A key added to the ima keyring must be signed by a key contained within either the builtin trusted or secondary trusted keyrings. Currently, there are CA restrictions described in IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, but these restrictions are not enforced within code. Therefore, keys within either the builtin or secondary may not be a CA and could be used to vouch for an ima key. The machine keyring can not be used as another trust anchor for adding keys to the ima keyring, since CA enforcement does not currently exist [1]. This would expand the current integrity gap. Introduce a new root of trust key flag to close this integrity gap for all keyrings. The first key type to use this is X.509. When a X.509 certificate is self signed, contains kernCertSign Key Usage and contains the CA bit, the new flag is set. Introduce new keyring restrictions that not only validates a key is signed by a key contained within the keyring, but also validates the key has the new root of trust key flag set. Use this new restriction for keys added to the ima keyring. Now that we have CA enforcement, allow the machine keyring to be used as another trust anchor for the ima keyring. To recap, all keys that previously loaded into the builtin, secondary or machine keyring will still load after applying this series. Keys contained within these keyrings may carry the root of trust flag. The ima keyring will use the new root of trust restriction to validate CA enforcement. Other keyrings that require a root of trust could also use this in the future. [1] https://lore.kernel.org/lkml/2d681148b6ea57241f6a7c518dd331068a5f47b0.camel@xxxxxxxxxxxxx/ Eric Snowberg (7): KEYS: Create static version of public_key_verify_signature KEYS: X.509: Parse Basic Constraints for CA KEYS: X.509: Parse Key Usage KEYS: Introduce a builtin root of trust key flag KEYS: Introduce sig restriction that validates root of trust KEYS: X.509: Flag Intermediate CA certs as built in integrity: Use root of trust signature restriction certs/system_keyring.c | 18 ++++++++++ crypto/asymmetric_keys/restrict.c | 42 +++++++++++++++++++++++ crypto/asymmetric_keys/x509_cert_parser.c | 29 ++++++++++++++++ crypto/asymmetric_keys/x509_parser.h | 2 ++ crypto/asymmetric_keys/x509_public_key.c | 12 +++++++ include/crypto/public_key.h | 9 +++++ include/keys/system_keyring.h | 17 ++++++++- include/linux/ima.h | 16 +++++++++ include/linux/key-type.h | 3 ++ include/linux/key.h | 2 ++ security/integrity/Kconfig | 1 - security/integrity/digsig.c | 4 +-- security/keys/key.c | 13 +++++++ 13 files changed, 164 insertions(+), 4 deletions(-) base-commit: 3123109284176b1532874591f7c81f3837bbdc17 -- 2.27.0