Re: [PATCH v5 5/6] KEYS: CA link restriction
From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2023-03-29 21:58:36
Also in:
keyrings, linux-crypto, linux-integrity, lkml
On Mon, Mar 20, 2023 at 04:35:33PM -0400, Mimi Zohar wrote:
On Mon, 2023-03-20 at 20:28 +0200, Jarkko Sakkinen wrote:quoted
On Mon, Mar 20, 2023 at 05:35:05PM +0000, Eric Snowberg wrote:quoted
quoted
On Mar 11, 2023, at 3:10 PM, Jarkko Sakkinen [off-list ref] wrote: On Thu, Mar 02, 2023 at 11:46:51AM -0500, Eric Snowberg wrote:quoted
Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> --- crypto/asymmetric_keys/restrict.c | 38 +++++++++++++++++++++++++++++++ include/crypto/public_key.h | 15 ++++++++++++ 2 files changed, 53 insertions(+)diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 6b1ac5f5896a..48457c6f33f9 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c@@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring,return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) + return -ENOKEY; + if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) + return -ENOKEY; + if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) + return -ENOKEY;nit: would be more readable, if conditions were separated by empty lines.Ok, I will make this change in the next round. Thanks.Cool! Mimi have you tested these patches with IMA applied?Yes, it's working as expected.
OK, I will pick these. BR, Jarkko