Prior to the introduction of the machine keyring, most distros simply allowed all keys contained within the platform keyring to be used for both kernel and module verification. This was done by an out of tree patch. Some distros took it even further and loaded all these keys into the secondary trusted keyring. This also allowed the system owner to add their own key for IMA usage. Each distro contains similar documentation on how to sign kernel modules and enroll the key into the MOK. The process is fairly straightforward. With the introduction of the machine keyring, the process remains basically the same, without the need for any out of tree patches. The machine keyring allowed distros to eliminate the out of tree patches for kernel module signing. However, it falls short in allowing the end user to add their own keys for IMA. Currently, the machine keyring can not be used as another trust anchor for adding keys to the ima keyring, since CA enforcement does not currently exist. This would expand the current integrity gap. The IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY Kconfig states that keys may be added to the ima keyrings if the key is validly signed by a CA cert in the system built-in or secondary trusted keyring. Currently, there is not code that enforces the contents of a CA cert. This series introduces a way to do CA enforement with the machine keyring. It introduces three different ways to configure the machine keyring. A new menu option is added to control the type of keys that may be added to it. The options include none, min, and max restrictions. The default is CONFIG_INTEGRITY_CA_MACHINE_KEYRING_NONE. This allows all MOK keys into the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MIN is selected, the X.509 CA bit must be true. Also, the key usage must contain keyCertSign, any other usage field may also be set. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the X.509 CA bit must be true. Also, the key usage must contain keyCertSign and the digitialSignature usage may not be set. If a key doesn't pass the CA restriction check, instead of going into the machine keyring, it is added to the platform keyring. With the ability to configure the machine keyring with CA restrictions, code that prevented the machine keyring from being enabled with IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY has been removed. Changelog: v4: - Removed all code that validated the certificate chain back to the root CA. Now the only restriction is what is initially placed in the machine keyring. - Check and store if the X.509 usage contains digitalSignature - New Kconfig menu item with none, min and max CA restriction on the machine keyring v3: - Allow Intermediate CA certs to be enrolled through the MOK. The Intermediate CA cert must contain keyCertSign key usage and have the CA bit set to true. This was done by removing the self signed requirement. Eric Snowberg (6): KEYS: Create static version of public_key_verify_signature KEYS: Add missing function documentation KEYS: X.509: Parse Basic Constraints for CA KEYS: X.509: Parse Key Usage KEYS: CA link restriction integrity: machine keyring CA configuration certs/system_keyring.c | 14 +++++-- crypto/asymmetric_keys/restrict.c | 40 ++++++++++++++++++ crypto/asymmetric_keys/x509_cert_parser.c | 50 +++++++++++++++++++++++ include/crypto/public_key.h | 28 +++++++++++++ security/integrity/Kconfig | 39 +++++++++++++++++- security/integrity/digsig.c | 8 +++- 6 files changed, 173 insertions(+), 6 deletions(-) base-commit: 4ec5183ec48656cec489c49f989c508b68b518e3 -- 2.27.0
