| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 Apr 2022 21:53:30 -0400
From: Eric Snowberg <eric.snowberg@...cle.com>
To: dhowells@...hat.com, dwmw2@...radead.org, jarkko@...nel.org,
zohar@...ux.ibm.com, linux-integrity@...r.kernel.org
Cc: herbert@...dor.apana.org.au, davem@...emloft.net,
dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
roberto.sassu@...wei.com, nramas@...ux.microsoft.com,
eric.snowberg@...cle.com, pvorel@...e.cz, tiwai@...e.de,
keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: [PATCH 0/7] Add CA enforcement keyring restrictions
A key added to the ima keyring must be signed by a key contained within
either the builtin trusted or secondary trusted keyrings. Currently, there are
CA restrictions described in IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,
but these restrictions are not enforced within code. Therefore, keys within
either the builtin or secondary may not be a CA and could be used to
vouch for an ima key.
The machine keyring can not be used as another trust anchor for adding keys
to the ima keyring, since CA enforcement does not currently exist [1]. This
would expand the current integrity gap.
Introduce a new root of trust key flag to close this integrity gap for
all keyrings. The first key type to use this is X.509. When a X.509
certificate is self signed, contains kernCertSign Key Usage and contains
the CA bit, the new flag is set. Introduce new keyring restrictions
that not only validates a key is signed by a key contained within the
keyring, but also validates the key has the new root of trust key flag
set. Use this new restriction for keys added to the ima keyring. Now
that we have CA enforcement, allow the machine keyring to be used as another
trust anchor for the ima keyring.
To recap, all keys that previously loaded into the builtin, secondary or
machine keyring will still load after applying this series. Keys
contained within these keyrings may carry the root of trust flag. The
ima keyring will use the new root of trust restriction to validate
CA enforcement. Other keyrings that require a root of trust could also
use this in the future.
[1] https://lore.kernel.org/lkml/2d681148b6ea57241f6a7c518dd331068a5f47b0.camel@linux.ibm.com/
Eric Snowberg (7):
KEYS: Create static version of public_key_verify_signature
KEYS: X.509: Parse Basic Constraints for CA
KEYS: X.509: Parse Key Usage
KEYS: Introduce a builtin root of trust key flag
KEYS: Introduce sig restriction that validates root of trust
KEYS: X.509: Flag Intermediate CA certs as built in
integrity: Use root of trust signature restriction
certs/system_keyring.c | 18 ++++++++++
crypto/asymmetric_keys/restrict.c | 42 +++++++++++++++++++++++
crypto/asymmetric_keys/x509_cert_parser.c | 29 ++++++++++++++++
crypto/asymmetric_keys/x509_parser.h | 2 ++
crypto/asymmetric_keys/x509_public_key.c | 12 +++++++
include/crypto/public_key.h | 9 +++++
include/keys/system_keyring.h | 17 ++++++++-
include/linux/ima.h | 16 +++++++++
include/linux/key-type.h | 3 ++
include/linux/key.h | 2 ++
security/integrity/Kconfig | 1 -
security/integrity/digsig.c | 4 +--
security/keys/key.c | 13 +++++++
13 files changed, 164 insertions(+), 4 deletions(-)
base-commit: 3123109284176b1532874591f7c81f3837bbdc17
--
2.27.0
Powered by blists - more mailing lists