[PATCH v6 02/13] integrity: Do not allow machine keyring updates following init

[PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 01/13] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 07/13] KEYS: add a reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 03/13] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 03/13] KEYS: CA link restriction · Nayna <hidden> · 2021-09-16
[PATCH v6 02/13] integrity: Do not allow machine keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 06/13] KEYS: Rename get_builtin_and_secondary_restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 08/13] KEYS: Introduce link restriction for machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 05/13] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 04/13] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Peter Jones <pjones@redhat.com> · 2021-09-16
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Peter Jones <pjones@redhat.com> · 2021-09-17
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
[PATCH v6 13/13] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 10/13] KEYS: link secondary_trusted_keys to machine trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 11/13] integrity: store reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 09/13] KEYS: integrity: change link restriction to trust the machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-15
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-15
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-16
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Peter Jones <pjones@redhat.com> · 2021-09-16
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-21
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Nayna <hidden> · 2021-09-16
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-17

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-09-14 21:16:24
Also in: keyrings, linux-integrity, linux-security-module, lkml
Subsystem: extended verification module (evm), integrity measurement architecture (ima), security subsystem, the rest · Maintainers: Mimi Zohar, Roberto Sassu, Dmitry Kasatkin, Paul Moore, James Morris, "Serge E. Hallyn", Linus Torvalds

The machine keyring is setup during init.  No additional keys should be
allowed to be added afterwards.  Leave the permission as read only.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v2: Initial version
v4: Unmodified from v2
v5: Rename to machine keyring
v6: Add additional comment (suggested by Jarkko)
---
 security/integrity/digsig.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 8c315be8ad99..910fe29a5037 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c

@@ -140,7 +140,13 @@ int __init integrity_init_keyring(const unsigned int id)
 		return -ENOMEM;
 
 	restriction->check = restrict_link_to_ima;
-	perm |= KEY_USR_WRITE;
+
+	/*
+	 * No additional keys shall be allowed to load into the machine
+	 * keyring following init
+	 */
+	if (id != INTEGRITY_KEYRING_MACHINE)
+		perm |= KEY_USR_WRITE;
 
 out:
 	return __integrity_init_keyring(id, perm, restriction);

-- 
2.18.4

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help