From: "Lee, Chun-Yi" <jlee@suse.com>
To: David Howells
Cc: Herbert Xu, "David S . Miller", keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [RFC PATCH 0/2] Check codeSigning extended key usage extension
Date: Tue, 20 Oct 2020 14:49:59 +0800
Message-Id: <20201020065001.13836-1-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
List-ID: <linux-kernel.vger.kernel.org>

NIAP PP_OS certification requests that the OS shall validate the CodeSigning
extended key usage extension field for integrity verification of executable
code:

https://www.niap-ccevs.org/MMO/PP/-442-/

FIA_X509_EXT.1.1

This patchset adds the logic for parsing the codeSigning EKU extension field
in X.509, and checks the CodeSigning EKU when verifying the signature of a
kernel module or kexec PE binary in PKCS#7.
Lee, Chun-Yi (2):
  X.509: Add CodeSigning extended key usage parsing
  PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification

 certs/system_keyring.c                    |  2 +-
 crypto/asymmetric_keys/Kconfig            | 10 +++++++++
 crypto/asymmetric_keys/pkcs7_trust.c      | 37 ++++++++++++++++++++++++++++---
 crypto/asymmetric_keys/x509_cert_parser.c | 24 ++++++++++++++++++++
 include/crypto/pkcs7.h                    |  3 ++-
 include/crypto/public_key.h               |  1 +
 include/linux/oid_registry.h              |  5 +++++
 7 files changed, 77 insertions(+), 5 deletions(-)

-- 
2.16.4
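As an added illustration of the check this cover letter describes (this is not code from the patchset, which relies on the kernel's ASN.1 decoder and OID registry rather than a hand-written parser), the following stand-alone C parses a DER-encoded ExtKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) and reports whether id-kp-codeSigning (1.3.6.1.5.5.7.3.3) is present, rejecting truncated or malformed input rather than treating it as "not present". The function names and the sample byte strings are constructed for this example, not taken from any real certificate.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at p. On success return a pointer to the
 * content and store its length; return NULL if the tag differs or the
 * encoding does not fit before end. Short and 1-2 byte long-form lengths
 * are enough for an EKU extension. */
static const unsigned char *der_tlv(const unsigned char *p, const unsigned char *end,
                                    unsigned char want_tag, size_t *len)
{
    if (end - p < 2 || p[0] != want_tag)
        return NULL;
    size_t l = p[1];
    const unsigned char *c = p + 2;
    if (l & 0x80) {
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - c) < n)
            return NULL;
        l = 0;
        for (size_t i = 0; i < n; i++)
            l = (l << 8) | c[i];
        c += n;
    }
    if ((size_t)(end - c) < l)
        return NULL;
    *len = l;
    return c;
}

/* Decode OID content bytes (base-128 sub-identifiers) into dotted text.
 * Returns 0 on success, -1 on malformed input or insufficient buffer. */
static int oid_to_string(const unsigned char *p, size_t len, char *out, size_t outsz)
{
    if (len == 0 || (p[len - 1] & 0x80))   /* empty, or last sub-id truncated */
        return -1;
    size_t pos = 0;
    unsigned long sub = 0;
    int first = 1;
    for (size_t i = 0; i < len; i++) {
        if (sub > (ULONG_MAX >> 7))        /* overflow guard for long sub-ids */
            return -1;
        sub = (sub << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80)                   /* continuation bit set: keep reading */
            continue;
        int n;
        if (first) {
            /* First sub-id packs the first two arcs: 40*a + b, with a <= 2. */
            unsigned long a = sub < 80 ? sub / 40 : 2;
            unsigned long b = sub - a * 40;
            n = snprintf(out + pos, outsz - pos, "%lu.%lu", a, b);
            first = 0;
        } else {
            n = snprintf(out + pos, outsz - pos, ".%lu", sub);
        }
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;
        pos += (size_t)n;
        sub = 0;
    }
    return 0;
}

/* Parse an ExtKeyUsage extension value and look for id-kp-codeSigning.
 * Returns 1 if present, 0 if absent, -1 if the encoding is malformed. */
int eku_has_code_signing(const unsigned char *der, size_t derlen)
{
    const unsigned char *end = der + derlen;
    size_t seqlen;
    const unsigned char *p = der_tlv(der, end, 0x30, &seqlen);   /* SEQUENCE */
    if (!p)
        return -1;
    const unsigned char *seqend = p + seqlen;
    int found = 0;
    while (p < seqend) {
        size_t oidlen;
        const unsigned char *oid = der_tlv(p, seqend, 0x06, &oidlen); /* OID */
        if (!oid)
            return -1;
        char text[64];
        if (oid_to_string(oid, oidlen, text, sizeof text) != 0)
            return -1;
        if (strcmp(text, "1.3.6.1.5.5.7.3.3") == 0)
            found = 1;
        p = oid + oidlen;
    }
    return found;
}

/* Constructed sample EKU values (hypothetical, not from a real certificate). */
static const unsigned char eku_with_cs[] = {
    0x30, 0x14,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,  /* id-kp-serverAuth  */
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03   /* id-kp-codeSigning */
};
static const unsigned char eku_without_cs[] = {
    0x30, 0x0a,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01   /* id-kp-serverAuth only */
};
static const unsigned char eku_truncated[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06 };

int main(void)
{
    printf("with codeSigning: %d\n", eku_has_code_signing(eku_with_cs, sizeof eku_with_cs));
    printf("without codeSigning: %d\n", eku_has_code_signing(eku_without_cs, sizeof eku_without_cs));
    printf("truncated: %d\n", eku_has_code_signing(eku_truncated, sizeof eku_truncated));
    return 0;
}
```

The three-way result matters for a verifier in the position of pkcs7_trust.c: a certificate whose EKU is absent or lacks codeSigning should fail the module or kexec check, and a certificate whose EKU cannot be parsed should fail as well rather than being silently accepted.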