From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu, "David S . Miller", Ben Boeckel, Randy Dunlap, Malte Gell, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v5 0/4] Check codeSigning extended key usage extension
Date: Tue, 23 Mar 2021 11:55:17 +0800
Message-Id: <20210323035521.5843-1-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

NIAP PP_OS certification requests that the OS shall validate the CodeSigning
extended key usage extension field for integrity verification of executable
code:

https://www.niap-ccevs.org/MMO/PP/-442-/
FIA_X509_EXT.1.1

This patchset adds the logic for parsing the codeSigning EKU extension field
in X.509, and checks the CodeSigning EKU when verifying the signature of a
kernel module or kexec PE binary in PKCS#7.

v5:
Fixed the wording in module-signing.rst.

v4:
Fixed the wording in patch description.

v3:
- Add codeSigning EKU to x509.genkey key generation config.
- Add openssl command option example for generating CodeSign EKU to
  module-signing.rst document.

v2:
Changed the help wording in the Kconfig.

Lee, Chun-Yi (4):
  X.509: Add CodeSigning extended key usage parsing
  PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification
  modsign: Add codeSigning EKU when generating X.509 key generation config
  Documentation/admin-guide/module-signing.rst: add openssl command option
    example for CodeSign EKU

 Documentation/admin-guide/module-signing.rst |  6 +++++
 certs/Makefile                               |  1 +
 certs/system_keyring.c                       |  2 +-
 crypto/asymmetric_keys/Kconfig               |  9 +++++++
 crypto/asymmetric_keys/pkcs7_trust.c         | 37 +++++++++++++++++++++++++---
 crypto/asymmetric_keys/x509_cert_parser.c    | 24 ++++++++++++++++++
 include/crypto/pkcs7.h                       |  3 ++-
 include/crypto/public_key.h                  |  1 +
 include/linux/oid_registry.h                 |  5 ++++
 9 files changed, 83 insertions(+), 5 deletions(-)

-- 
2.16.4
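The EKU check the cover letter describes, as an added example that is not code from the patchset or the kernel: a minimal DER walk over an extKeyUsage extension value (the SEQUENCE OF OBJECT IDENTIFIER carried inside the extension's OCTET STRING) that reports whether id-kp-codeSigning (1.3.6.1.5.5.7.3.3) is listed and rejects malformed encodings rather than guessing. The sample byte strings are constructed here; serverAuth (1.3.6.1.5.5.7.3.1) appears only as a second, non-signing purpose.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3. */
static const uint8_t OID_CODESIGNING[] = { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };

/* Parse a DER tag+length header: returns header size, stores content length in *len; 0 if malformed. */
static size_t der_hdr(const uint8_t *p, size_t n, uint8_t tag, size_t *len)
{
    if (n < 2 || p[0] != tag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return 2; }        /* short-form length */
    size_t nb = p[1] & 0x7F;                            /* long form: nb length bytes follow */
    if (nb == 0 || nb > 2 || n < 2 + nb) return 0;      /* indefinite or oversized: reject */
    *len = 0;
    for (size_t i = 0; i < nb; i++) *len = (*len << 8) | p[2 + i];
    return 2 + nb;
}

/* Walk an extKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER):
 * 1 if id-kp-codeSigning is listed, 0 if not, -1 if the DER is malformed. */
int eku_has_code_signing(const uint8_t *ext, size_t ext_len)
{
    size_t seq_len, oid_len, h, hdr = der_hdr(ext, ext_len, 0x30, &seq_len);
    if (hdr == 0 || hdr + seq_len != ext_len) return -1;   /* must be exactly one SEQUENCE */
    const uint8_t *p = ext + hdr, *end = ext + ext_len;
    int found = 0;
    while (p < end) {
        h = der_hdr(p, (size_t)(end - p), 0x06, &oid_len);
        if (h == 0 || oid_len == 0 || oid_len > (size_t)(end - p) - h) return -1;
        if (oid_len == sizeof OID_CODESIGNING && memcmp(p + h, OID_CODESIGNING, oid_len) == 0)
            found = 1;          /* keep walking so a later malformed OID still fails */
        p += h + oid_len;
    }
    return found;
}

/* Constructed samples (not from the patch): serverAuth + codeSigning, and serverAuth only. */
static const uint8_t EKU_WITH_CS[] = { 0x30, 0x14, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
                                       0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };
static const uint8_t EKU_NO_CS[] = { 0x30, 0x0A, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };

int main(void)
{
    printf("serverAuth+codeSigning: %d\n", eku_has_code_signing(EKU_WITH_CS, sizeof EKU_WITH_CS));
    printf("serverAuth only:        %d\n", eku_has_code_signing(EKU_NO_CS, sizeof EKU_NO_CS));
    return 0;
}
```

A verifier that enforces the NIAP requirement treats both 0 and -1 as a failed signature check; the distinction only matters for logging why.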