are referenced, if a matching key is found, the key will be rejected.
Signed-off-by: Eric Snowberg
---
v2:
Fixed build issue reported by kernel test robot
Commit message update (suggested by Jarkko Sakkinen)
---
certs/blacklist.c | 36 +++
certs
> On Sep 9, 2020, at 11:40 AM, Randy Dunlap wrote:
>
> On 9/9/20 10:27 AM, Eric Snowberg wrote:
>> diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
>> index 38ec7f5f9041..d8f2e0fdfbf4 100644
>> --- a/include/crypto/pkcs7.h
>> +++ b/include/c
are referenced, if a matching key is found, the key will be rejected.
Signed-off-by: Eric Snowberg
---
v4:
Remove unneeded symbol export found by Jarkko Sakkinen
v3:
Fixed an issue when CONFIG_PKCS7_MESSAGE_PARSER is not builtin and defined
as a module instead, pointed out by Randy Dunlap
v2
> On Dec 10, 2020, at 2:49 AM, David Howells wrote:
>
> Eric Snowberg wrote:
>
>> Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID
>> is found, it is added as an asymmetrical key to the .blacklist keyring.
>> Anytime the .platform ke
d appreciate any feedback on that series as well.
Thanks
> David
> ---
> commit 8913866babb96fcfe452aac6042ca8862d4c0b53
> Author: Eric Snowberg
> Date: Tue Sep 15 20:49:27 2020 -0400
>
>certs: Add EFI_CERT_X509_GUID support for dbx entries
>
>The Secure Boo
> On Jan 13, 2021, at 1:41 PM, Jarkko Sakkinen
> wrote:
>
> On Tue, Jan 12, 2021 at 02:57:39PM +, David Howells wrote:
>> Eric Snowberg wrote:
>>
>>>> On Dec 10, 2020, at 2:49 AM, David Howells wrote:
>>>>
>>>> Eric Snowber
> On Jan 15, 2021, at 2:15 AM, Jarkko Sakkinen wrote:
>
> On Wed, Jan 13, 2021 at 05:11:10PM -0700, Eric Snowberg wrote:
>>
>>> On Jan 13, 2021, at 1:41 PM, Jarkko Sakkinen
>>> wrote:
>>>
>>> On Tue, Jan 12, 2021 at 02:57:39PM +0
> On Jan 15, 2021, at 10:21 AM, James Bottomley
> wrote:
>
> On Tue, 2020-09-15 at 20:49 -0400, Eric Snowberg wrote:
>> The Secure Boot Forbidden Signature Database, dbx, contains a list of
>> now revoked signatures and keys previously approved to boot with UEFI
>
> On Jan 20, 2021, at 4:26 AM, Jarkko Sakkinen wrote:
>
> On Fri, Jan 15, 2021 at 09:49:02AM -0700, Eric Snowberg wrote:
>>
>>> On Jan 15, 2021, at 2:15 AM, Jarkko Sakkinen wrote:
>>>
>>> On Wed, Jan 13, 2021 at 05:11:10PM -0700, Eric Snowberg wrot
> On Jan 27, 2021, at 7:03 AM, Mimi Zohar wrote:
>
> [Cc'ing linux-integrity]
>
> On Wed, 2021-01-27 at 11:46 +, David Howells wrote:
>> Jarkko Sakkinen wrote:
>>
I suppose a user space tool could be created. But wouldn’t what is
currently done in the kernel in this area need t
> On Feb 21, 2021, at 4:17 AM, Mickaël Salaün wrote:
>
> David, Eric, what is the status of this patch series?
All the previous issues I had identified have been resolved, so LGTM.
> On 10/02/2021 13:04, Mickaël Salaün wrote:
>> This new patch series is a rebase on David Howells's keys-misc b
ely create such hash.
>
> Cc: David Howells
> Cc: David Woodhouse
> Cc: Eric Snowberg
> Signed-off-by: Mickaël Salaün
> Reviewed-by: Jarkko Sakkinen
> Link: https://lore.kernel.org/r/20210312171232.2681989-2-...@digikod.net
Tested-by: Eric Snowberg
> ---
>
> C
which
> make sense because the descriptions are already viewable;
> * forbids key update (blacklist and asymmetric ones);
> * restricts kernel rights on the blacklist keyring to align with the
> root user rights.
