From: "Lee, Chun-Yi"
To: David Howells
Cc: Herbert Xu , "David S . Miller" , Ben Boeckel , Randy Dunlap , Malte Gell , Varad Gautam , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH v6 0/4] Check codeSigning extended key usage extension
Date: Thu, 29 Apr 2021 15:28:47 +0800
Message-Id: <20210429072851.24057-1-jlee@suse.com>
X-Mailing-List: linux-crypto@vger.kernel.org

NIAP PP_OS certification requests that the OS shall validate the CodeSigning
extended key usage extension field for integrity verification of executable
code:

https://www.niap-ccevs.org/MMO/PP/-442-/
FIA_X509_EXT.1.1

This patchset adds the logic for parsing the codeSigning EKU extension field
in X.509. It also checks the CodeSigning EKU when verifying the signature of a
kernel module or kexec PE binary in PKCS#7.

v6:
- Add more length checking when parsing extKeyUsage and EKU's OID blob.
- Add 'usage' parameter to the comment of pkcs7_validate_trust function.

v5: Fixed the wording in module-signing.rst.

v4: Fixed the wording in patch description.

v3:
- Add codeSigning EKU to x509.genkey key generation config.
- Add openssl command option example for generating CodeSign EKU to
  module-signing.rst document.

v2: Changed the help wording in the Kconfig.

Lee, Chun-Yi (4):
  X.509: Add CodeSigning extended key usage parsing
  PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification
  modsign: Add codeSigning EKU when generating X.509 key generation config
  Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU

 Documentation/admin-guide/module-signing.rst |  6 +++++
 certs/Makefile                               |  1 +
 certs/system_keyring.c                       |  2 +-
 crypto/asymmetric_keys/Kconfig               |  9 +++++++
 crypto/asymmetric_keys/pkcs7_trust.c         | 37 +++++++++++++++++++++++++---
 crypto/asymmetric_keys/x509_cert_parser.c    | 24 ++++++++++++++++++
 include/crypto/pkcs7.h                       |  3 ++-
 include/crypto/public_key.h                  |  1 +
 include/linux/oid_registry.h                 |  5 ++++
 9 files changed, 83 insertions(+), 5 deletions(-)

-- 
2.16.4
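As an added illustration of the v6 point about length checking when parsing extKeyUsage (this is not code from the patch series or from the kernel's x509_cert_parser.c), the following C walks a DER-encoded extKeyUsage value, SEQUENCE OF OBJECT IDENTIFIER, bounds-checking every length before use, and reports whether id-kp-codeSigning (the standard OID 1.3.6.1.5.5.7.3.3) is listed; the function names and the sample byte strings are my own constructions.

```c
/* Added example (not the kernel's code): strict DER walk over an extKeyUsage
 * value, SEQUENCE OF OBJECT IDENTIFIER, reporting whether id-kp-codeSigning
 * (1.3.6.1.5.5.7.3.3) is listed. Every length is checked before use. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER content octets of id-kp-codeSigning, 1.3.6.1.5.5.7.3.3 */
static const uint8_t OID_CODESIGNING[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x03};

/* Decode one TLV at buf[*pos], never reading past bound: 0 ok, -1 malformed. */
static int der_tlv(const uint8_t *buf, size_t bound, size_t *pos,
                   uint8_t *tag, size_t *vlen, size_t *vstart)
{
    size_t p = *pos, l, n;
    if (bound - p < 2) return -1;            /* no room for tag + length */
    *tag = buf[p++];
    l = buf[p++];
    if (l & 0x80) {                          /* long form: 1 or 2 length bytes */
        n = l & 0x7f;
        if (n == 0 || n > 2 || bound - p < n) return -1;
        for (l = 0; n; n--) l = (l << 8) | buf[p++];
    }
    if (l > bound - p) return -1;            /* value would overrun the bound */
    *vstart = p; *vlen = l; *pos = p + l;
    return 0;
}

/* 1 if codeSigning is listed, 0 if not, -1 if the encoding is malformed. */
int eku_has_code_signing(const uint8_t *ext, size_t len)
{
    uint8_t tag; size_t seqlen, seqstart, olen, ostart, end, pos = 0; int found = 0;
    if (der_tlv(ext, len, &pos, &tag, &seqlen, &seqstart) || tag != 0x30 || pos != len)
        return -1;                            /* must be exactly one SEQUENCE */
    for (end = seqstart + seqlen, pos = seqstart; pos < end; ) {
        if (der_tlv(ext, end, &pos, &tag, &olen, &ostart) || tag != 0x06 || olen == 0)
            return -1;                        /* each element: a non-empty OID */
        if (olen == sizeof(OID_CODESIGNING) && !memcmp(ext + ostart, OID_CODESIGNING, olen))
            found = 1;
    }
    return found;
}

/* Constructed samples: codeSigning only; serverAuth only; body cut short. */
static const uint8_t EKU_CODESIGN[] = {0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x03};
static const uint8_t EKU_SERVERAUTH[] = {0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01};
static const uint8_t EKU_TRUNCATED[] = {0x30,0x0a,0x06,0x08,0x2b,0x06,0x01,0x05};
```

A verifier that only searched the extension bytes for the OID would accept the truncated sample; the bounded walk rejects it, which is the behaviour the extra length checks in v6 are after.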