Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin,... | linux-crypto

[PATCH v5 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-09
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
[PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-09
Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
[PATCH v5 03/12] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 05/12] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 10/12] integrity: store reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
[PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
Re: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-09
[PATCH v5 11/12] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 06/12] KEYS: add a reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 02/12] integrity: Do not allow machine keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 02/12] integrity: Do not allow machine keyring updates following init · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
[PATCH v5 09/12] KEYS: link secondary_trusted_keys to machine trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-08
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-08
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-08
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-08

Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-09-09 18:04:45
Also in: keyrings, linux-integrity, linux-security-module, lkml

On Sep 9, 2021, at 11:26 AM, Mimi Zohar [off-list ref] wrote:

Hi Eric,

The subject line above is too long.   According to
Documentation/process/submitting-patches.rst the "the ``summary`` must
be no more than 70-75 characters".

On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:

quoted

Introduce a new link restriction that includes the trusted builtin,
secondary and machine keys. The restriction is based on the key to be added
being vouched for by a key in any of these three keyrings.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v3: Initial version
v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING
v5: Rename to machine keyring
---
certs/system_keyring.c        | 23 +++++++++++++++++++++++
include/keys/system_keyring.h |  6 ++++++
2 files changed, 29 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 08ea542c8096..955bd57815f4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c

@@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring)

{
	machine_trusted_keys = keyring;
}
+
+/**
+ * restrict_link_by_builtin_secondary_and_ca_trusted

Sorry for the patch churn.  With the keyring name change to ".machine",
the restriction name should also reflect this change.

Yes, I can change that. Should it be renamed to 
restrict_link_by_builtin_secondary_and_machine_trusted? That seems a little
long though.  Thanks.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help