certs: Add a secondary system keyring that can be added to dynamically
Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring. Rename .system_keyring to .builtin_trusted_keys to distinguish it more obviously from the new keyring (called .secondary_trusted_keys). The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING. If the secondary keyring is enabled, a link is created from that to .builtin_trusted_keys so that the the latter will automatically be searched too if the secondary keyring is searched. Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
parent
77f68bac94
commit
d3bfe84129
3 changed files with 88 additions and 16 deletions
|
@ -56,4 +56,12 @@ config SYSTEM_EXTRA_CERTIFICATE_SIZE
|
||||||
This is the number of bytes reserved in the kernel image for a
|
This is the number of bytes reserved in the kernel image for a
|
||||||
certificate to be inserted.
|
certificate to be inserted.
|
||||||
|
|
||||||
|
config SECONDARY_TRUSTED_KEYRING
|
||||||
|
bool "Provide a keyring to which extra trustable keys may be added"
|
||||||
|
depends on SYSTEM_TRUSTED_KEYRING
|
||||||
|
help
|
||||||
|
If set, provide a keyring to which extra keys may be added, provided
|
||||||
|
those keys are not blacklisted and are vouched for by a key built
|
||||||
|
into the kernel or already in the secondary trusted keyring.
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
|
|
@ -18,41 +18,88 @@
|
||||||
#include <keys/system_keyring.h>
|
#include <keys/system_keyring.h>
|
||||||
#include <crypto/pkcs7.h>
|
#include <crypto/pkcs7.h>
|
||||||
|
|
||||||
static struct key *system_trusted_keyring;
|
static struct key *builtin_trusted_keys;
|
||||||
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||||
|
static struct key *secondary_trusted_keys;
|
||||||
|
#endif
|
||||||
|
|
||||||
extern __initconst const u8 system_certificate_list[];
|
extern __initconst const u8 system_certificate_list[];
|
||||||
extern __initconst const unsigned long system_certificate_list_size;
|
extern __initconst const unsigned long system_certificate_list_size;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* restrict_link_by_builtin_trusted - Restrict keyring addition by system CA
|
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
|
||||||
*
|
*
|
||||||
* Restrict the addition of keys into a keyring based on the key-to-be-added
|
* Restrict the addition of keys into a keyring based on the key-to-be-added
|
||||||
* being vouched for by a key in the system keyring.
|
* being vouched for by a key in the built in system keyring.
|
||||||
*/
|
*/
|
||||||
int restrict_link_by_builtin_trusted(struct key *keyring,
|
int restrict_link_by_builtin_trusted(struct key *keyring,
|
||||||
const struct key_type *type,
|
const struct key_type *type,
|
||||||
const union key_payload *payload)
|
const union key_payload *payload)
|
||||||
{
|
{
|
||||||
return restrict_link_by_signature(system_trusted_keyring,
|
return restrict_link_by_signature(builtin_trusted_keys, type, payload);
|
||||||
type, payload);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||||
|
/**
|
||||||
|
* restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
|
||||||
|
* addition by both builtin and secondary keyrings
|
||||||
|
*
|
||||||
|
* Restrict the addition of keys into a keyring based on the key-to-be-added
|
||||||
|
* being vouched for by a key in either the built-in or the secondary system
|
||||||
|
* keyrings.
|
||||||
|
*/
|
||||||
|
int restrict_link_by_builtin_and_secondary_trusted(
|
||||||
|
struct key *keyring,
|
||||||
|
const struct key_type *type,
|
||||||
|
const union key_payload *payload)
|
||||||
|
{
|
||||||
|
/* If we have a secondary trusted keyring, then that contains a link
|
||||||
|
* through to the builtin keyring and the search will follow that link.
