Commit 32c4741c authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

KEYS: validate certificate trust only with builtin keys

Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed only by
builtin keys on the system keyring.

This patch defines a new option 'builtin' for the kernel parameter
'keys_ownerid' to allow trust validation using builtin keys.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch

Changelog v7:
- rename builtin_keys to use_builtin_keys
Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent ffb70f61
...@@ -569,7 +569,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. ...@@ -569,7 +569,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
ca_keys= [KEYS] This parameter identifies a specific key(s) on ca_keys= [KEYS] This parameter identifies a specific key(s) on
the system trusted keyring to be used for certificate the system trusted keyring to be used for certificate
trust validation. trust validation.
format: id:<keyid> format: { id:<keyid> | builtin }
ccw_timeout_log [S390] ccw_timeout_log [S390]
See Documentation/s390/CommonIO for details. See Documentation/s390/CommonIO for details.
......
...@@ -24,6 +24,7 @@ ...@@ -24,6 +24,7 @@
#include "public_key.h" #include "public_key.h"
#include "x509_parser.h" #include "x509_parser.h"
static bool use_builtin_keys;
static char *ca_keyid; static char *ca_keyid;
#ifndef MODULE #ifndef MODULE
...@@ -34,6 +35,8 @@ static int __init ca_keys_setup(char *str) ...@@ -34,6 +35,8 @@ static int __init ca_keys_setup(char *str)
if (strncmp(str, "id:", 3) == 0) if (strncmp(str, "id:", 3) == 0)
ca_keyid = str; /* owner key 'id:xxxxxx' */ ca_keyid = str; /* owner key 'id:xxxxxx' */
else if (strcmp(str, "builtin") == 0)
use_builtin_keys = true;
return 1; return 1;
} }
...@@ -180,7 +183,6 @@ EXPORT_SYMBOL_GPL(x509_check_signature); ...@@ -180,7 +183,6 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
static int x509_validate_trust(struct x509_certificate *cert, static int x509_validate_trust(struct x509_certificate *cert,
struct key *trust_keyring) struct key *trust_keyring)
{ {
const struct public_key *pk;
struct key *key; struct key *key;
int ret = 1; int ret = 1;
...@@ -195,8 +197,9 @@ static int x509_validate_trust(struct x509_certificate *cert, ...@@ -195,8 +197,9 @@ static int x509_validate_trust(struct x509_certificate *cert,
cert->authority, cert->authority,
strlen(cert->authority)); strlen(cert->authority));
if (!IS_ERR(key)) { if (!IS_ERR(key)) {
pk = key->payload.data; if (!use_builtin_keys
ret = x509_check_signature(pk, cert); || test_bit(KEY_FLAG_BUILTIN, &key->flags))
ret = x509_check_signature(key->payload.data, cert);
key_put(key); key_put(key);
} }
return ret; return ret;
......
...@@ -170,6 +170,7 @@ struct key { ...@@ -170,6 +170,7 @@ struct key {
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ #define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */ #define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */ #define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to trusted keys */
#define KEY_FLAG_BUILTIN 10 /* set if key is builtin */
/* the key type and key description string /* the key type and key description string
* - the desc is used to match a key against search criteria * - the desc is used to match a key against search criteria
......
...@@ -89,6 +89,7 @@ static __init int load_system_certificate_list(void) ...@@ -89,6 +89,7 @@ static __init int load_system_certificate_list(void)
pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
PTR_ERR(key)); PTR_ERR(key));
} else { } else {
set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
pr_notice("Loaded X.509 cert '%s'\n", pr_notice("Loaded X.509 cert '%s'\n",
key_ref_to_ptr(key)->description); key_ref_to_ptr(key)->description);
key_ref_put(key); key_ref_put(key);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment