deletion(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 250148298690..af5094ce9bcb 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -51,6 +51,14 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
builtin_trusted_keys);
}
+int restrict_link_by_ca_builtin_trusted(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused)
+{
+ return restrict_link_by_ca_and_signature(dest_keyring, type, payload,
+ builtin_trusted_keys);
+}
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/**
* restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
@@ -83,6 +91,16 @@ int restrict_link_by_builtin_and_secondary_trusted(
secondary_trusted_keys);
}
+int restrict_link_by_ca_builtin_and_secondary_trusted(
+ struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused)
+{
+ return restrict_link_by_ca_and_signature(dest_keyring, type, payload,
+ secondary_trusted_keys);
+}
+
/*
* Allocate a struct key_restriction for the "builtin and secondary trust"
* keyring. Only for use in system_trusted_keyring_init().
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b1ac5f5896a..005cb28969e4 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -108,6 +108,47 @@ int restrict_link_by_signature(struct key *dest_keyring,
return ret;
}
+int restrict_link_by_ca_and_signature(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trust_keyring)
+{
+ const struct public_key_signature *sig;
+ struct key *key;
+ int ret;
+
+ if (!trust_keyring)
+ return -ENOKEY;
+
+ if (type != &key_type_asymmetric)
+ return -EOPNOTSUPP;
+
+ sig = payload->data[asym_auth];
+ if (!sig)
+ return -ENOPKG;
+ if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2])
+ return -ENOKEY;
+
+ if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
+ return -EPERM;
+
+ /* See if we have a key that signed this one. */
+ key = find_asymmetric_key(trust_keyring,
+ sig->auth_ids[0], sig->auth_ids[1],
+ sig->auth_ids[2], false);
+ if (IS_ERR(key))
+ return -ENOKEY;
+
+ if (!test_bit(KEY_FLAG_ECA, &key->flags))
+ ret = -ENOKEY;
+ else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+ ret = -ENOKEY;
+ else
+ ret = verify_signature(key, sig);
+ key_put(key);
+ return ret;
+}
+
static bool match_either_id(const struct asymmetric_key_id **pair,
const struct asymmetric_key_id *single)
{
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 6d61695e1cde..e51bbc5ffe17 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -71,6 +71,11 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
const union key_payload *payload,
struct key *trusted);
+extern int restrict_link_by_ca_and_signature(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused);
+
extern int query_asymmetric_key(const struct kernel_pkey_params *,
struct kernel_pkey_query *);
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 91e080efb918..4e94bf72b998 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -24,9 +24,13 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
const union key_payload *payload,
struct key *restriction_key);
extern __init int load_module_cert(struct key *keyring);
-
+extern int restrict_link_by_ca_builtin_trusted(struct key *keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *unused);
#else
#define restrict_link_by_builtin_trusted restrict_link_reject
+#define restrict_link_by_ca_builtin_trusted restrict_link_reject
static inline __init int load_module_cert(struct key *keyring)
{
@@ -41,8 +45,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+extern int restrict_link_by_ca_builtin_and_secondary_trusted(
+ struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *restrict_key);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+#define restrict_link_by_ca_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
--
2.27.0