>
> See help in tools/certs/print-cert-tbs-hash.sh .
>
> On Mar 15, 2021, at 12:01 PM, Mickaël Salaün wrote:
>
>
> On 15/03/2021 17:59, Eric Snowberg wrote:
>>
>>> On Mar 12, 2021, at 10:12 AM, Mickaël Salaün wrote:
>>>
>>> From: Mickaël Salaün
>>>
>>> Add a kernel opt
changed via kexec. If a different
clavis boot param is used, the one stored in the RT variable will be used
instead. Enforcement of which boot param to use will be done in a follow
on patch.
Signed-off-by: Eric Snowberg
---
drivers/firmware/efi/Kconfig | 12 +++
drivers/firmware
asymmetric key id matches a key within one of these
system keyrings, the matching key is linked into the passed in
keyring.
Signed-off-by: Eric Snowberg
---
certs/system_keyring.c| 29 +
include/keys/system_keyring.h | 7 ++-
2 files changed, 35 insertions
within the new "clavis=" boot param. If a matching key is found in
one of the system keyrings, a link shall be created. This keyring will be
used in the future by the new Clavis LSM.
Signed-off-by: Eric Snowberg
---
include/linux/security.h | 4 ++
security/Kconfig
Use the new Clavis EFI RT variable to validate the clavis boot param didn't
change during a reboot. If the boot param is different or missing, use the
one stored in EFI instead. This will prevent a pivot in the root of trust
for the upcoming Clavis LSM.
Signed-off-by: Eric Snowberg
---
sec
Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new
usage will be used for validating keys added to the new clavis lsm keyring.
This will be introduced in a follow-on patch.
Signed-off-by: Eric Snowberg
---
crypto/asymmetric_keys/asymmetric_type.c | 1 +
crypto
using this LSM. This would be useful
for a user that controls their entire UEFI SB DB key chain and
doesn't want to use MOK keys.
I would appreciate any feedback on this approach. Thanks.
This series is based off lsm/dev commit edc6670233a3 ("cred: Use
KMEM_CACHE() instead of
other to see if it verifies against the supplied keyring. The flag
is used to determine which stage the verification is in.
Signed-off-by: Eric Snowberg
---
certs/blacklist.c | 3 +++
crypto/asymmetric_keys/pkcs7_trust.c | 20
crypto/asymmetric_keys
.pkcs7
Afterwards the new clavis_key_acl can be seen in the .clavis keyring:
keyctl show %:.clavis
Keyring
keyring: .clavis
\_ asymmetric: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8
\_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d
Signed-off-by: Eric Snowberg
---
securi
could be maintained across kexec.
Signed-off-by: Eric Snowberg
---
Documentation/admin-guide/LSM/clavis.rst | 190 +++
MAINTAINERS | 7 +
crypto/asymmetric_keys/signature.c | 4 +
include/linux/lsm_hook_defs.h| 2 +
include
> On Mar 11, 2024, at 1:16 PM, Jarkko Sakkinen wrote:
>
> On Mon Mar 11, 2024 at 6:11 PM EET, Eric Snowberg wrote:
>> Introduce a new function to allow a keyring to link to a key contained
>> within one of the system keyrings (builtin, secondary, or platform).
>> Dep
> On Mar 11, 2024, at 1:18 PM, Jarkko Sakkinen wrote:
>
> On Mon Mar 11, 2024 at 6:11 PM EET, Eric Snowberg wrote:
>> + return -1;
>
> Missed this one: why a magic number?
Good point, I'll change this to return -ENOKEY. Thanks.
> On Mar 11, 2024, at 8:45 PM, Randy Dunlap wrote:
>
> On 3/11/24 09:11, Eric Snowberg wrote:
>> In the future it is envisioned this LSM could be enhanced to provide
>> access control for UEFI Secure Boot Advanced Targeting (SBAT). Using
>> the same clavis=
> On Apr 4, 2024, at 4:40 PM, Mimi Zohar wrote:
>
> Hi Eric,
>
>> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
>> index 9de610bf1f4b..b647be49f6e0 100644
>> --- a/certs/system_keyring.c
>> +++ b/certs/system_keyring.c
>> @@ -426,3 +426,32 @@ void __init set_platform_trusted_key
Use the new Clavis EFI RT variable to validate the clavis boot param didn't
change during a reboot. If the boot param is different or missing, use the
one stored in EFI instead. This will prevent a pivot in the root of trust
for the upcoming Clavis LSM.
Signed-off-by: Eric Snowberg
---
sec
asymmetric key id matches a key within one of these
system keyrings, the matching key is linked into the passed in
keyring.
Signed-off-by: Eric Snowberg
---
certs/system_keyring.c| 31 +++
include/keys/system_keyring.h | 7 ++-
2 files changed, 37 insertions
within the new "clavis=" boot param. If a matching key is found in
one of the system keyrings, a link shall be created. This keyring will be
used in the future by the new Clavis LSM.
Signed-off-by: Eric Snowberg
---
.../admin-guide/kernel-parameters.txt | 6 ++
include/linux/i
Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new
usage will be used for validating keys added to the new clavis lsm keyring.
This will be introduced in a follow-on patch.
Signed-off-by: Eric Snowberg
---
crypto/asymmetric_keys/asymmetric_type.c | 1 +
crypto
changed via kexec. If a different
clavis boot param is used, the one stored in the RT variable will be used
instead. Enforcement of which boot param to use will be done in a follow
on patch.
Signed-off-by: Eric Snowberg
---
drivers/firmware/efi/Kconfig | 12 +++
drivers/firmware
other to see if it verifies against the supplied keyring. The flag
is used to determine which stage the verification is in.
Signed-off-by: Eric Snowberg
---
certs/blacklist.c | 3 +++
crypto/asymmetric_keys/pkcs7_trust.c | 20
crypto/asymmetric_keys
s recommended by Randy
Fixed lint warnings
Other cleanup
Eric Snowberg (8):
certs: Introduce ability to link to a system key
clavis: Introduce a new system keyring called clavis
efi: Make clavis boot param persist across kexec
clavis: Prevent clavis boot param from changing during kexe
.pkcs7
Afterwards the new clavis_key_acl can be seen in the .clavis keyring:
keyctl show %:.clavis
Keyring
keyring: .clavis
\_ asymmetric: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8
\_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d
Signed-off-by: Eric Snowberg
-
, SBAT restrictions could be maintained
across kexec.
Signed-off-by: Eric Snowberg
---
Documentation/admin-guide/LSM/clavis.rst | 198 +++
MAINTAINERS | 7 +
crypto/asymmetric_keys/signature.c | 4 +
include/linux/lsm_hook_defs.h
> On Jun 4, 2024, at 12:08 PM, Jarkko Sakkinen wrote:
>
> On Fri May 31, 2024 at 3:39 AM EEST, Eric Snowberg wrote:
>> Introduce a new function to allow a keyring to link to a key contained
>> within one of the system keyrings (builtin, secondary, or platform).
