diff options
| author | Mickaël Salaün <mic@linux.microsoft.com> | 2021-07-12 19:03:13 +0200 |
|---|---|---|
| committer | Jarkko Sakkinen <jarkko@kernel.org> | 2022-05-23 18:47:49 +0300 |
| commit | 6364d106e0417e00eb5f223d8a90287d1c421ce0 (patch) | |
| tree | ade08dc561fca195218debe714f105792308247a /certs/Kconfig | |
| parent | addf466389d9d78f255e8b15ac44ab4791029852 (diff) | |
| download | linux-6364d106e0417e00eb5f223d8a90287d1c421ce0.tar.gz linux-6364d106e0417e00eb5f223d8a90287d1c421ce0.tar.bz2 linux-6364d106e0417e00eb5f223d8a90287d1c421ce0.zip | |
certs: Allow root user to append signed hashes to the blacklist keyring
Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
to dynamically add new keys to the blacklist keyring. This enables to
invalidate new certificates, either from being loaded in a keyring, or
from being trusted in a PKCS#7 certificate chain. This also enables to
add new file hashes to be denied by the integrity infrastructure.
Being able to untrust a certificate which could have normaly been
trusted is a sensitive operation. This is why adding new hashes to the
blacklist keyring is only allowed when these hashes are signed and
vouched by the builtin trusted keyring. A blacklist hash is stored as a
key description. The PKCS#7 signature of this description must be
provided as the key payload.
Marking a certificate as untrusted should be enforced while the system
is running. It is then forbiden to remove such blacklist keys.
Update blacklist keyring, blacklist key and revoked certificate access
rights:
* allows the root user to search for a specific blacklisted hash, which
make sense because the descriptions are already viewable;
* forbids key update (blacklist and asymmetric ones);
* restricts kernel rights on the blacklist keyring to align with the
root user rights.
See help in tools/certs/print-cert-tbs-hash.sh .
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-6-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'certs/Kconfig')
| -rw-r--r-- | certs/Kconfig | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index 4bd385b25084..476755703cf8 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -127,4 +127,14 @@ config SYSTEM_REVOCATION_KEYS containing X.509 certificates to be included in the default blacklist keyring. +config SYSTEM_BLACKLIST_AUTH_UPDATE + bool "Allow root to add signed blacklist keys" + depends on SYSTEM_BLACKLIST_KEYRING + depends on SYSTEM_DATA_VERIFICATION + help + If set, provide the ability to load new blacklist keys at run time if + they are signed and vouched by a certificate from the builtin trusted + keyring. The PKCS#7 signature of the description is set in the key + payload. Blacklist keys cannot be removed. + endmenu |