mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

certs: Only allow certs signed by keys on the builtin keyring 

Originally the secondary trusted keyring provided a keyring to which extra
keys may be added, provided those keys were not blacklisted and were
vouched for by a key built into the kernel or already in the secondary
trusted keyring.

On systems with the machine keyring configured, additional keys may also
be vouched for by a key on the machine keyring.

Prevent loading additional certificates directly onto the secondary
keyring, vouched for by keys on the machine keyring, yet allow these
certificates to be loaded onto other trusted keyrings.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Mimi Zohar 2023-10-15 20:18:03 -04:00
parent 7b5c3086d1
commit b46503068c
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
certs/Kconfig
View File

@ -88,7 +88,21 @@ config SECONDARY_TRUSTED_KEYRING
help
If set, provide a keyring to which extra keys may be added, provided
those keys are not blacklisted and are vouched for by a key built
into the kernel or already in the secondary trusted keyring.
into the kernel, machine keyring (if configured), or already in the
secondary trusted keyring.
config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
bool "Only allow additional certs signed by keys on the builtin trusted keyring"
depends on SECONDARY_TRUSTED_KEYRING
help
If set, only certificates signed by keys on the builtin trusted
keyring may be loaded onto the secondary trusted keyring.
Note: The machine keyring, if configured, will be linked to the
secondary keyring. When enabling this option, it is recommended
to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
linking code signing keys with imputed trust to the secondary
trusted keyring.
config SYSTEM_BLACKLIST_KEYRING
bool "Provide system-wide ring of blacklisted keys"

4
crypto/asymmetric_keys/restrict.c
View File

@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyring,
if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
ret = -ENOKEY;
else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&
!strcmp(dest_keyring->description, ".secondary_trusted_keys") &&
!test_bit(KEY_FLAG_BUILTIN, &key->flags))
ret = -ENOKEY;
else
ret = verify_signature(key, sig);
key_put(key);