UBUNTU: SAUCE: UEFI: KEYS: Add a system blacklist keyring

This adds an additional keyring that is used to store certificates that
are blacklisted.  This keyring is searched first when loading signed modules
and if the module's certificate is found, it will refuse to load.  This is
useful in cases where third party certificates are used for module signing.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e1b81d47fa737b46b2bf4e5d2859eb4e41f8b752..29c5b02dfac120545bff1a9c105315e9c454a4d2 100644 (file)
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 static struct key *secondary_trusted_keys;
 #endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+struct key *system_blacklist_keyring;
+#endif
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
@@ -112,6 +115,16 @@ static __init int system_trusted_keyring_init(void)
        if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
                panic("Can't link trusted keyrings\n");
 #endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+       system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
+                       KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
+                       ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                        KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
+                       KEY_ALLOC_NOT_IN_QUOTA,
+                       NULL, NULL);
+       if (IS_ERR(system_blacklist_keyring))
+               panic("Can't allocate system blacklist keyring\n");
+#endif
 
        return 0;
 }
@@ -228,6 +241,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
                trusted_keys = builtin_trusted_keys;
 #endif
        }
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+       ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
+       if (!ret) {
+               /* module is signed with a cert in the blacklist.  reject */
+               pr_err("Module key is in the blacklist\n");
+               ret = -EKEYREJECTED;
+               goto error;
+       }
+#endif
        ret = pkcs7_validate_trust(pkcs7, trusted_keys);
        if (ret < 0) {
                if (ret == -ENOKEY)

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 4009f3c018b5f6f85518202c0db72ee2eeaf400f..9ae02f037b0a7720318e6262f66baecef9780996 100644 (file)
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -34,6 +34,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 #endif
 extern struct key *get_system_keyring(void);
 
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern struct key *system_blacklist_keyring;
+#endif
+
 #ifdef CONFIG_IMA_BLACKLIST_KEYRING
 extern struct key *ima_blacklist_keyring;
 

diff --git a/init/Kconfig b/init/Kconfig
index 0f257260fcc1ad8c1f28f2f54de4d2ded3de1ba0..2c2c128ccc3cbfbe20b0289126a7f8d34916de4d 100644 (file)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1902,6 +1902,15 @@ config SYSTEM_DATA_VERIFICATION
          module verification, kexec image verification and firmware blob
          verification.
 
+config SYSTEM_BLACKLIST_KEYRING
+       bool "Provide system-wide ring of blacklisted keys"
+       depends on KEYS
+       help
+         Provide a system keyring to which blacklisted keys can be added.
+         Keys in the keyring are considered entirely untrusted.  Keys in this
+         keyring are used by the module signature checking to reject loading
+         of modules signed with a blacklisted key.
+
 config PROFILING
        bool "Profiling support"
        help