[RFC PATCH] certs: Only allow certs signed by keys on the builtin keyring

Keyrings Archive mirror
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.ibm.com>
To: Jarkko Sakkinen <jarkko@kernel.org>, Denis Glazkov <d.glazkov@omp.ru>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
	David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	"David S . Miller" <davem@davemloft.net>,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-integrity@vger.kernel.org
Subject: [RFC PATCH] certs: Only allow certs signed by keys on the builtin keyring
Date: Tue, 17 Oct 2023 08:25:07 -0400	[thread overview]
Message-ID: <20231017122507.185896-1-zohar@linux.ibm.com> (raw)

Originally the secondary trusted keyring provided a keyring to which extra
keys may be added, provided those keys were not blacklisted and were
vouched for by a key built into the kernel or already in the secondary
trusted keyring.

On systems with the machine keyring configured, additional keys may also
be vouched for by a key on the machine keyring.

Prevent loading additional certificates directly onto the secondary
keyring, vouched for by keys on the machine keyring, yet allow these
certificates to be loaded onto other trusted keyrings.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 certs/Kconfig                     | 16 +++++++++++++++-
 crypto/asymmetric_keys/restrict.c |  4 ++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/certs/Kconfig b/certs/Kconfig
index 4a4dc8aab892..2e621963d260 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -88,7 +88,21 @@ config SECONDARY_TRUSTED_KEYRING
 	help
 	  If set, provide a keyring to which extra keys may be added, provided
 	  those keys are not blacklisted and are vouched for by a key built
-	  into the kernel or already in the secondary trusted keyring.
+	  into the kernel, machine keyring (if configured), or already in the
+	  secondary trusted keyring.
+
+config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
+	bool "Only allow additional certs signed by keys on the builtin trusted keyring"
+	depends on SECONDARY_TRUSTED_KEYRING
+	help
+	  If set, only certificates signed by keys on the builtin trusted
+	  keyring may be loaded onto the secondary trusted keyring.
+
+	  Note: The machine keyring, if configured, will be linked to the
+	  secondary keyring.  When enabling this option, it is recommended
+	  to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
+	  linking code signing keys with imputed trust to the secondary
+	  trusted keyring.
 
 config SECONDARY_TRUSTED_KEYRING_FOR_CA_CERTIFICATES_ONLY
 	bool "Allow only CA certificates to be added to the secondary trusted keyring"
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b69ea40da23..afcd4d101ac5 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyring,
 
 	if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
 		ret = -ENOKEY;
+	else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&
+		 !strcmp(dest_keyring->description, ".secondary_trusted_keys") &&
+		 !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+		ret = -ENOKEY;
 	else
 		ret = verify_signature(key, sig);
 	key_put(key);
-- 
2.39.3

next             reply	other threads:[~2023-10-17 12:26 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-17 12:25 Mimi Zohar [this message]
2023-10-23 23:28 ` [RFC PATCH] certs: Only allow certs signed by keys on the builtin keyring Jarkko Sakkinen
2023-10-25 12:48   ` Mimi Zohar

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:4a4dc8aab89 dfblob:6b69ea40da2 dfblob:2e621963d26
dfblob:afcd4d101ac
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231017122507.185896-1-zohar@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=d.glazkov@omp.ru \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).