lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20220406015337.4000739-8-eric.snowberg@oracle.com>
Date:   Tue,  5 Apr 2022 21:53:37 -0400
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     dhowells@...hat.com, dwmw2@...radead.org, jarkko@...nel.org,
        zohar@...ux.ibm.com, linux-integrity@...r.kernel.org
Cc:     herbert@...dor.apana.org.au, davem@...emloft.net,
        dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
        roberto.sassu@...wei.com, nramas@...ux.microsoft.com,
        eric.snowberg@...cle.com, pvorel@...e.cz, tiwai@...e.de,
        keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-crypto@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: [PATCH 7/7] integrity: Use root of trust signature restriction

Keys added to the IMA keyring must be vouched for by keys contained
within the builtin or secondary keyrings.  These keys must also be self
signed, have the CA bit set and have the kernCertSign KeyUsage bit set.
Or they could be validated by a properly formed intermediate CA.
Currently these restrictions are not enforced. Use the new
restrict_link_by_rot_builtin_and_secondary_trusted and
restrict_link_by_rot_builtin_trusted to enforce the missing
CA restrictions when adding keys to the IMA keyring. With the
CA restrictions enforced, allow the machine keyring to be
enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
 security/integrity/Kconfig  | 1 -
 security/integrity/digsig.c | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 599429f99f99..14cc3c767270 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -68,7 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
 	depends on INTEGRITY_ASYMMETRIC_KEYS
 	depends on SYSTEM_BLACKLIST_KEYRING
 	depends on LOAD_UEFI_KEYS
-	depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 	help
 	 If set, provide a keyring to which Machine Owner Keys (MOK) may
 	 be added. This keyring shall contain just MOK keys.  Unlike keys
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index c8c8a4a4e7a0..cfde2ea9c55b 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
 };
 
 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
-#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
+#define restrict_link_to_ima restrict_link_by_rot_builtin_and_secondary_trusted
 #else
-#define restrict_link_to_ima restrict_link_by_builtin_trusted
+#define restrict_link_to_ima restrict_link_by_rot_builtin_trusted
 #endif
 
 static struct key *integrity_keyring_from_id(const unsigned int id)
-- 
2.27.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