Message-Id: <20221214003401.4086781-11-eric.snowberg@oracle.com>
Date: Tue, 13 Dec 2022 19:34:01 -0500
From: Eric Snowberg <eric.snowberg@...cle.com>
To: jarkko@...nel.org, zohar@...ux.ibm.com
Cc: dhowells@...hat.com, dwmw2@...radead.org,
herbert@...dor.apana.org.au, davem@...emloft.net,
dmitry.kasatkin@...il.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com, pvorel@...e.cz, noodles@...com, tiwai@...e.de,
eric.snowberg@...cle.com, kanth.ghatraju@...cle.com,
konrad.wilk@...cle.com, erpalmer@...ux.vnet.ibm.com,
coxu@...hat.com, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [PATCH v3 10/10] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca
Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to
restrict_link_by_ca. This will only allow CA keys into the machine
keyring.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
security/integrity/Kconfig | 10 ++++++++++
security/integrity/digsig.c | 8 ++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 14cc3c767270..3357883fa5a8 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -74,6 +74,16 @@ config INTEGRITY_MACHINE_KEYRING
in the platform keyring, keys contained in the .machine keyring will
be trusted within the kernel.
+config INTEGRITY_CA_MACHINE_KEYRING
+ bool "Only allow CA keys into the Machine Keyring"
+ depends on INTEGRITY_MACHINE_KEYRING
+ help
+ If set, only Machine Owner Keys (MOK) that are Certificate
+ Authority (CA) keys will be added to the .machine keyring. All
+ other MOK keys will be added to the .platform keyring. After
+ booting, any other key signed by the CA key can be added to the
+ secondary_trusted_keys keyring.
+
config LOAD_UEFI_KEYS
depends on INTEGRITY_PLATFORM_KEYRING
depends on EFI
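Review bot: The help text for INTEGRITY_CA_MACHINE_KEYRING never says what makes a MOK a "Certificate Authority (CA) key", so someone enabling the option cannot tell from Kconfig which of their enrolled keys will land in .machine and which will be diverted to .platform. Please add a sentence stating the criteria that restrict_link_by_ca applies. The last line also writes "secondary_trusted_keys keyring" without the leading dot, while the same text uses ".machine" and ".platform"; use one naming form throughout.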
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 1fe8d1ed6e0b..b0ec615745e3 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -131,7 +131,8 @@ int __init integrity_init_keyring(const unsigned int id)
| KEY_USR_READ | KEY_USR_SEARCH;
if (id == INTEGRITY_KEYRING_PLATFORM ||
- id == INTEGRITY_KEYRING_MACHINE) {
+ (id == INTEGRITY_KEYRING_MACHINE &&
+ !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) {
restriction = NULL;
goto out;
}
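Review bot: The added "!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING)" term means the machine keyring still takes the "restriction = NULL" path whenever the option is off, so the commit message's "This will only allow CA keys into the machine keyring" holds only with the new option enabled. Please say so in the commit message, and consider a short comment above this condition noting that the machine keyring deliberately falls through to the restricted path when the option is set, since the negated test inside the "||" is easy to misread.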
@@ -143,7 +144,10 @@ int __init integrity_init_keyring(const unsigned int id)
if (!restriction)
return -ENOMEM;
- restriction->check = restrict_link_to_ima;
+ if (id == INTEGRITY_KEYRING_MACHINE)
+ restriction->check = restrict_link_by_ca;
+ else
+ restriction->check = restrict_link_to_ima;
/*
* MOK keys can only be added through a read-only runtime services
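Review bot: The "if (id == INTEGRITY_KEYRING_MACHINE)" selection does not test CONFIG_INTEGRITY_CA_MACHINE_KEYRING itself; it is correct only because the earlier hunk sends the machine keyring to "out" when the option is disabled. If that early exit is ever reordered or changed, the machine keyring would silently pick up restrict_link_by_ca. Either repeat the IS_ENABLED() test here or add a comment stating the dependency, so the two sites stay coupled. The "else" branch also assigns restrict_link_to_ima to every other id, which is worth a one-line comment naming the keyrings expected to reach it.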
--
2.27.0