Commit 32c4741cb66703a3c282f41d77deff4afd93342a

Authored by Dmitry Kasatkin
Committed by Mimi Zohar
1 parent ffb70f61ba

KEYS: validate certificate trust only with builtin keys

Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed only by
builtin keys on the system keyring.

This patch defines a new option 'builtin' for the kernel parameter
'keys_ownerid' to allow trust validation using builtin keys.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch

Changelog v7:
- rename builtin_keys to use_builtin_keys

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Showing 4 changed files with 9 additions and 4 deletions Side-by-side Diff

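--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -569,7 +569,7 @@
 ca_keys= [KEYS] This parameter identifies a specific key(s) on
 the system trusted keyring to be used for certificate
 trust validation.
-format: id:<keyid>
+format: { id:<keyid> | builtin }
 
 ccw_timeout_log [S390]
 See Documentation/s390/CommonIO for details.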
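--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -24,6 +24,7 @@
 #include "public_key.h"
 #include "x509_parser.h"
 
+static bool use_builtin_keys;
 static char *ca_keyid;
 
 #ifndef MODULE
@@ -34,6 +35,8 @@
 
 if (strncmp(str, "id:", 3) == 0)
 ca_keyid = str; /* owner key 'id:xxxxxx' */
+else if (strcmp(str, "builtin") == 0)
+use_builtin_keys = true;
 
 return 1;
 }
@@ -180,7 +183,6 @@
 static int x509_validate_trust(struct x509_certificate *cert,
 struct key *trust_keyring)
 {
-const struct public_key *pk;
 struct key *key;
 int ret = 1;
 
@@ -195,8 +197,9 @@
 cert->authority,
 strlen(cert->authority));
 if (!IS_ERR(key)) {
-pk = key->payload.data;
-ret = x509_check_signature(pk, cert);
+if (!use_builtin_keys
+|| test_bit(KEY_FLAG_BUILTIN, &key->flags))
+ret = x509_check_signature(key->payload.data, cert);
 key_put(key);
 }
 return ret;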
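Review bot: When use_builtin_keys is set and the key found for cert->authority lacks KEY_FLAG_BUILTIN, the new condition silently skips x509_check_signature and ret keeps the initial value 1 from the earlier hunk, so the caller presumably sees the same result as "no matching key" with no indication that a non-builtin CA was deliberately rejected. The intent deserves a comment on the line before the new if, e.g. `/* with ca_keys=builtin a non-builtin CA never establishes trust; ret stays 1 (untrusted) */`, and a pr_debug naming key->description would make a rejected chain diagnosable, though that last part is a preference. Note also that the parser hunk above lets a later `ca_keys=id:...` set ca_keyid without clearing use_builtin_keys, so both restrictions then apply at once, which the documentation's `{ id:<keyid> | builtin }` does not describe; if that combination is intended, a sentence in kernel-parameters.txt would settle it. The body of x509_validate_trust between the two hunks, including how the caller interprets ret, is outside the hunk.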
... ... @@ -170,6 +170,7 @@
170 170 #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
171 171 #define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
172 172 #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
  173 +#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
173 174  
174 175 /* the key type and key description string
175 176 * - the desc is used to match a key against search criteria
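--- a/kernel/system_keyring.c
+++ b/kernel/system_keyring.c
@@ -89,6 +89,7 @@
 pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
 PTR_ERR(key));
 } else {
+set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
 pr_notice("Loaded X.509 cert '%s'\n",
 key_ref_to_ptr(key)->description);
 key_ref_put(key);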