Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp177351pxu;
        Tue, 24 Nov 2020 23:27:43 -0800 (PST)
X-Google-Smtp-Source: ABdhPJw9hzmURwn7e+DN1hFuHB+1LeSD2GeqgvhYeVkynjSOCN9q6UWSoDMD6Z1bVQ+JvRWeURJp
X-Received: by 2002:a05:6402:2208:: with SMTP id cq8mr2200555edb.182.1606289262894;
        Tue, 24 Nov 2020 23:27:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1606289262; cv=none;
        d=google.com; s=arc-20160816;
        b=ZfZ2lKwqR82hBkLyOYnZsNHt2fsrwvEc9P1kqj4wYwrwO5D7Kl6brW+lKbAiscLYqs
         vTcBL4DBwRMDQh09VQvKyGN8/SFjcF1pw9fLbzHP10A/p8zu3g+qh0EL8GFXNnZhF9x4
         5dPd+Yj7bQ5enPDvp2T7V/Jmw64BjUiT2pL7gnrsqrE9eVJ+DJ8gQG6Ovpg9qqimXCE2
         YPurLb42BIHbE/0DWbWlyLBPRQoofLoAvMEurwH6sL8ZOSbJSoY9cn2BB8mOar3b+oq0
         imZWiyRZVPBl1XVLZVO9kHqSENV8tP6B/kXIdd63FbnsEOuOgctuGIQCfPY3jrHzHOuR
         3Elw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=dE8a5WlGPDxWc2nopfLth4ca5yh3gzs/QZ1YaMzoCcg=;
        b=okd8AUwCRKyFltbhWNaN7wZgtxJTSwjZG+vayK+iIq8fCH4QsbK8L4SxxMaSxe8R3s
         vmgRFypT3kv1LRsohTEI4ljtpEX9jUUizgQmsyNfqkp6Qb7FdDvJ0EERLNfTe5dLE6J9
         U4+/Zbmo4FlA2UuBPzG+iSeM4xkTJIfNHSlNgpQdxyANpYL8OfwCMXNSsEdqNDI3rm2d
         cHMtk/9zYSTZjvgsdaI9AnHBRhUHPQEDVqd2suOQSlgemXhKz8wnHvBFuF6c3unsmZvS
         9Ojg6gRHgvAFH5rAKzGGCY3f5Pzyu41L2GEtHNYyr+hJelldDLtsnFYZpRbgPbc9Y7T8
         8Etg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=JVTjCVNK;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a4si736267ejf.460.2020.11.24.23.27.18;
        Tue, 24 Nov 2020 23:27:42 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=JVTjCVNK;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725815AbgKYH1J (ORCPT <rfc822;rusydi.hasan@gmail.com>
        + 99 others); Wed, 25 Nov 2020 02:27:09 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59088 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725308AbgKYH1I (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 25 Nov 2020 02:27:08 -0500
Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C16FEC0613D4;
        Tue, 24 Nov 2020 23:27:08 -0800 (PST)
Received: by mail-pl1-x630.google.com with SMTP id bj5so684355plb.4;
        Tue, 24 Nov 2020 23:27:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=dE8a5WlGPDxWc2nopfLth4ca5yh3gzs/QZ1YaMzoCcg=;
        b=JVTjCVNKIef82UXKWf0/tQJeETUdDE0HDCq4b2tt1MBvndGO8HI54SCQUN+hES57k7
         Xp+bJUqF5W0s8QjVBiDKEFU8YPJ9aJHbmk3lnBGfM4iffNuIEvqwj30E8M8cil89PmTN
         lYSuL2gyuFytg5uM5jgY3llpWirvDAOvzDQuEnFNH8Yr3eH76Sxn1oOqDjlM2/LzBKFk
         Nw4B6AoMXScf6B+CYCkqvPo88hkJmnPZPkw3KMtCs6aRerN6pCpl7+Lna6ECzSjUA2aa
         CpWcn981ACJPTQFGQbtxG8HWepHw/T+89YhkFbVjlKgwhyYb+JnK38pFB9+SonQ+cyU4
         qdAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=dE8a5WlGPDxWc2nopfLth4ca5yh3gzs/QZ1YaMzoCcg=;
        b=kErpUoyhy4eJonrJl4KCWBMcXUmuleXb0gRlqVDrTq0BajM5ZzSCiC7wBOIkLCHlyQ
         wGVY/D9//Q2xNpivJN5NK9taWwPoerM8koLf5wunWonEzj2RG1e6EpZDelLcZEU1JqU0
         LrVy2V6VFANYTC6QR7+FeJZaxjuLiuLnUpWaTpmkLI232ewrC9s+Mu0hiA0zuAq9r7g+
         cQdG8ICcnDOjU6ybwDMobQL87zYbU7I9s5QXf7UVKf3BQvsgk+hQsUteNRtHYSmbfcHp
         s5towGBIMBkjK4RrE+jjHV9wqZVz2zAZmChdBRgOdagaYceq/P0GxQgdT4QYEOY5Ar/1
         Bj8A==
X-Gm-Message-State: AOAM5312PEr21od7pNNO82ve0iZy3rH8ygDMlga06jF1/TedjXF8p+ee
        zorM7Pjb9HVWuYv1O8Oh+4I=
X-Received: by 2002:a17:902:bf0b:b029:d8:f677:30f2 with SMTP id bi11-20020a170902bf0bb02900d8f67730f2mr1424461plb.25.1606289228251;
        Tue, 24 Nov 2020 23:27:08 -0800 (PST)
Received: from linux-l9pv.suse ([124.11.22.254])
        by smtp.gmail.com with ESMTPSA id q7sm1006055pfh.91.2020.11.24.23.27.02
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 24 Nov 2020 23:27:07 -0800 (PST)
From:   "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To:     David Howells <dhowells@redhat.com>
Cc:     Herbert Xu <herbert@gondor.apana.org.au>,
        "David S . Miller" <davem@davemloft.net>,
        Ben Boeckel <me@benboeckel.net>,
        Randy Dunlap <rdunlap@infradead.org>,
        Malte Gell <malte.gell@gmx.de>, keyrings@vger.kernel.org,
        linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
        "Lee, Chun-Yi" <jlee@suse.com>
Subject: [PATCH 0/4] Check codeSigning extended key usage extension
Date:   Wed, 25 Nov 2020 15:26:49 +0800
Message-Id: <20201125072653.15657-1-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

