Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp312629pxb; Wed, 24 Feb 2021 02:55:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJxoz2I4Oi+9/bQh1AV0Ci/MG+Cqc2Ha9ww4K2DlW6p5zwlFEOkV0H0xktWlbmaX0Jgz2y3Y X-Received: by 2002:a05:6402:946:: with SMTP id h6mr19990998edz.188.1614164110635; Wed, 24 Feb 2021 02:55:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614164110; cv=none; d=google.com; s=arc-20160816; b=MIEno136y62x1NyAE0yK+oaqHNr91P3+44fsgjbC0cF6uUorN3PlDh8hgHb9qBZ84K Vwre8ZgLB0Beo1ptoUf3CCFG4/4OohpZ4Fglu1kqOGYrzdeZ5D95LFZFAcvK22HrESpr lqTVqRwZUv/bRS0gUuLQ92WwrpaAd6jDBKoWZb+hW+i/ifrGpDFQZpQUsIhBp2vLgVPw a+l7GBuwLKVwP71BXYR6vXl25yk07HWDRXuDjtdx81ZI9oaYFjy0nZaGQ9rau68FDeJM hIYlcvQvZTP8Ih/fvSynRZ/YVpNUfKo40vU0arpyfM0WYefC46/Knrr+roaPAHY5LyTe PtJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:references:in-reply-to:from :organization:dkim-signature; bh=GH11eDVLhD/SidI1qdEzLb3AWqWR9ut66Endvy0g5sg=; b=bd82DGA5sebx360/vb+3+C1kozjLeWJop4r3R6TEVMjRpEprd+PPZeFD4rNZDrvkX6 FHU5Zxqq2PoC5RuWGf0YZyCVpXYf3C4WyRlV+a+K2qiN88nrriCWjXA7MjEB5PvIPvS3 1Ls0B+FLT//0O/d6884zOkySCEACFFMKgoUsNlg4BSccu+4z9+6nxLolZPYsj52D/Rp9 PhrruFDvDS8LvbpV+4UsSyqmiTbhK80smqYxnfIQKRG79+pvYSYZgbmuLH0/u+Op7SWm 22hJiBJar/YDkCWfUy6uEmr9u0ESKYr9ZEkMRuFanIBco2lXlQAWiwt3aqQgla+df6mZ tk8A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=a4e5jg8i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q16si1068845ejd.199.2021.02.24.02.54.45; Wed, 24 Feb 2021 02:55:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=a4e5jg8i; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234938AbhBXKx6 (ORCPT + 99 others); Wed, 24 Feb 2021 05:53:58 -0500 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:57344 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234891AbhBXKxq (ORCPT ); Wed, 24 Feb 2021 05:53:46 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1614163932; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=GH11eDVLhD/SidI1qdEzLb3AWqWR9ut66Endvy0g5sg=; b=a4e5jg8ioUV6fCB3Y1Qu6ySo6k8A+We6Vcb8GiePmGBKF3TU2ix6paYT24qEdvPBEYslc5 yUrfcVQwrd5sKcYe0+gI45I46JOnPOVK0/ie41YUsvkvdO62x8FxrNheUVC1l+Sg62oOYX pQsl9HTmk7L9m0vCBhVPpvR0uu/0LlM= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-402-5MJlS2NeP7-XzypAY4PELg-1; Wed, 24 Feb 2021 05:52:00 -0500 X-MC-Unique: 5MJlS2NeP7-XzypAY4PELg-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 771A18018AB; Wed, 24 Feb 2021 10:51:59 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-119-68.rdu2.redhat.com [10.10.119.68]) by smtp.corp.redhat.com (Postfix) with ESMTP id 980EA2D035; Wed, 24 Feb 2021 10:51:57 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <20210217165058.1336155-1-eric.snowberg@oracle.com> <3524595.1614124044@warthog.procyon.org.uk> To: Eric Snowberg Cc: dhowells@redhat.com, Jarkko Sakkinen , =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= , David Woodhouse , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] cert: Add kconfig dependency for validate_trust MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3731127.1614163916.1@warthog.procyon.org.uk> Content-Transfer-Encoding: quoted-printable Date: Wed, 24 Feb 2021 10:51:56 +0000 Message-ID: <3731128.1614163916@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org How about these changes? I've added an extra config option to turn on SYSTEM_REVOCATION_LIST suppor= t. I've also added kerneldoc comments and moved the functions so that they're= not in the middle of the blacklist-specific stuff. I'm not sure uefi_revocation_list_x509() needs conditionalising as the optimiser should just inline it if SYSTEM_REVOCATION_LIST=3Dn (assuming __= init doesn't disable inlining). David --- diff --git a/certs/Kconfig b/certs/Kconfig index c94e93d8bccf..76e469b56a77 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each should be a string of hex digits. = +config SYSTEM_REVOCATION_LIST + bool "Provide system-wide ring of revocation certificates" + depends on SYSTEM_BLACKLIST_KEYRING + depends on PKCS7_MESSAGE_PARSER=3Dy + help + If set, this allows revocation certificates to be stored in the + blacklist keyring and implements a hook whereby a PKCS#7 message can + be checked to see if it matches such a certificate. + endmenu diff --git a/certs/blacklist.c b/certs/blacklist.c index e9f5fc632f0d..2b8644123d5f 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -101,38 +101,6 @@ int mark_hash_blacklisted(const char *hash) return 0; } = -int add_key_to_revocation_list(const char *data, size_t size) -{ - key_ref_t key; - - key =3D key_create_or_update(make_key_ref(blacklist_keyring, true), - "asymmetric", - NULL, - data, - size, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), - KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); - - if (IS_ERR(key)) { - pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); - return PTR_ERR(key); - } - - return 0; -} - -int is_key_on_revocation_list(struct pkcs7_message *pkcs7) -{ - int ret; - - ret =3D validate_trust(pkcs7, blacklist_keyring); - - if (ret =3D=3D 0) - return -EKEYREJECTED; - - return -ENOKEY; -} - /** * is_hash_blacklisted - Determine if a hash is blacklisted * @hash: The hash to be checked as a binary blob @@ -177,6 +145,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash= _len) } EXPORT_SYMBOL_GPL(is_binary_blacklisted); = +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/** + * add_key_to_revocation_list - Add a revocation certificate to the black= list + * @data: The data blob containing the certificate + * @size: The size of data blob + */ +int add_key_to_revocation_list(const char *data, size_t size) +{ + key_ref_t key; + + key =3D key_create_or_update(make_key_ref(blacklist_keyring, true), + "asymmetric", + NULL, + data, + size, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); + + if (IS_ERR(key)) { + pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); + return PTR_ERR(key); + } + + return 0; +} + +/** + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message = is revoked + * @pkcs7: The PKCS#7 message to check + */ +int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + int ret; + + ret =3D pkcs7_validate_trust(pkcs7, blacklist_keyring); + + if (ret =3D=3D 0) + return -EKEYREJECTED; + + return -ENOKEY; +} +#endif + /* * Initialise the blacklist */ diff --git a/certs/blacklist.h b/certs/blacklist.h index 420bb7c86e07..51b320cf8574 100644 --- a/certs/blacklist.h +++ b/certs/blacklist.h @@ -3,13 +3,3 @@ #include = extern const char __initconst *const blacklist_hashes[]; - -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING -#define validate_trust pkcs7_validate_trust -#else -static inline int validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) -{ - return -ENOKEY; -} -#endif diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 61f98739e8b1..875e002a4180 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -34,11 +34,9 @@ extern int restrict_link_by_builtin_and_secondary_trust= ed( extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); -extern int add_key_to_revocation_list(const char *data, size_t size); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type); extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); -extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) @@ -50,6 +48,12 @@ static inline int is_binary_blacklisted(const u8 *hash,= size_t hash_len) { return 0; } +#endif + +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern int add_key_to_revocation_list(const char *data, size_t size); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); +#else static inline int add_key_to_revocation_list(const char *data, size_t siz= e) { return 0;