| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210812193245.yev4gyeuxrfwqfty@kernel.org>
Date: Thu, 12 Aug 2021 22:32:45 +0300
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Eric Snowberg <eric.snowberg@...cle.com>
Cc: keyrings@...r.kernel.org, linux-integrity@...r.kernel.org,
zohar@...ux.ibm.com, dhowells@...hat.com, dwmw2@...radead.org,
herbert@...dor.apana.org.au, davem@...emloft.net,
jmorris@...ei.org, serge@...lyn.com, keescook@...omium.org,
gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
scott.branden@...adcom.com, weiyongjun1@...wei.com,
nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senpartnership.com, pjones@...hat.com,
glin@...e.com, konrad.wilk@...cle.com
Subject: Re: [PATCH v3 04/14] integrity: add add_to_mok_keyring
On Wed, Aug 11, 2021 at 10:18:45PM -0400, Eric Snowberg wrote:
> Add the ability to load Machine Owner Key (MOK) keys to the mok keyring.
> If the permissions do not allow the key to be added to the mok keyring
> this is not an error, add it to the platform keyring instead.
Should state why it isn't an error for clarity.
/Jarkko
>
> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
> ---
> v1: Initial version
> v3: Unmodified from v1
> ---
> security/integrity/integrity.h | 4 ++++
> .../integrity/platform_certs/mok_keyring.c | 21 +++++++++++++++++++
> 2 files changed, 25 insertions(+)
>
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e0e17ccba2e6..60d5c7ba05b2 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -278,9 +278,13 @@ integrity_audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type)
> #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> void __init add_to_platform_keyring(const char *source, const void *data,
> size_t len);
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len);
> #else
> static inline void __init add_to_platform_keyring(const char *source,
> const void *data, size_t len)
> {
> }
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> +}
> #endif
> diff --git a/security/integrity/platform_certs/mok_keyring.c b/security/integrity/platform_certs/mok_keyring.c
> index fe4f2d336260..f260edac0863 100644
> --- a/security/integrity/platform_certs/mok_keyring.c
> +++ b/security/integrity/platform_certs/mok_keyring.c
> @@ -21,6 +21,27 @@ static __init int mok_keyring_init(void)
> }
> device_initcall(mok_keyring_init);
>
> +void __init add_to_mok_keyring(const char *source, const void *data, size_t len)
> +{
> + key_perm_t perm;
> + int rc;
> +
> + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
> + rc = integrity_load_cert(INTEGRITY_KEYRING_MOK, source, data, len, perm);
> +
> + /*
> + * If the mok keyring restrictions prevented the cert from loading,
> + * this is not an error. Just load it into the platform keyring
> + * instead.
> + */
> + if (rc)
> + rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source,
> + data, len, perm);
> +
> + if (rc)
> + pr_info("Error adding keys to mok keyring %s\n", source);
> +}
> +
> /*
> * Try to load the MokListTrustedRT UEFI variable to see if we should trust
> * the mok keys within the kernel. It is not an error if this variable
> --
> 2.18.4
>
>
Powered by blists - more mailing lists