| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Jul 2021 22:43:53 -0400
From: Eric Snowberg <eric.snowberg@...cle.com>
To: keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
zohar@...ux.ibm.com, dhowells@...hat.com, dwmw2@...radead.org,
herbert@...dor.apana.org.au, davem@...emloft.net,
jarkko@...nel.org, jmorris@...ei.org, serge@...lyn.com
Cc: eric.snowberg@...cle.com, keescook@...omium.org,
gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
scott.branden@...adcom.com, weiyongjun1@...wei.com,
nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senPartnership.com, pjones@...hat.com,
glin@...e.com, konrad.wilk@...cle.com
Subject: [PATCH RFC 02/12] KEYS: Allow unrestricted keys to be moved to the secondary keyring
Allow keys to be moved into the secondary keyring without checking its
trust chain. This is available only during kernel initialization.
This will allow keys in the MOK list to be added during boot.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
certs/system_keyring.c | 25 +++++++++++++++++++++++++
include/keys/system_keyring.h | 7 +++++++
2 files changed, 32 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 692365dee2bd..f02bc5832684 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -90,6 +90,31 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
return restriction;
}
+
+/**
+ * move_to_trusted_secondary_keyring - Move to the secondary trusted
+ * keyring with no validation.
+ * @key: The key to add to the secondary trusted keyring
+ * @from_keyring: The keyring containing the key to move from
+ *
+ * Move key to the secondary keyring without checking its trust chain. This
+ * is available only during kernel initialization.
+ */
+__init int move_to_trusted_secondary_keyring(struct key *key, struct key *from_keyring)
+{
+ int ret;
+
+ ret = key_move(key, from_keyring, secondary_trusted_keys,
+ KEY_ALLOC_BYPASS_RESTRICTION);
+
+ if (ret)
+ pr_err("Problem loading X.509 certificate %d\n", ret);
+ else
+ pr_notice("Loaded X.509 cert '%s' linked to secondary sys keyring\n",
+ key->description);
+
+ return ret;
+}
#endif
/*
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 6acd3cf13a18..f40837026d6d 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -34,8 +34,15 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
const struct key_type *type,
const union key_payload *payload,
struct key *restriction_key);
+extern __init int move_to_trusted_secondary_keyring(struct key *key,
+ struct key *from_keyring);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+static inline __init int move_to_trusted_secondary_keyring(struct key *key,
+ struct key *from_keyring)
+{
+ return -EKEYREVOKED;
+}
#endif
extern struct pkcs7_message *pkcs7;
--
2.18.4
Powered by blists - more mailing lists