[PATCH v3 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca

From: Eric Snowberg
Date: Tue Dec 13 2022 - 19:35:18 EST


Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to
restrict_link_by_ca. This will only allow CA keys into the machine
keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
---
security/integrity/Kconfig | 10 ++++++++++
security/integrity/digsig.c | 8 ++++++--
2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 14cc3c767270..3357883fa5a8 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING
in the platform keyring, keys contained in the .machine keyring will
be trusted within the kernel.

+config INTEGRITY_CA_MACHINE_KEYRING
+ bool "Only allow CA keys into the Machine Keyring"
+ depends on INTEGRITY_MACHINE_KEYRING
+ help
+ If set, only Machine Owner Keys (MOK) that are Certificate
+ Authority (CA) keys will be added to the .machine keyring. All
+ other MOK keys will be added to the .platform keyring. After
+ booting, any other key signed by the CA key can be added to the
+ secondary_trusted_keys keyring.
+
config LOAD_UEFI_KEYS
depends on INTEGRITY_PLATFORM_KEYRING
depends on EFI
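Review bot: the help text states that "all other MOK keys will be added to the .platform keyring", but nothing in this patch implements that fallback; if an earlier patch in the series does, the commit message should say so, otherwise an administrator enabling this option will expect non-CA MOK keys to reach .platform and find they are simply rejected. It would also help to state in the help text what qualifies a MOK as a CA key, since that is exactly what restrict_link_by_ca (selected in the digsig.c change) will enforce and is the criterion an existing MOK must meet to keep landing in .machine.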
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 1fe8d1ed6e0b..b0ec615745e3 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id)
| KEY_USR_READ | KEY_USR_SEARCH;

if (id == INTEGRITY_KEYRING_PLATFORM ||
- id == INTEGRITY_KEYRING_MACHINE) {
+ (id == INTEGRITY_KEYRING_MACHINE &&
+ !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) {
restriction = NULL;
goto out;
}
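Review bot: the combined condition now encodes two different outcomes for INTEGRITY_KEYRING_MACHINE (no restriction when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is off, fall through to allocate a restriction when it is on), and that is hard to read from the nested `||`/`&&` alone. A short comment above the `if` saying that .machine only falls through to get a restriction when the CA-only option is enabled would make the intent explicit and tie this hunk to the `restriction->check` selection later in the function.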
@@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id)
if (!restriction)
return -ENOMEM;

- restriction->check = restrict_link_to_ima;
+ if (id == INTEGRITY_KEYRING_MACHINE)
+ restriction->check = restrict_link_by_ca;
+ else
+ restriction->check = restrict_link_to_ima;

/*
* MOK keys can only be added through a read-only runtime services
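Review bot: the `id == INTEGRITY_KEYRING_MACHINE` branch here is only reachable when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is enabled, but that is established by the earlier early-return and is not visible at this point; a comment stating that assumption would prevent a later change to the early-return from silently altering which keyring gets `restrict_link_by_ca`. Please also confirm that `restrict_link_by_ca` is built in every configuration where INTEGRITY_MACHINE_KEYRING can be selected, or express that as a dependency in the Kconfig hunk, since the reference is now unconditional for the machine keyring path.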
--
2.27.0