certs: Add a secondary system keyring that can be added to dynamically

Add a secondary system keyring that can be added to by root whilst the
system is running - provided the key being added is vouched for by a key
built into the kernel or already added to the secondary keyring.

Rename .system_keyring to .builtin_trusted_keys to distinguish it more
obviously from the new keyring (called .secondary_trusted_keys).

The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING.

If the secondary keyring is enabled, a link is created from that to
.builtin_trusted_keys so that the the latter will automatically be searched
too if the secondary keyring is searched.

Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
David Howells 2016-04-06 16:14:27 +01:00
parent 77f68bac94
commit d3bfe84129
3 changed files with 88 additions and 16 deletions

View File

@ -56,4 +56,12 @@ config SYSTEM_EXTRA_CERTIFICATE_SIZE
This is the number of bytes reserved in the kernel image for a This is the number of bytes reserved in the kernel image for a
certificate to be inserted. certificate to be inserted.
config SECONDARY_TRUSTED_KEYRING
bool "Provide a keyring to which extra trustable keys may be added"
depends on SYSTEM_TRUSTED_KEYRING
help
If set, provide a keyring to which extra keys may be added, provided
those keys are not blacklisted and are vouched for by a key built
into the kernel or already in the secondary trusted keyring.
endmenu endmenu

View File

@ -18,41 +18,88 @@
#include <keys/system_keyring.h> #include <keys/system_keyring.h>
#include <crypto/pkcs7.h> #include <crypto/pkcs7.h>
static struct key *system_trusted_keyring; static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
static struct key *secondary_trusted_keys;
#endif
extern __initconst const u8 system_certificate_list[]; extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long system_certificate_list_size;
/** /**
* restrict_link_by_builtin_trusted - Restrict keyring addition by system CA * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
* *
* Restrict the addition of keys into a keyring based on the key-to-be-added * Restrict the addition of keys into a keyring based on the key-to-be-added
* being vouched for by a key in the system keyring. * being vouched for by a key in the built in system keyring.
*/ */
int restrict_link_by_builtin_trusted(struct key *keyring, int restrict_link_by_builtin_trusted(struct key *keyring,
const struct key_type *type, const struct key_type *type,
const union key_payload *payload) const union key_payload *payload)
{ {
return restrict_link_by_signature(system_trusted_keyring, return restrict_link_by_signature(builtin_trusted_keys, type, payload);
type, payload);
} }
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/**
* restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
* addition by both builtin and secondary keyrings
*
* Restrict the addition of keys into a keyring based on the key-to-be-added
* being vouched for by a key in either the built-in or the secondary system
* keyrings.
*/
int restrict_link_by_builtin_and_secondary_trusted(
struct key *keyring,
const struct key_type *type,
const union key_payload *payload)
{
/* If we have a secondary trusted keyring, then that contains a link
* through to the builtin keyring and the search will follow that link.
*/
if (type == &key_type_keyring &&
keyring == secondary_trusted_keys &&
payload == &builtin_trusted_keys->payload)
/* Allow the builtin keyring to be added to the secondary */
return 0;
return restrict_link_by_signature(secondary_trusted_keys, type, payload);
}
#endif
/* /*
* Load the compiled-in keys * Create the trusted keyrings
*/ */
static __init int system_trusted_keyring_init(void) static __init int system_trusted_keyring_init(void)
{ {
pr_notice("Initialise system trusted keyring\n"); pr_notice("Initialise system trusted keyrings\n");
system_trusted_keyring = builtin_trusted_keys =
keyring_alloc(".system_keyring", keyring_alloc(".builtin_trusted_keys",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
((KEY_POS_ALL & ~KEY_POS_SETATTR) | ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
KEY_ALLOC_NOT_IN_QUOTA, KEY_ALLOC_NOT_IN_QUOTA,
restrict_link_by_builtin_trusted, NULL); NULL, NULL);
if (IS_ERR(system_trusted_keyring)) if (IS_ERR(builtin_trusted_keys))
panic("Can't allocate system trusted keyring\n"); panic("Can't allocate builtin trusted keyring\n");
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
secondary_trusted_keys =
keyring_alloc(".secondary_trusted_keys",
KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
KEY_USR_WRITE),
KEY_ALLOC_NOT_IN_QUOTA,
restrict_link_by_builtin_and_secondary_trusted,
NULL);
if (IS_ERR(secondary_trusted_keys))
panic("Can't allocate secondary trusted keyring\n");
if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
panic("Can't link trusted keyrings\n");
#endif
return 0; return 0;
} }
@ -88,7 +135,7 @@ static __init int load_system_certificate_list(void)
if (plen > end - p) if (plen > end - p)
goto dodgy_cert; goto dodgy_cert;
key = key_create_or_update(make_key_ref(system_trusted_keyring, 1), key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
"asymmetric", "asymmetric",
NULL, NULL,
p, p,
@ -125,7 +172,8 @@ late_initcall(load_system_certificate_list);
* @len: Size of @data. * @len: Size of @data.
* @raw_pkcs7: The PKCS#7 message that is the signature. * @raw_pkcs7: The PKCS#7 message that is the signature.
* @pkcs7_len: The size of @raw_pkcs7. * @pkcs7_len: The size of @raw_pkcs7.
* @trusted_keys: Trusted keys to use (NULL for system_trusted_keyring). * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
* (void *)1UL for all trusted keys).
* @usage: The use to which the key is being put. * @usage: The use to which the key is being put.
* @view_content: Callback to gain access to content. * @view_content: Callback to gain access to content.
* @ctx: Context for callback. * @ctx: Context for callback.
@ -157,8 +205,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
if (ret < 0) if (ret < 0)
goto error; goto error;
if (!trusted_keys) if (!trusted_keys) {
trusted_keys = system_trusted_keyring; trusted_keys = builtin_trusted_keys;
} else if (trusted_keys == (void *)1UL) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
trusted_keys = secondary_trusted_keys;
#else
trusted_keys = builtin_trusted_keys;
#endif
}
ret = pkcs7_validate_trust(pkcs7, trusted_keys); ret = pkcs7_validate_trust(pkcs7, trusted_keys);
if (ret < 0) { if (ret < 0) {
if (ret == -ENOKEY) if (ret == -ENOKEY)

View File

@ -24,6 +24,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring,
#define restrict_link_by_builtin_trusted restrict_link_reject #define restrict_link_by_builtin_trusted restrict_link_reject
#endif #endif
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
extern int restrict_link_by_builtin_and_secondary_trusted(
struct key *keyring,
const struct key_type *type,
const union key_payload *payload);
#else
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif
#ifdef CONFIG_IMA_MOK_KEYRING #ifdef CONFIG_IMA_MOK_KEYRING
extern struct key *ima_mok_keyring; extern struct key *ima_mok_keyring;
extern struct key *ima_blacklist_keyring; extern struct key *ima_blacklist_keyring;