linux-next/certs
Mickaël Salaün 6364d106e0 certs: Allow root user to append signed hashes to the blacklist keyring
Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
to dynamically add new keys to the blacklist keyring.  This enables to
invalidate new certificates, either from being loaded in a keyring, or
from being trusted in a PKCS#7 certificate chain.  This also enables to
add new file hashes to be denied by the integrity infrastructure.

Being able to untrust a certificate which could have normaly been
trusted is a sensitive operation.  This is why adding new hashes to the
blacklist keyring is only allowed when these hashes are signed and
vouched by the builtin trusted keyring.  A blacklist hash is stored as a
key description.  The PKCS#7 signature of this description must be
provided as the key payload.

Marking a certificate as untrusted should be enforced while the system
is running.  It is then forbiden to remove such blacklist keys.

Update blacklist keyring, blacklist key and revoked certificate access
rights:
* allows the root user to search for a specific blacklisted hash, which
  make sense because the descriptions are already viewable;
* forbids key update (blacklist and asymmetric ones);
* restricts kernel rights on the blacklist keyring to align with the
  root user rights.

See help in tools/certs/print-cert-tbs-hash.sh .

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-6-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-05-23 18:47:49 +03:00
..
.gitignore certs: Check that builtin blacklist hashes are valid 2022-05-23 18:47:49 +03:00
blacklist_hashes.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
blacklist_nohashes.c certs/blacklist_nohashes.c: fix const confusion in certs blacklist 2018-02-21 15:35:43 -08:00
blacklist.c certs: Allow root user to append signed hashes to the blacklist keyring 2022-05-23 18:47:49 +03:00
blacklist.h certs: Add EFI_CERT_X509_GUID support for dbx entries 2021-03-11 16:31:28 +00:00
common.c certs: Move load_system_certificate_list to a common function 2021-03-11 16:32:38 +00:00
common.h certs: Move load_system_certificate_list to a common function 2021-03-11 16:32:38 +00:00
default_x509.genkey certs: check-in the default x509 config file 2021-12-11 22:09:14 +09:00
extract-cert.c certs: move scripts/extract-cert to certs/ 2022-01-08 18:28:21 +09:00
Kconfig certs: Allow root user to append signed hashes to the blacklist keyring 2022-05-23 18:47:49 +03:00
Makefile certs: Check that builtin blacklist hashes are valid 2022-05-23 18:47:49 +03:00
revocation_certificates.S certs: Add ability to preload revocation certs 2021-03-11 16:33:49 +00:00
system_certificates.S certs: include certs/signing_key.x509 unconditionally 2022-03-03 08:16:19 +09:00
system_keyring.c KEYS: Introduce link restriction for machine keys 2022-03-08 13:55:52 +02:00