NIAP PP_OS certification requests that the OS shall validate the
CodeSigning extended key usage extension field for integrity
verifiction of exectable code:

    https://www.niap-ccevs.org/MMO/PP/-442-/
        FIA_X509_EXT.1.1

This patchset adds the logic for parsing the codeSigning EKU extension
field in X.509. And checking the CodeSigning EKU when verifying
signature of kernel module or kexec PE binary in PKCS#7.

v3:
- Add codeSigning EKU to x509.genkey key generation config.
- Add openssl command option example for generating CodeSign EKU to
  module-signing.rst document. 

v2:
Changed the help wording in the Kconfig.

Lee, Chun-Yi (4):
  X.509: Add CodeSigning extended key usage parsing
  PKCS#7: Check codeSigning EKU for kernel module and kexec pe
    verification
  modsign: Add codeSigning EKU when generating X.509 key generation
    config
  Documentation/admin-guide/module-signing.rst: add openssl command
    option example for CodeSign EKU

 Documentation/admin-guide/module-signing.rst |  6 +++++
 certs/Makefile                               |  1 +
 certs/system_keyring.c                       |  2 +-
 crypto/asymmetric_keys/Kconfig               |  9 +++++++
 crypto/asymmetric_keys/pkcs7_trust.c         | 37 +++++++++++++++++++++++++---
 crypto/asymmetric_keys/x509_cert_parser.c    | 24 ++++++++++++++++++
 include/crypto/pkcs7.h                       |  3 ++-
 include/crypto/public_key.h                  |  1 +
 include/linux/oid_registry.h                 |  5 ++++
 9 files changed, 83 insertions(+), 5 deletions(-)

-- 
2.16.4