Commit 90f6f691 authored by Eric Snowberg's avatar Eric Snowberg Committed by Jarkko Sakkinen

integrity: Enforce digitalSignature usage in the ima and evm keyrings

After being vouched for by a system keyring, only allow keys into the .ima
and .evm keyrings that have the digitalSignature usage field set.

Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.com


Suggested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
Acked-and-tested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent 4cfb9080
+2 −2
@@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
};

#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary
#else
#define restrict_link_to_ima restrict_link_by_builtin_trusted
#define restrict_link_to_ima restrict_link_by_digsig_builtin
#endif

static struct key *integrity_keyring_from_id(const unsigned int id)
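Review bot: The two new `restrict_link_to_ima` definitions have no comment saying that the restriction now has two parts, and the macro name still mentions only IMA although the commit message says it also gates the .evm keyring. A short comment above the `#ifdef` would make the policy readable at the point of use, for example `/* Keys linked into .ima/.evm must be vouched for by a system keyring and have digitalSignature key usage set. */`. The `restrict_link_by_digsig_builtin*` helpers are defined outside this hunk, so it is not visible here how a certificate with no keyUsage extension at all is treated. That case is worth confirming and stating in the Kconfig help, because already-deployed IMA/EVM signing certificates without the bit would presumably be refused once this lands. The body of `integrity_keyring_from_id` continues outside the hunk.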
+2 −1
@@ -64,7 +64,8 @@ config EVM_LOAD_X509

	   This option enables X509 certificate loading from the kernel
	   onto the '.evm' trusted keyring.  A public key can be used to
	   verify EVM integrity starting from the 'init' process.
	   verify EVM integrity starting from the 'init' process. The
	   key must have digitalSignature usage set.

config EVM_X509_PATH
	string "EVM X509 certificate path"
+2 −1
@@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	help
	  Keys may be added to the IMA or IMA blacklist keyrings, if the
	  key is validly signed by a CA cert in the system built-in or
	  secondary trusted keyrings.
	  secondary trusted keyrings. The key must also have the
	  digitalSignature usage set.

	  Intermediate keys between those the kernel has compiled in and the
	  IMA keys to be added may be added to the system secondary keyring,