From 096da19de900a115ee3610b666ecb7e55926623d Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@fedoraproject.org>

Date: Fri, 26 Oct 2012 12:36:24 -0400

Subject: [PATCH 6/9] KEYS: Add a system blacklist keyring

This adds an additional keyring that is used to store certificates that

are blacklisted.  This keyring is searched first when loading signed modules

and if the module's certificate is found, it will refuse to load.  This is

useful in cases where third party certificates are used for module signing.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>

---

 certs/system_keyring.c        | 22 ++++++++++++++++++++++

 include/keys/system_keyring.h |  4 ++++

 init/Kconfig                  |  9 +++++++++

 3 files changed, 35 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c

index 50979d6dcecd..787eeead2f57 100644

--- a/certs/system_keyring.c

+++ b/certs/system_keyring.c

@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;

 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

 static struct key *secondary_trusted_keys;

 #endif

+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING

+struct key *system_blacklist_keyring;

+#endif

 extern __initconst const u8 system_certificate_list[];

 extern __initconst const unsigned long system_certificate_list_size;

@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)

 	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)

 		panic("Can't link trusted keyrings\n");

 #endif

+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING

+	system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",

+			KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

+			((KEY_POS_ALL & ~KEY_POS_SETATTR) |

+			 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),

+			KEY_ALLOC_NOT_IN_QUOTA,

+			NULL, NULL);

+	if (IS_ERR(system_blacklist_keyring))

+		panic("Can't allocate system blacklist keyring\n");

+#endif

 	return 0;

 }

@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,

 		trusted_keys = builtin_trusted_keys;

 #endif

 	}

+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING

+	ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);

+	if (!ret) {

+		/* module is signed with a cert in the blacklist.  reject */

+		pr_err("Module key is in the blacklist\n");

+		ret = -EKEYREJECTED;

+		goto error;

+	}

+#endif

 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);

 	if (ret < 0) {

 		if (ret == -ENOKEY)

diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h

index fbd4647767e9..5bc291a3d261 100644

--- a/include/keys/system_keyring.h

+++ b/include/keys/system_keyring.h

@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(

 #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted

 #endif

+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING

+extern struct key *system_blacklist_keyring;

+#endif

+

 #ifdef CONFIG_IMA_BLACKLIST_KEYRING

 extern struct key *ima_blacklist_keyring;

diff --git a/init/Kconfig b/init/Kconfig

index a9c4aefd5436..e5449d5aeff9 100644

--- a/init/Kconfig

+++ b/init/Kconfig

@@ -1829,6 +1829,15 @@ config SYSTEM_DATA_VERIFICATION

 	  module verification, kexec image verification and firmware blob

 	  verification.

+config SYSTEM_BLACKLIST_KEYRING

+	bool "Provide system-wide ring of blacklisted keys"

+	depends on KEYS

+	help

+	  Provide a system keyring to which blacklisted keys can be added.

+	  Keys in the keyring are considered entirely untrusted.  Keys in this

+	  keyring are used by the module signature checking to reject loading

+	  of modules signed with a blacklisted key.

+

 config PROFILING

 	bool "Profiling support"

 	help

-- 

2.5.5