Message-ID: <20140612160346.GG9578@redhat.com>
Date: Thu, 12 Jun 2014 12:03:46 -0400
From: Vivek Goyal <vgoyal@...hat.com>
To: Dmitry Kasatkin <d.kasatkin@...sung.com>
Cc: zohar@...ux.vnet.ibm.com, dhowells@...hat.com, jwboyer@...hat.com,
keyrings@...ux-nfs.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, dmitry.kasatkin@...il.com,
mjg59@...f.ucam.org
Subject: Re: [PATCH 3/4] KEYS: validate key trust only with selected owner key
On Tue, Jun 10, 2014 at 11:48:17AM +0300, Dmitry Kasatkin wrote:
> This patch provides a kernel parameter to specify the owner's key id which
> must be used for trust validation of keys. Keys signed with other keys
> are not trusted.
>
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
Hi,
I am continuing to work on verifying the kernel signature for kexec/kdump. I
am planning to take David Howells' patches for pkcs7 signature
verification and verify the bzImage signature.
Part of that process will boil down to verifying a certificate in
pkcs7 x509 cert chain using a key in system_trusted_keyring.
I think the OS vendor key which signs the kernel signing key propagates to
system_trusted_keyring. (shim has that, and I am not sure how shim makes
it propagate all the way to system_trusted_keyring.)
So I was planning to use same functionality where I look for any key
which can verify the signing cert of kernel. As OS vendor key will be
in system_trusted_keyring, it should work.
Now with this change, you will trust only one selected owner key.
That means you will not even trust the OS vendor key which signs the kernel
signing key. I think this will stop working with keys_ownerid=<....>
As I am doing that work in parallel and I saw these patches, I thought
I will bring it up.
Thanks
Vivek
> ---
> crypto/asymmetric_keys/x509_public_key.c | 27 ++++++++--
> include/keys/owner_keyring.h | 27 ----------
> init/Kconfig | 10 ----
> kernel/Makefile | 1 -
> kernel/owner_keyring.c | 85 --------------------------------
> 5 files changed, 24 insertions(+), 126 deletions(-)
> delete mode 100644 include/keys/owner_keyring.h
> delete mode 100644 kernel/owner_keyring.c
>
> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index 962f9b9..d46b790 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -19,12 +19,24 @@
> #include <keys/asymmetric-subtype.h>
> #include <keys/asymmetric-parser.h>
> #include <keys/system_keyring.h>
> -#include <keys/owner_keyring.h>
> #include <crypto/hash.h>
> #include "asymmetric_keys.h"
> #include "public_key.h"
> #include "x509_parser.h"
>
> +static char *owner_keyid;
> +static int __init default_owner_keyid_set(char *str)
> +{
> + if (!str) /* default system keyring */
> + return 1;
> +
> + if (strncmp(str, "id:", 3) == 0)
> + owner_keyid = str; /* owner local key 'id:xxxxxx' */
> +
> + return 1;
> +}
> +__setup("keys_ownerid=", default_owner_keyid_set);
> +
> /*
> * Find a key in the given keyring by issuer and authority.
> */
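Review bot: `default_owner_keyid_set` accepts `keys_ownerid=id:` with nothing after the prefix and stores it, so the id part of `owner_keyid` can be empty; the suffix compare this value feeds in the `x509_validate_trust` hunk of the same file then gets `idlen == 0`, compares two empty strings and matches every authority, so the restriction silently disappears instead of rejecting keys. Require a non-empty id at parse time: `if (strncmp(str, "id:", 3) == 0 && str[3])`. A value that does not start with `id:` is also dropped without any message, which makes a mistyped boot parameter indistinguishable from the default of trusting the whole system keyring; a `pr_warn("keys_ownerid: ignoring malformed value '%s'\n", str);` on that path would make the fallback visible.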
> @@ -170,6 +182,16 @@ static int x509_validate_trust(struct x509_certificate *cert,
> if (!trust_keyring)
> return -EOPNOTSUPP;
>
> + if (owner_keyid) {
> + /* validate trust only with the owner_keyid if specified */
> + /* partial match of keyid according to the asymmetric_type.c */
> + int idlen = strlen(owner_keyid) - 3; /* - id: */
> + int authlen = strlen(cert->authority);
> + char *auth = cert->authority + authlen - idlen;
> + if (idlen > authlen || strcasecmp(owner_keyid + 3, auth))
> + return -EPERM;
> + }
> +
> key = x509_request_asymmetric_key(trust_keyring,
> cert->issuer, strlen(cert->issuer),
> cert->authority,
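Review bot: `auth` is formed as `cert->authority + authlen - idlen` before the `idlen > authlen` guard runs, so when the owner id is longer than the authority string the pointer is computed before the start of the string and only then discarded by the comparison; put the guard ahead of the arithmetic and drop the temporary: `if (idlen > authlen || strcasecmp(owner_keyid + 3, cert->authority + authlen - idlen))` followed by `return -EPERM;`. `idlen` and `authlen` hold `strlen()` results and are better declared `size_t` than `int`. Whether `cert->authority` can be NULL when this block is reached is not visible in the hunk; if the parser does not guarantee it, the `strlen(cert->authority)` needs a NULL check as well. x509_validate_trust begins and ends outside this hunk.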
> @@ -239,8 +261,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
> if (ret < 0)
> goto error_free_cert;
> } else if (!prep->trusted) {
> - ret = x509_validate_trust(cert,
> - get_system_or_owner_trusted_keyring());
> + ret = x509_validate_trust(cert, get_system_trusted_keyring());
> if (!ret)
> prep->trusted = 1;
> }
> diff --git a/include/keys/owner_keyring.h b/include/keys/owner_keyring.h
> deleted file mode 100644
> index 78dd09d..0000000
> --- a/include/keys/owner_keyring.h
> +++ /dev/null
> @@ -1,27 +0,0 @@
> -/*
> - * Copyright (C) 2014 IBM Corporation
> - * Author: Mimi Zohar <zohar@...ibm.com>
> - *
> - * This program is free software; you can redistribute it and/or modify
> - * it under the terms of the GNU General Public License as published by
> - * the Free Software Foundation, version 2 of the License.
> - */
> -
> -#ifndef _KEYS_OWNER_KEYRING_H
> -#define _KEYS_OWNER_KEYRING_H
> -
> -#ifdef CONFIG_OWNER_TRUSTED_KEYRING
> -
> -#include <linux/key.h>
> -
> -extern struct key *owner_trusted_keyring;
> -extern struct key *get_system_or_owner_trusted_keyring(void);
> -
> -#else
> -static inline struct key *get_system_or_owner_trusted_keyring(void)
> -{
> - return get_system_trusted_keyring();
> -}
> -
> -#endif
> -#endif /* _KEYS_OWNER_KEYRING_H */
> diff --git a/init/Kconfig b/init/Kconfig
> index 7876787..009a797 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1661,16 +1661,6 @@ config SYSTEM_TRUSTED_KEYRING
>
> Keys in this keyring are used by module signature checking.
>
> -config OWNER_TRUSTED_KEYRING
> - bool "Verify certificate signatures using a specific system key"
> - depends on SYSTEM_TRUSTED_KEYRING
> - help
> - Verify a certificate's signature, before adding the key to
> - a trusted keyring, using a specific key on the system trusted
> - keyring. The specific key on the system trusted keyring is
> - identified using the kernel boot command line option
> - "keys_ownerid" and is added to the owner_trusted_keyring.
> -
> menuconfig MODULES
> bool "Enable loadable module support"
> option modules
> diff --git a/kernel/Makefile b/kernel/Makefile
> index 7b44efd..bc010ee 100644
> --- a/kernel/Makefile
> +++ b/kernel/Makefile
> @@ -44,7 +44,6 @@ obj-$(CONFIG_UID16) += uid16.o
> obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
> obj-$(CONFIG_MODULES) += module.o
> obj-$(CONFIG_MODULE_SIG) += module_signing.o
> -obj-$(CONFIG_OWNER_TRUSTED_KEYRING) += owner_keyring.o
> obj-$(CONFIG_KALLSYMS) += kallsyms.o
> obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
> obj-$(CONFIG_KEXEC) += kexec.o
> diff --git a/kernel/owner_keyring.c b/kernel/owner_keyring.c
> deleted file mode 100644
> index a31b865..0000000
> --- a/kernel/owner_keyring.c
> +++ /dev/null
> @@ -1,85 +0,0 @@
> -/*
> - * Copyright (C) 2014 IBM Corporation
> - * Author: Mimi Zohar <zohar@...ibm.com>
> - *
> - * This program is free software; you can redistribute it and/or modify
> - * it under the terms of the GNU General Public License as published by
> - * the Free Software Foundation, version 2 of the License.
> - */
> -
> -#include <linux/export.h>
> -#include <linux/kernel.h>
> -#include <linux/sched.h>
> -#include <linux/cred.h>
> -#include <linux/err.h>
> -#include <keys/asymmetric-type.h>
> -#include <keys/system_keyring.h>
> -#include "module-internal.h"
> -
> -struct key *owner_trusted_keyring;
> -static int use_owner_trusted_keyring;
> -
> -static char *owner_keyid;
> -static int __init default_owner_keyid_set(char *str)
> -{
> - if (!str) /* default system keyring */
> - return 1;
> -
> - if (strncmp(str, "id:", 3) == 0)
> - owner_keyid = str; /* owner local key 'id:xxxxxx' */
> -
> - return 1;
> -}
> -
> -__setup("keys_ownerid=", default_owner_keyid_set);
> -
> -struct key *get_system_or_owner_trusted_keyring(void)
> -{
> - return use_owner_trusted_keyring ? owner_trusted_keyring :
> - get_system_trusted_keyring();
> -}
> -
> -static __init int owner_trusted_keyring_init(void)
> -{
> - pr_notice("Initialize the owner trusted keyring\n");
> -
> - owner_trusted_keyring =
> - keyring_alloc(".owner_keyring",
> - KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
> - ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
> - KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
> - KEY_ALLOC_NOT_IN_QUOTA, NULL);
> - if (IS_ERR(owner_trusted_keyring))
> - panic("Can't allocate owner trusted keyring\n");
> -
> - set_bit(KEY_FLAG_TRUSTED_ONLY, &owner_trusted_keyring->flags);
> - return 0;
> -}
> -
> -device_initcall(owner_trusted_keyring_init);
> -
> -void load_owner_identified_key(void)
> -{
> - key_ref_t key_ref;
> - int ret;
> -
> - if (!owner_keyid)
> - return;
> -
> - key_ref = keyring_search(make_key_ref(system_trusted_keyring, 1),
> - &key_type_asymmetric, owner_keyid);
> - if (IS_ERR(key_ref)) {
> - pr_warn("Request for unknown %s key\n", owner_keyid);
> - goto out;
> - }
> - ret = key_link(owner_trusted_keyring, key_ref_to_ptr(key_ref));
> - pr_info("Loaded owner key %s %s\n", owner_keyid,
> - ret < 0 ? "failed" : "succeeded");
> - key_ref_put(key_ref);
> - if (!ret)
> - use_owner_trusted_keyring = 1;
> -out:
> - return;
> -}
> -
> -late_initcall(load_owner_identified_key);
> --
> 1.9.1
>