|
||||||
|
*/
|
||||||
|
if (type == &key_type_keyring &&
|
||||||
|
keyring == secondary_trusted_keys &&
|
||||||
|
payload == &builtin_trusted_keys->payload)
|
||||||
|
/* Allow the builtin keyring to be added to the secondary */
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
return restrict_link_by_signature(secondary_trusted_keys, type, payload);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Load the compiled-in keys
|
* Create the trusted keyrings
|
||||||
*/
|
*/
|
||||||
static __init int system_trusted_keyring_init(void)
|
static __init int system_trusted_keyring_init(void)
|
||||||
{
|
{
|
||||||
pr_notice("Initialise system trusted keyring\n");
|
pr_notice("Initialise system trusted keyrings\n");
|
||||||
|
|
||||||
system_trusted_keyring =
|
builtin_trusted_keys =
|
||||||
keyring_alloc(".system_keyring",
|
keyring_alloc(".builtin_trusted_keys",
|
||||||
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
|
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
|
||||||
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||||
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
|
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
|
||||||
KEY_ALLOC_NOT_IN_QUOTA,
|
KEY_ALLOC_NOT_IN_QUOTA,
|
||||||
restrict_link_by_builtin_trusted, NULL);
|
NULL, NULL);
|
||||||
if (IS_ERR(system_trusted_keyring))
|
if (IS_ERR(builtin_trusted_keys))
|
||||||
panic("Can't allocate system trusted keyring\n");
|
panic("Can't allocate builtin trusted keyring\n");
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||||
|
secondary_trusted_keys =
|
||||||
|
keyring_alloc(".secondary_trusted_keys",
|
||||||
|
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
|
||||||
|
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||||
|
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
|
||||||
|
KEY_USR_WRITE),
|
||||||
|
KEY_ALLOC_NOT_IN_QUOTA,
|
||||||
|
restrict_link_by_builtin_and_secondary_trusted,
|
||||||
|
NULL);
|
||||||
|
if (IS_ERR(secondary_trusted_keys))
|
||||||
|
panic("Can't allocate secondary trusted keyring\n");
|
||||||
|
|
||||||
|
if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
|
||||||
|
panic("Can't link trusted keyrings\n");
|
||||||
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -88,7 +135,7 @@ static __init int load_system_certificate_list(void)
|
||||||
if (plen > end - p)
|
if (plen > end - p)
|
||||||
goto dodgy_cert;
|
goto dodgy_cert;
|
||||||
|
|
||||||
key = key_create_or_update(make_key_ref(system_trusted_keyring, 1),
|
key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
|
||||||
"asymmetric",
|
"asymmetric",
|
||||||
NULL,
|
NULL,
|
||||||
p,
|
p,
|
||||||
|
@ -125,7 +172,8 @@ late_initcall(load_system_certificate_list);
|
||||||
* @len: Size of @data.
|
* @len: Size of @data.
|
||||||
* @raw_pkcs7: The PKCS#7 message that is the signature.
|
* @raw_pkcs7: The PKCS#7 message that is the signature.
|
||||||
* @pkcs7_len: The size of @raw_pkcs7.
|
* @pkcs7_len: The size of @raw_pkcs7.
|
||||||
* @trusted_keys: Trusted keys to use (NULL for system_trusted_keyring).
|
* @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
|
||||||
|
* (void *)1UL for all trusted keys).
|
||||||
* @usage: The use to which the key is being put.
|
* @usage: The use to which the key is being put.
|
||||||
* @view_content: Callback to gain access to content.
|
* @view_content: Callback to gain access to content.
|
||||||
* @ctx: Context for callback.
|
* @ctx: Context for callback.
|
||||||
|
@ -157,8 +205,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
if (!trusted_keys)
|
if (!trusted_keys) {
|
||||||
trusted_keys = system_trusted_keyring;
|
trusted_keys = builtin_trusted_keys;
|
||||||
|
} else if (trusted_keys == (void *)1UL) {
|
||||||
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||||
|
trusted_keys = secondary_trusted_keys;
|
||||||
|
#else
|
||||||
|
trusted_keys = builtin_trusted_keys;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
|
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
if (ret == -ENOKEY)
|
if (ret == -ENOKEY)
|
||||||
|
|
|
@ -24,6 +24,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
|
||||||
#define restrict_link_by_builtin_trusted restrict_link_reject
|
#define restrict_link_by_builtin_trusted restrict_link_reject
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||||
|
extern int restrict_link_by_builtin_and_secondary_trusted(
|
||||||
|
struct key *keyring,
|
||||||
|
const struct key_type *type,
|
||||||
|
const union key_payload *payload);
|
||||||
|
#else
|
||||||
|
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef CONFIG_IMA_MOK_KEYRING
|
#ifdef CONFIG_IMA_MOK_KEYRING
|
||||||
extern struct key *ima_mok_keyring;
|
extern struct key *ima_mok_keyring;
|
||||||
extern struct key *ima_blacklist_keyring;
|
extern struct key *ima_blacklist_keyring;
|
||||||
|
|
Loading…
Reference in a new issue