>
>
> On Jun 4, 2024, at 11:59 AM, Jarkko Sakkinen wrote:
>
> On Fri May 31, 2024 at 3:39 AM EEST, Eric Snowberg wrote:
>> Introduce a new LSM called Clavis (Latin word meaning key). The motivation
>> behind this LSM is to provide access control for system keys. Before
>
> On Jun 10, 2024, at 8:33 PM, Randy Dunlap wrote:
>
> Hi Eric,
>
> On 5/30/24 5:39 PM, Eric Snowberg wrote:
>>
>> Signed-off-by: Eric Snowberg
>> ---
>> Documentation/admin-guide/LSM/clavis.rst | 198 +++
>> MAINTAINERS
> On Jun 19, 2024, at 9:22 AM, Mimi Zohar wrote:
>
> On Thu, 2024-05-30 at 18:39 -0600, Eric Snowberg wrote:
>> Introduce a new LSM called Clavis (Latin word meaning key). The motivation
>> behind this LSM is to provide access control for system keys. Before
>> sp
> On Oct 17, 2024, at 11:21 PM, Ben Boeckel wrote:
>
> On Thu, Oct 17, 2024 at 09:55:08 -0600, Eric Snowberg wrote:
>> Introduce a new key type for keyring access control. The new key type
>> is called clavis_key_acl. The clavis_key_acl contains the subject key
>>
> On Oct 18, 2024, at 10:55 AM, Ben Boeckel wrote:
>
> On Fri, Oct 18, 2024 at 15:42:15 +0000, Eric Snowberg wrote:
>>
>> This was done in case the end-user has a trailing carriage return at the
>> end of their ACL. I have updated the comment as follows:
>>
>
> On Oct 17, 2024, at 10:50 AM, Jarkko Sakkinen wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> +static struct asymmetric_key_id *clavis_parse_boot_param(char *kid,
>> struct asymmetric_key_id *akid,
>> + int
>> akid_max_len)
>> +
> On Oct 17, 2024, at 1:20 PM, Jarkko Sakkinen wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This
>> new
>> usage will be used for validating keys added to the new clavis LSM
> On Oct 22, 2024, at 8:25 PM, ser...@kernel.org wrote:
>
> On Thu, Oct 17, 2024 at 09:55:11AM -0600, Eric Snowberg wrote:
>>
>> +The Clavis LSM contains a system keyring call .clavis. It contains a single
>
> s/call/called/
I will change that, thanks.
>>
> On Oct 17, 2024, at 10:16 AM, Jarkko Sakkinen wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Introduce system_key_link(), a new function to allow a keyring to
>> link
>> to a key contained within one of the system keyrings (builtin,
> On Oct 17, 2024, at 10:13 AM, Jarkko Sakkinen wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
>> pattern does not need to be repeated with new code.
>>
>> Signed-off-by
If the kernel is built with CONFIG_MODULE_SIG_KEY, get the subject
key identifier and add an ACL for it within the .clavis keyring.
Signed-off-by: Eric Snowberg
---
certs/.gitignore | 1 +
certs/Makefile | 20
certs/clavis_module_acl.c
.pkcs7
Afterwards the new clavis_key_acl can be seen in the .clavis keyring:
keyctl show %:.clavis
Keyring
keyring: .clavis
\_ asymmetric: Clavis LSM key: 4a00ab9f35c9dc3aed7c225d22bafcbd9285e1e8
\_ clavis_key_acl: 02:b360d113c848ace3f1e6a80060b43d1206f0487d
Signed-off-by: Eric Snowberg
---
s not enabled, the Clavis EFI RT variable will never be set and
therefore not used.
Signed-off-by: Eric Snowberg
---
security/clavis/Makefile | 4 +++
security/clavis/clavis.h | 9 ++
security/clavis/clavis_efi.c | 50
security/c
keyring. If the asymmetric key id matches a key within one
of these system keyrings, the matching key is linked into the passed in
keyring.
Signed-off-by: Eric Snowberg
---
certs/system_keyring.c| 30 ++
include/keys/system_keyring.h | 7 ++-
2 files
ability to enforce this usage based on the system owner's
configuration.
Each system key may have one or more uses defined within the ACL list.
Until an entry is added to the .clavis keyring, no other system key may
be used for any other purpose.
Signed-off-by: Eric Snowberg
---
Documentation/admin
asymmetric key id within the new "clavis=" boot param. If a matching key
is found in one of the system keyrings, a link shall be created. This
keyring will be used in the future by the new Clavis LSM.
Signed-off-by: Eric Snowberg
---
.../admin-guide/kernel-parameters.txt | 6 +
inc
changed via kexec. If a different
clavis boot param is used, the one stored in the RT variable will be used
instead. Enforcement of which boot param to use will be done in a follow
on patch.
Signed-off-by: Eric Snowberg
---
drivers/firmware/efi/Kconfig | 12 +++
drivers/firmware
ommended by Randy
Fixed lint warnings
Other cleanup
Eric Snowberg (13):
certs: Remove CONFIG_INTEGRITY_PLATFORM_KEYRING check
certs: Introduce ability to link to a system key
clavis: Introduce a new system keyring called clavis
keys: Add new verification type (VERIFYING_CLAVIS_SIGNATURE)
In preparation for Kunit support within Clavis, add function redirection
for some of the static functions. Also add KUNIT_STATIC_STUB_REDIRECT
to a few functions that will be redirected in the future. This should
have no functional change.
