From 4cfb908054456ad8b6b8cd5108bbdf80faade8cd Mon Sep 17 00:00:00 2001 From: Eric Snowberg Date: Mon, 22 May 2023 19:09:42 -0400 Subject: KEYS: DigitalSignature link restriction Add a new link restriction. Restrict the addition of keys in a keyring based on the key having digitalSignature usage set. Additionally, verify the new certificate against the ones in the system keyrings. Add two additional functions to use the new restriction within either the builtin or secondary keyrings. [jarkko@kernel.org: Fix checkpatch.pl --strict issues] Signed-off-by: Eric Snowberg Reviewed-and-tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- include/crypto/public_key.h | 12 ++++++++++++ include/keys/system_keyring.h | 10 ++++++++++ 2 files changed, 22 insertions(+) (limited to 'include') diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 8fadd561c50e..462f8a34cdf8 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -78,6 +78,10 @@ extern int restrict_link_by_ca(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *trust_keyring); +int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); #else static inline int restrict_link_by_ca(struct key *dest_keyring, const struct key_type *type, @@ -86,6 +90,14 @@ static inline int restrict_link_by_ca(struct key *dest_keyring, { return 0; } + +static inline int restrict_link_by_digsig(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} #endif extern int query_asymmetric_key(const struct kernel_pkey_params *, diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 91e080efb918..7e2583208820 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -23,10 +23,15 @@ extern int restrict_link_by_builtin_trusted(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +int restrict_link_by_digsig_builtin(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); extern __init int load_module_cert(struct key *keyring); #else #define restrict_link_by_builtin_trusted restrict_link_reject +#define restrict_link_by_digsig_builtin restrict_link_reject static inline __init int load_module_cert(struct key *keyring) { @@ -41,8 +46,13 @@ extern int restrict_link_by_builtin_and_secondary_trusted( const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *restriction_key); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted +#define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING -- cgit v1.2.3