summaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorEric Snowberg <eric.snowberg@oracle.com>2023-03-02 17:46:52 +0100
committerJarkko Sakkinen <jarkko@kernel.org>2023-04-24 15:15:53 +0200
commit099f26f22f5834ad744aee093ed4d11de13cac15 (patch)
tree78982465b1d36b2d58b97e03b4888a3d84d22032 /crypto
parentKEYS: CA link restriction (diff)
downloadlinux-099f26f22f5834ad744aee093ed4d11de13cac15.tar.xz
linux-099f26f22f5834ad744aee093ed4d11de13cac15.zip
integrity: machine keyring CA configuration
Add machine keyring CA restriction options to control the type of keys that may be added to it. The motivation is separation of certificate signing from code signing keys. Subsquent work will limit certificates being loaded into the IMA keyring to code signing keys used for signature verification. When no restrictions are selected, all Machine Owner Keys (MOK) are added to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is selected, the CA bit must be true. Also the key usage must contain keyCertSign, any other usage field may be set as well. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must be true. Also the key usage must contain keyCertSign and the digitialSignature usage may not be set. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Acked-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asymmetric_keys/restrict.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 48457c6f33f9..276bdb627498 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -140,6 +140,8 @@ int restrict_link_by_ca(struct key *dest_keyring,
return -ENOKEY;
if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
return -ENOKEY;
+ if (!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX))
+ return 0;
if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
return -ENOKEY;