diff options
author | David Howells <dhowells@redhat.com> | 2016-05-04 17:20:20 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2016-05-04 17:20:20 +0100 |
commit | d55201ce08bfae40ae0062be126f49471a55bcad (patch) | |
tree | 116d80a6715c64b3d5e0dcb0f11ddb2db3e07f0e /Documentation/security | |
parent | b6e17c1be75c796b37d01d058ae17387f043e495 (diff) | |
parent | 56104cf2b8d20eed32c14eac8ac574c35377ab38 (diff) |
Merge branch 'keys-trust' into keys-next
Here's a set of patches that changes how certificates/keys are determined
to be trusted. That's currently a two-step process:
(1) Up until recently, when an X.509 certificate was parsed - no matter
the source - it was judged against the keys in .system_keyring,
assuming those keys to be trusted if they have KEY_FLAG_TRUSTED set
upon them.
This has just been changed such that any key in the .ima_mok keyring,
if configured, may also be used to judge the trustworthiness of a new
certificate, whether or not the .ima_mok keyring is meant to be
consulted for whatever process is being undertaken.
If a certificate is determined to be trustworthy, KEY_FLAG_TRUSTED
will be set upon a key it is loaded into (if it is loaded into one),
no matter what the key is going to be loaded for.
(2) If an X.509 certificate is loaded into a key, then that key - if
KEY_FLAG_TRUSTED gets set upon it - can be linked into any keyring
with KEY_FLAG_TRUSTED_ONLY set upon it. This was meant to be the
system keyring only, but has been extended to various IMA keyrings.
A user can at will link any key marked KEY_FLAG_TRUSTED into any
keyring marked KEY_FLAG_TRUSTED_ONLY if the relevant permissions masks
permit it.
These patches change that:
(1) Trust becomes a matter of consulting the ring of trusted keys supplied
when the trust is evaluated only.
(2) Every keyring can be supplied with its own manager function to
restrict what may be added to that keyring. This is called whenever a
key is to be linked into the keyring to guard against a key being
created in one keyring and then linked across.
This function is supplied with the keyring and the key type and
payload[*] of the key being linked in for use in its evaluation. It
is permitted to use other data also, such as the contents of other
keyrings such as the system keyrings.
[*] The type and payload are supplied instead of a key because as an
optimisation this function may be called whilst creating a key and
so may reject the proposed key between preparse and allocation.
(3) A default manager function is provided that permits keys to be
restricted to only asymmetric keys that are vouched for by the
contents of the system keyring.
A second manager function is provided that just rejects with EPERM.
(4) A key allocation flag, KEY_ALLOC_BYPASS_RESTRICTION, is made available
so that the kernel can initialise keyrings with keys that form the
root of the trust relationship.
(5) KEY_FLAG_TRUSTED and KEY_FLAG_TRUSTED_ONLY are removed, along with
key_preparsed_payload::trusted.
This change also makes it possible in future for userspace to create a private
set of trusted keys and then to have it sealed by setting a manager function
where the private set is wholly independent of the kernel's trust
relationships.
Further changes in the set involve extracting certain IMA special keyrings
and making them generally global:
(*) .system_keyring is renamed to .builtin_trusted_keys and remains read
only. It carries only keys built in to the kernel. It may be where
UEFI keys should be loaded - though that could better be the new
secondary keyring (see below) or a separate UEFI keyring.
(*) An optional secondary system keyring (called .secondary_trusted_keys)
is added to replace the IMA MOK keyring.
(*) Keys can be added to the secondary keyring by root if the keys can
be vouched for by either ring of system keys.
(*) Module signing and kexec only use .builtin_trusted_keys and do not use
the new secondary keyring.
(*) Config option SYSTEM_TRUSTED_KEYS now depends on ASYMMETRIC_KEY_TYPE as
that's the only type currently permitted on the system keyrings.
(*) A new config option, IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY,
is provided to allow keys to be added to IMA keyrings, subject to the
restriction that such keys are validly signed by a key already in the
system keyrings.
If this option is enabled, but secondary keyrings aren't, additions to
the IMA keyrings will be restricted to signatures verifiable by keys in
the builtin system keyring only.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'Documentation/security')
-rw-r--r-- | Documentation/security/keys.txt | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index a2f70cf6763a..20d05719bceb 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -1029,6 +1029,10 @@ payload contents" for more information. struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid, const struct cred *cred, key_perm_t perm, + int (*restrict_link)(struct key *, + const struct key_type *, + unsigned long, + const union key_payload *), unsigned long flags, struct key *dest); @@ -1040,6 +1044,24 @@ payload contents" for more information. KEY_ALLOC_NOT_IN_QUOTA in flags if the keyring shouldn't be accounted towards the user's quota). Error ENOMEM can also be returned. + If restrict_link not NULL, it should point to a function that will be + called each time an attempt is made to link a key into the new keyring. + This function is called to check whether a key may be added into the keying + or not. Callers of key_create_or_update() within the kernel can pass + KEY_ALLOC_BYPASS_RESTRICTION to suppress the check. An example of using + this is to manage rings of cryptographic keys that are set up when the + kernel boots where userspace is also permitted to add keys - provided they + can be verified by a key the kernel already has. + + When called, the restriction function will be passed the keyring being + added to, the key flags value and the type and payload of the key being + added. Note that when a new key is being created, this is called between + payload preparsing and actual key creation. The function should return 0 + to allow the link or an error to reject it. + + A convenience function, restrict_link_reject, exists to always return + -EPERM to in this case. + (*) To check the validity of a key, this function can be called: |