summaryrefslogtreecommitdiffstats
path: root/certs/Kconfig
diff options
context:
space:
mode:
authorMickaël Salaün <mic@linux.microsoft.com>2021-07-12 19:03:13 +0200
committerJarkko Sakkinen <jarkko@kernel.org>2022-05-23 17:47:49 +0200
commit6364d106e0417e00eb5f223d8a90287d1c421ce0 (patch)
treeade08dc561fca195218debe714f105792308247a /certs/Kconfig
parentcerts: Check that builtin blacklist hashes are valid (diff)
downloadlinux-6364d106e0417e00eb5f223d8a90287d1c421ce0.tar.xz
linux-6364d106e0417e00eb5f223d8a90287d1c421ce0.zip
certs: Allow root user to append signed hashes to the blacklist keyring
Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user to dynamically add new keys to the blacklist keyring. This enables to invalidate new certificates, either from being loaded in a keyring, or from being trusted in a PKCS#7 certificate chain. This also enables to add new file hashes to be denied by the integrity infrastructure. Being able to untrust a certificate which could have normaly been trusted is a sensitive operation. This is why adding new hashes to the blacklist keyring is only allowed when these hashes are signed and vouched by the builtin trusted keyring. A blacklist hash is stored as a key description. The PKCS#7 signature of this description must be provided as the key payload. Marking a certificate as untrusted should be enforced while the system is running. It is then forbiden to remove such blacklist keys. Update blacklist keyring, blacklist key and revoked certificate access rights: * allows the root user to search for a specific blacklisted hash, which make sense because the descriptions are already viewable; * forbids key update (blacklist and asymmetric ones); * restricts kernel rights on the blacklist keyring to align with the root user rights. See help in tools/certs/print-cert-tbs-hash.sh . Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-6-mic@digikod.net Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r--certs/Kconfig10
1 files changed, 10 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index 4bd385b25084..476755703cf8 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -127,4 +127,14 @@ config SYSTEM_REVOCATION_KEYS
containing X.509 certificates to be included in the default blacklist
keyring.
+config SYSTEM_BLACKLIST_AUTH_UPDATE
+ bool "Allow root to add signed blacklist keys"
+ depends on SYSTEM_BLACKLIST_KEYRING
+ depends on SYSTEM_DATA_VERIFICATION
+ help
+ If set, provide the ability to load new blacklist keys at run time if
+ they are signed and vouched by a certificate from the builtin trusted
+ keyring. The PKCS#7 signature of the description is set in the key
+ payload. Blacklist keys cannot be removed.
+
endmenu