Date: Tue, 24 Oct 2023 02:28:48 +0300
From: "Jarkko Sakkinen"
To: "Mimi Zohar", "Denis Glazkov"
Cc: "David Howells", "David Woodhouse", "David S . Miller"
Subject: Re: [RFC PATCH] certs: Only allow certs signed by keys on the builtin keyring
References: <20231017122507.185896-1-zohar@linux.ibm.com>
In-Reply-To: <20231017122507.185896-1-zohar@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue Oct 17, 2023 at 3:25 PM EEST, Mimi Zohar wrote:
> Originally the secondary trusted keyring provided a keyring to which extra
> keys may be added, provided those keys were not blacklisted and were
> vouched for by a key built into the kernel or already in the secondary
> trusted keyring.
>
> On systems with the machine keyring configured, additional keys may also
> be vouched for by a key on the machine keyring.
>
> Prevent loading additional certificates directly onto the secondary
> keyring, vouched for by keys on the machine keyring, yet allow these
> certificates to be loaded onto other trusted keyrings.
>
> Signed-off-by: Mimi Zohar
> ---
> certs/Kconfig | 16 +++++++++++++++-
> crypto/asymmetric_keys/restrict.c | 4 ++++
> 2 files changed, 19 insertions(+), 1 deletion(-)
> > diff --git a/certs/Kconfig b/certs/Kconfig > index 4a4dc8aab892..2e621963d260 100644 > --- a/certs/Kconfig > +++ b/certs/Kconfig > @@ -88,7 +88,21 @@ config SECONDARY_TRUSTED_KEYRING > help > If set, provide a keyring to which extra keys may be added, provided > those keys are not blacklisted and are vouched for by a key built > - into the kernel or already in the secondary trusted keyring. > + into the kernel, machine keyring (if configured), or already in the > + secondary trusted keyring. > + > +config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN > + bool "Only allow additional certs signed by keys on the builtin trusted= keyring" > + depends on SECONDARY_TRUSTED_KEYRING > + help > + If set, only certificates signed by keys on the builtin trusted > + keyring may be loaded onto the secondary trusted keyring. > + > + Note: The machine keyring, if configured, will be linked to the > + secondary keyring. When enabling this option, it is recommended > + to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent > + linking code signing keys with imputed trust to the secondary > + trusted keyring. > =20 > config SECONDARY_TRUSTED_KEYRING_FOR_CA_CERTIFICATES_ONLY > bool "Allow only CA certificates to be added to the secondary trusted k= eyring" > diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/r= estrict.c > index 6b69ea40da23..afcd4d101ac5 100644 > --- a/crypto/asymmetric_keys/restrict.c > +++ b/crypto/asymmetric_keys/restrict.c 
> @@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyr= ing, > =20 > if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) > ret =3D -ENOKEY; > + else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN)= && > + !strcmp(dest_keyring->description, ".secondary_trusted_keys") && > + !test_bit(KEY_FLAG_BUILTIN, &key->flags)) > + ret =3D -ENOKEY; > else > ret =3D verify_signature(key, sig); > key_put(key);

Please pick this to your tree.

Reviewed-by: Jarkko Sakkinen

BR, Jarkko
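Review bot: in the certs/Kconfig hunk, the help text for SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN says "it is recommended to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX", but nothing in the option expresses that relationship, so a user who enables this option and leaves the machine keyring linked to the secondary keyring gets exactly the behaviour the note warns about. Consider encoding the dependency in Kconfig (a `depends on` or `select` on the INTEGRITY_CA_MACHINE_KEYRING option named in the note, or at least an `imply`) instead of relying on the reader. The help text should also say plainly that, with this option set, keys already on the secondary keyring no longer vouch for new additions either, since the updated SECONDARY_TRUSTED_KEYRING help above it still lists "already in the secondary trusted keyring" as a valid vouching source.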
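Review bot: in the restrict.c hunk, the new `else if` in restrict_link_by_signature() re-implements the `use_builtin_keys` test from the line directly above it, gated on a hard-coded `!strcmp(dest_keyring->description, ".secondary_trusted_keys")`; the generic signature-restriction helper should not special-case one keyring by its description string. Since `use_builtin_keys` already means "only KEY_FLAG_BUILTIN keys may vouch", the cleaner change is to have the secondary keyring's restriction pass that flag (or use the existing builtin-only restriction path) when CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is set, and drop the string compare here. Minor: the option is a `bool`, so `IS_ENABLED()` is the conventional test; `IS_BUILTIN()` reads as though a module build were possible.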