2019-05-21 01:08:01 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
2013-08-30 23:07:30 +08:00
|
|
|
/* System keyring containing trusted public keys.
|
|
|
|
*
|
|
|
|
* Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
|
|
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _KEYS_SYSTEM_KEYRING_H
|
|
|
|
#define _KEYS_SYSTEM_KEYRING_H
|
|
|
|
|
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to
__key_link() so that we use the contents of the keyring being linked in to
to determine whether the key being linked in is trusted or not.
What is 'trusted' then becomes a matter of what's in the keyring.
Currently, the test is done when the key is parsed, but given that at that
point we can only sensibly refer to the contents of the system trusted
keyring, we can only use that as the basis for working out the
trustworthiness of a new key.
With this change, a trusted keyring is a set of keys that once the
trusted-only flag is set cannot be added to except by verification through
one of the contained keys.
Further, adding a key into a trusted keyring, whilst it might grant
trustworthiness in the context of that keyring, does not automatically
grant trustworthiness in the context of a second keyring to which it could
be secondarily linked.
To accomplish this, the authentication data associated with the key source
must now be retained. For an X.509 cert, this means the contents of the
AuthorityKeyIdentifier and the signature data.
If system keyrings are disabled then restrict_link_by_builtin_trusted()
resolves to restrict_link_reject(). The integrity digital signature code
still works correctly with this as it was previously using
KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
is no system keyring against which trust can be determined.
Signed-off-by: David Howells <dhowells@redhat.com>
2016-04-06 23:14:26 +08:00
|
|
|
#include <linux/key.h>
|
|
|
|
|
2013-08-30 23:07:30 +08:00
|
|
|
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
|
|
|
|
|
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to
__key_link() so that we use the contents of the keyring being linked in to
to determine whether the key being linked in is trusted or not.
What is 'trusted' then becomes a matter of what's in the keyring.
Currently, the test is done when the key is parsed, but given that at that
point we can only sensibly refer to the contents of the system trusted
keyring, we can only use that as the basis for working out the
trustworthiness of a new key.
With this change, a trusted keyring is a set of keys that once the
trusted-only flag is set cannot be added to except by verification through
one of the contained keys.
Further, adding a key into a trusted keyring, whilst it might grant
trustworthiness in the context of that keyring, does not automatically
grant trustworthiness in the context of a second keyring to which it could
be secondarily linked.
To accomplish this, the authentication data associated with the key source
must now be retained. For an X.509 cert, this means the contents of the
AuthorityKeyIdentifier and the signature data.
If system keyrings are disabled then restrict_link_by_builtin_trusted()
resolves to restrict_link_reject(). The integrity digital signature code
still works correctly with this as it was previously using
KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
is no system keyring against which trust can be determined.
Signed-off-by: David Howells <dhowells@redhat.com>
2016-04-06 23:14:26 +08:00
|
|
|
extern int restrict_link_by_builtin_trusted(struct key *keyring,
|
|
|
|
const struct key_type *type,
|
2016-08-31 02:33:13 +08:00
|
|
|
const union key_payload *payload,
|
|
|
|
struct key *restriction_key);
|
2013-08-30 23:07:30 +08:00
|
|
|
|
2013-08-21 02:36:27 +08:00
|
|
|
#else
|
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to
__key_link() so that we use the contents of the keyring being linked in to
to determine whether the key being linked in is trusted or not.
What is 'trusted' then becomes a matter of what's in the keyring.
Currently, the test is done when the key is parsed, but given that at that
point we can only sensibly refer to the contents of the system trusted
keyring, we can only use that as the basis for working out the
trustworthiness of a new key.
With this change, a trusted keyring is a set of keys that once the
trusted-only flag is set cannot be added to except by verification through
one of the contained keys.
Further, adding a key into a trusted keyring, whilst it might grant
trustworthiness in the context of that keyring, does not automatically
grant trustworthiness in the context of a second keyring to which it could
be secondarily linked.
To accomplish this, the authentication data associated with the key source
must now be retained. For an X.509 cert, this means the contents of the
AuthorityKeyIdentifier and the signature data.
If system keyrings are disabled then restrict_link_by_builtin_trusted()
resolves to restrict_link_reject(). The integrity digital signature code
still works correctly with this as it was previously using
KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
is no system keyring against which trust can be determined.
Signed-off-by: David Howells <dhowells@redhat.com>
2016-04-06 23:14:26 +08:00
|
|
|
#define restrict_link_by_builtin_trusted restrict_link_reject
|
2013-08-30 23:07:30 +08:00
|
|
|
#endif
|
|
|
|
|
2016-04-06 23:14:27 +08:00
|
|
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
|
|
|
extern int restrict_link_by_builtin_and_secondary_trusted(
|
|
|
|
struct key *keyring,
|
|
|
|
const struct key_type *type,
|
2016-08-31 02:33:13 +08:00
|
|
|
const union key_payload *payload,
|
|
|
|
struct key *restriction_key);
|
2016-04-06 23:14:27 +08:00
|
|
|
#else
|
|
|
|
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
|
|
|
|
#endif
|
|
|
|
|
2017-04-03 23:07:24 +08:00
|
|
|
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
|
|
|
extern int mark_hash_blacklisted(const char *hash);
|
|
|
|
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
|
|
|
const char *type);
|
2019-10-31 11:31:31 +08:00
|
|
|
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
|
2017-04-03 23:07:24 +08:00
|
|
|
#else
|
|
|
|
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
|
|
|
const char *type)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2019-10-31 11:31:31 +08:00
|
|
|
|
|
|
|
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2017-04-03 23:07:24 +08:00
|
|
|
#endif
|
|
|
|
|
2016-04-07 16:45:23 +08:00
|
|
|
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
2015-12-02 23:47:55 +08:00
|
|
|
extern struct key *ima_blacklist_keyring;
|
|
|
|
|
|
|
|
static inline struct key *get_ima_blacklist_keyring(void)
|
|
|
|
{
|
|
|
|
return ima_blacklist_keyring;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline struct key *get_ima_blacklist_keyring(void)
|
|
|
|
{
|
|
|
|
return NULL;
|
|
|
|
}
|
2016-04-07 16:45:23 +08:00
|
|
|
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
|
2015-12-02 23:47:55 +08:00
|
|
|
|
2019-01-21 17:59:28 +08:00
|
|
|
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
|
|
|
|
defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
|
|
|
|
extern void __init set_platform_trusted_keys(struct key *keyring);
|
|
|
|
#else
|
|
|
|
static inline void set_platform_trusted_keys(struct key *keyring)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
#endif
|
2015-12-02 23:47:55 +08:00
|
|
|
|
2013-08-30 23:07:30 +08:00
|
|
|
#endif /* _KEYS_SYSTEM_KEYRING_H */
|