Signed-off-by: Eric Snowberg
---
security/clavis
Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new
usage will be used for validating keys added to the new clavis LSM keyring.
This will be introduced in a follow-on patch.
Signed-off-by: Eric Snowberg
---
crypto/asymmetric_keys/asymmetric_type.c | 1 +
crypto
, add a carriage
return after each entry.
Signed-off-by: Eric Snowberg
---
security/clavis/.gitignore | 1 +
security/clavis/Kconfig | 10 ++
security/clavis/Makefile | 16
security/clavis/clavis.h | 2 ++
security/clavis
other to see if it verifies against the supplied keyring. The flag
is used to determine which stage the verification is in.
Signed-off-by: Eric Snowberg
---
certs/blacklist.c | 3 +++
crypto/asymmetric_keys/pkcs7_trust.c | 20
crypto/asymmetric_keys
Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
pattern does not need to be repeated with new code.
Signed-off-by: Eric Snowberg
---
certs/system_keyring.c | 6 --
1 file changed, 6 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index
_TEST.
Run all KUnit tests for Clavis with:
./tools/testing/kunit/kunit.py run --kunitconfig security/clavis
The only areas missing are stubbing out EFI and system_key_link.
Everything else should be covered with this patch.
Signed-off-by: Eric Snowberg
---
security/clavis/.giti
Hi Mimi,
> On Dec 23, 2024, at 5:09 AM, Mimi Zohar wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Motivation:
>>
>> Each end-user has their own security threat model. What is important to one
>> end-user may not be important to anoth
> On Dec 23, 2024, at 6:21 AM, Mimi Zohar wrote:
>
> Hi Eric,
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
>> pattern does not need to be repeated with new code.
>>
>>
> On Dec 23, 2024, at 5:17 PM, Mimi Zohar wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Add a new verification type called VERIFYING_CLAVIS_SIGNATURE. This new
>> usage will be used for validating keys added to the new clavis LSM keyring.
>>
> On Dec 24, 2024, at 10:43 AM, Mimi Zohar wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Introduce a new LSM called clavis. The motivation behind this LSM is to
>> provide access control for system keys. The access control list is
>> cont
> On Dec 23, 2024, at 5:01 PM, Mimi Zohar wrote:
>
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Introduce a new system keyring called clavis. This keyring shall contain
>> a single asymmetric key. This key may be a linked to a key already
>> con
> On Feb 6, 2025, at 1:13 PM, Jarkko Sakkinen
> wrote:
>
> On Thu, Oct 17, 2024 at 09:55:10AM -0600, Eric Snowberg wrote:
>> Add two new fields in public_key_signature to track the intended usage of
>> the signature. Also add a flag for the revocation pass. During
> On Feb 28, 2025, at 9:14 AM, Paul Moore wrote:
>
> On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote:
>> On Thu, 2025-02-27 at 17:22 -0500, Paul Moore wrote:
>>>
>>> I'd still also like to see some discussion about moving towards the
>>> addition of keyrings oriented towards usage instead of
> On Mar 4, 2025, at 5:23 PM, Paul Moore wrote:
>
> On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg wrote:
>>> On Mar 3, 2025, at 3:40 PM, Paul Moore wrote:
>>> On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg
>>> wrote:
>>>>> On Feb 28, 2025,
> On Mar 3, 2025, at 3:40 PM, Paul Moore wrote:
>
> On Fri, Feb 28, 2025 at 12:52 PM Eric Snowberg
> wrote:
>>> On Feb 28, 2025, at 9:14 AM, Paul Moore wrote:
>>> On Fri, Feb 28, 2025 at 9:09 AM Mimi Zohar wrote:
>>>> On Thu, 2025-02-27 at 17:22
> On Mar 5, 2025, at 6:12 PM, Paul Moore wrote:
>
> On Wed, Mar 5, 2025 at 4:30 PM Eric Snowberg wrote:
>>> On Mar 4, 2025, at 5:23 PM, Paul Moore wrote:
>>> On Tue, Mar 4, 2025 at 9:47 AM Eric Snowberg
>>> wrote:
>>>>> On Mar 3, 2025,