Some subsystems are interested in knowing if keys within a keyring could be used as a foundation of a root of trust. Introduce a new builtin root of trust key flag. The first type of key to use this is X.509. When a X.509 certificate is self signed, has the kernCertSign Key Usage set and contains the CA bit set this new flag is set. Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> --- crypto/asymmetric_keys/x509_public_key.c | 2 ++ include/linux/key-type.h | 2 ++ include/linux/key.h | 2 ++ security/keys/key.c | 8 ++++++++ 4 files changed, 14 insertions(+) diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 91a4ad50dea2..7290e765f46b 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -215,6 +215,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) prep->payload.data[asym_auth] = cert->sig; prep->description = desc; prep->quotalen = 100; + if (cert->is_kcs_set && cert->self_signed && cert->is_root_ca) + prep->payload_flags |= KEY_ALLOC_ROT; /* We've finished with the certificate */ cert->pub = NULL; diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 7d985a1dfe4a..ed0aaad3849b 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -36,6 +36,8 @@ struct key_preparsed_payload { size_t datalen; /* Raw datalen */ size_t quotalen; /* Quota length for proposed payload */ time64_t expiry; /* Expiry time of key */ + unsigned int payload_flags; /* Proposed payload flags */ +#define KEY_ALLOC_ROT 0x0001 /* Proposed Root of Trust (ROT) key */ } __randomize_layout; typedef int (*request_key_actor_t)(struct key *auth_key, void *aux); diff --git a/include/linux/key.h b/include/linux/key.h index 7febc4881363..97f6a1f86a27 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -230,6 +230,7 @@ struct key { #define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ #define KEY_FLAG_KEEP 8 /* set if key should not be removed */ #define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ +#define KEY_FLAG_BUILTIN_ROT 10 /* set if key is a builtin Root of Trust key */ /* the key type and key description string * - the desc is used to match a key against search criteria @@ -290,6 +291,7 @@ extern struct key *key_alloc(struct key_type *type, #define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */ #define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */ #define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */ +#define KEY_ALLOC_BUILT_IN_ROT 0x0040 /* Add builtin root of trust key */ extern void key_revoke(struct key *key); extern void key_invalidate(struct key *key); diff --git a/security/keys/key.c b/security/keys/key.c index c45afdd1dfbb..732bb837fc51 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->flags |= 1 << KEY_FLAG_UID_KEYRING; if (flags & KEY_ALLOC_SET_KEEP) key->flags |= 1 << KEY_FLAG_KEEP; + if (flags & KEY_ALLOC_BUILT_IN_ROT) + key->flags |= 1 << KEY_FLAG_BUILTIN_ROT; #ifdef KEY_DEBUGGING key->magic = KEY_DEBUG_MAGIC; @@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, perm |= KEY_POS_WRITE; } + /* Only allow KEY_ALLOC_BUILT_IN_ROT flag to be set by preparser contents */ + if (prep.payload_flags & KEY_ALLOC_ROT) + flags |= KEY_ALLOC_BUILT_IN_ROT; + else + flags &= ~KEY_ALLOC_BUILT_IN_ROT; + /* allocate a new key */ key = key_alloc(index_key.type, index_key.description, cred->fsuid, cred->fsgid, cred, perm, flags, NULL); -- 2.27.0