[RFC PATCH 00/15] KEYS: Restrict additions to 'trusted' keyrings

From: David Howells
Date: Fri Jan 08 2016 - 13:33:29 EST

Next message: David Howells: "[RFC PATCH 01/15] X.509: Partially revert patch to add validation against IMA MOK keyring"
Previous message: H. Nikolaus Schaller: "Re: [PATCH 1/3] ARM: dts: omap5-board-common: enable rtc and charging of backup battery"
Next in thread: David Howells: "[RFC PATCH 01/15] X.509: Partially revert patch to add validation against IMA MOK keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Here's a set of patches that changes how keys are determined to be trusted
- currently, that's a case of whether a key has KEY_FLAG_TRUSTED set upon
it. A keyring can then have a flag set (KEY_FLAG_TRUSTED ONLY) that
indicates that only keys with this flag set may be added to that keyring.

Further, any time an X.509 certificate is instantiated without this flag
set, the certificate is judged against the contents of the system trusted
keyring to determine whether KEY_FLAG_TRUSTED should be set upon it.

With these patches, KEY_FLAG_TRUSTED and KEY_FLAG_TRUSTED_ONLY are removed.

The kernel may add implicitly trusted keys to a trusted-only keyring by
asserting KEY_ALLOC_BYPASS_RESTRICTION when the key is created, but
otherwise the key will only be allowed to be added to the keyring if it can
be verified. The system trusted keyring is not then special in this sense
and other trusted keyrings can be set up that are wholly independent of it.

Each keyring can be given a vetting function that allows it to reject
attempts to add keys to that keyring based on the type and payload of the
new key. This can be set separately for each keyring.

To make this work, we have to retain sufficient data from the X.509
certificate that we can then verify the signature at need.

The patches can be found here also:

http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-trust

and are tagged with:

keys-trust-20160108

David
---
David Howells (15):
X.509: Partially revert patch to add validation against IMA MOK keyring
X.509: Don't treat self-signed keys specially
KEYS: Generalise system_verify_data() to provide access to internal content
PKCS#7: Make trust determination dependent on contents of trust keyring
KEYS: Add an alloc flag to convey the builtinness of a key
KEYS: Add a facility to restrict new links into a keyring
KEYS: Allow authentication data to be stored in an asymmetric key
KEYS: Add identifier pointers to public_key_signature struct
X.509: Retain the key verification data
X.509: Extract signature digest and make self-signed cert checks earlier
PKCS#7: Make the signature a pointer rather than embedding it
X.509: Move the trust validation code out to its own file
KEYS: Generalise x509_request_asymmetric_key()
KEYS: Move the point of trust determination to __key_link()
KEYS: Remove KEY_FLAG_TRUSTED

Documentation/security/keys.txt | 14 +
arch/x86/kernel/kexec-bzimage64.c | 18 --
certs/system_keyring.c | 72 +++++--
crypto/asymmetric_keys/Kconfig | 1
crypto/asymmetric_keys/Makefile | 2
crypto/asymmetric_keys/asymmetric_keys.h | 2
crypto/asymmetric_keys/asymmetric_type.c | 7 -
crypto/asymmetric_keys/mscode_parser.c | 21 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 64 +++---
crypto/asymmetric_keys/pkcs7_parser.c | 59 +++---
crypto/asymmetric_keys/pkcs7_parser.h | 11 -
crypto/asymmetric_keys/pkcs7_trust.c | 44 ++--
crypto/asymmetric_keys/pkcs7_verify.c | 109 ++++------
crypto/asymmetric_keys/public_key.c | 24 ++
crypto/asymmetric_keys/public_key.h | 6 +
crypto/asymmetric_keys/public_key_trust.c | 206 ++++++++++++++++++++
crypto/asymmetric_keys/verify_pefile.c | 40 +---
crypto/asymmetric_keys/verify_pefile.h | 5
crypto/asymmetric_keys/x509_cert_parser.c | 51 +++--
crypto/asymmetric_keys/x509_parser.h | 12 -
crypto/asymmetric_keys/x509_public_key.c | 304 ++++++++---------------------
fs/cifs/cifsacl.c | 2
fs/nfs/nfs4idmap.c | 2
include/crypto/pkcs7.h | 6 -
include/crypto/public_key.h | 35 +--
include/keys/asymmetric-subtype.h | 2
include/keys/asymmetric-type.h | 8 -
include/keys/system_keyring.h | 20 --
include/linux/key.h | 40 +++-
include/linux/verification.h | 49 +++++
include/linux/verify_pefile.h | 22 --
kernel/module_signing.c | 7 -
net/dns_resolver/dns_key.c | 2
net/rxrpc/ar-key.c | 4
security/integrity/digsig.c | 34 +++
security/integrity/digsig_asymmetric.c | 5
security/integrity/ima/ima_mok.c | 9 -
security/keys/key.c | 43 +++-
security/keys/keyring.c | 26 ++
security/keys/persistent.c | 4
security/keys/process_keys.c | 16 +-
security/keys/request_key.c | 4
security/keys/request_key_auth.c | 2
43 files changed, 804 insertions(+), 610 deletions(-)
create mode 100644 crypto/asymmetric_keys/public_key_trust.c
create mode 100644 include/linux/verification.h
delete mode 100644 include/linux/verify_pefile.h

Next message: David Howells: "[RFC PATCH 01/15] X.509: Partially revert patch to add validation against IMA MOK keyring"
Previous message: H. Nikolaus Schaller: "Re: [PATCH 1/3] ARM: dts: omap5-board-common: enable rtc and charging of backup battery"
Next in thread: David Howells: "[RFC PATCH 01/15] X.509: Partially revert patch to add validation against IMA MOK keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]