Commit 90f6f691 authored by Eric Snowberg's avatar Eric Snowberg Committed by Jarkko Sakkinen

integrity: Enforce digitalSignature usage in the ima and evm keyrings

After being vouched for by a system keyring, only allow keys into the .ima
and .evm keyrings that have the digitalSignature usage field set.

Link: https://lore.kernel.org/all/41dffdaeb7eb7840f7e38bc691fbda836635c9f9.camel@linux.ibm.comSuggested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarEric Snowberg <eric.snowberg@oracle.com>
Acked-and-tested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent 4cfb9080
...@@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { ...@@ -34,9 +34,9 @@ static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
}; };
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted #define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary
#else #else
#define restrict_link_to_ima restrict_link_by_builtin_trusted #define restrict_link_to_ima restrict_link_by_digsig_builtin
#endif #endif
static struct key *integrity_keyring_from_id(const unsigned int id) static struct key *integrity_keyring_from_id(const unsigned int id)
......
...@@ -64,7 +64,8 @@ config EVM_LOAD_X509 ...@@ -64,7 +64,8 @@ config EVM_LOAD_X509
This option enables X509 certificate loading from the kernel This option enables X509 certificate loading from the kernel
onto the '.evm' trusted keyring. A public key can be used to onto the '.evm' trusted keyring. A public key can be used to
verify EVM integrity starting from the 'init' process. verify EVM integrity starting from the 'init' process. The
key must have digitalSignature usage set.
config EVM_X509_PATH config EVM_X509_PATH
string "EVM X509 certificate path" string "EVM X509 certificate path"
......
...@@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY ...@@ -270,7 +270,8 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
help help
Keys may be added to the IMA or IMA blacklist keyrings, if the Keys may be added to the IMA or IMA blacklist keyrings, if the
key is validly signed by a CA cert in the system built-in or key is validly signed by a CA cert in the system built-in or
secondary trusted keyrings. secondary trusted keyrings. The key must also have the
digitalSignature usage set.
Intermediate keys between those the kernel has compiled in and the Intermediate keys between those the kernel has compiled in and the
IMA keys to be added may be added to the system secondary keyring, IMA keys to be added may be added to the system secondary keyring,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment