certs: Only allow certs signed by keys on the builtin keyring

Originally the secondary trusted keyring provided a keyring to which extra keys may be added, provided those keys were not blacklisted and were vouched for by a key built into the kernel or already in the secondary trusted keyring. On systems with the machine keyring configured, additional keys may also be vouched for by a key on the machine keyring. Prevent loading additional certificates directly onto the secondary keyring, vouched for by keys on the machine keyring, yet allow these certificates to be loaded onto other trusted keyrings. Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
author: Mimi Zohar <zohar@linux.ibm.com> 2023-10-15 20:18:03 -0400
committer: Mimi Zohar <zohar@linux.ibm.com> 2023-10-31 08:22:36 -0400
commit: b46503068cb9ed63ff1d8250f143354ead0b16eb (patch)
tree: 491f8c3159c1aadd509183ef37c572704ecbdd5c /crypto/asymmetric_keys
parent: 7b5c3086d1f85448a2a81947b685119c6c9894c8 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b69ea40da23..afcd4d101ac5 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyring,
 
 	if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
 		ret = -ENOKEY;
+	else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&
+		 !strcmp(dest_keyring->description, ".secondary_trusted_keys") &&
+		 !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+		ret = -ENOKEY;
 	else
 		ret = verify_signature(key, sig);
 	key_put(key);
author	Mimi Zohar <zohar@linux.ibm.com>	2023-10-15 20:18:03 -0400
committer	Mimi Zohar <zohar@linux.ibm.com>	2023-10-31 08:22:36 -0400
commit	b46503068cb9ed63ff1d8250f143354ead0b16eb (patch)
tree	491f8c3159c1aadd509183ef37c572704ecbdd5c /crypto/asymmetric_keys
parent	7b5c3086d1f85448a2a81947b685119c6c9894c8 (diff)