diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2023-04-24 11:40:26 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2023-04-24 11:40:26 -0700 |
| commit | 1a0beef98b582b69a2ba44e468f7dfecbcfab48e (patch) | |
| tree | 6a96784e5d3edd9859a1aaca1555da97fd8c5483 /security/integrity | |
| parent | dc7e22a368c2a217d2d3338b3bd984fdd0301173 (diff) | |
| parent | bd8621ca1510e6e802df9855bdc35a04a3cfa932 (diff) | |
Merge tag 'tpmdd-v6.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd
Pull tpm updates from Jarkko Sakkinen:
- The .machine keyring, used for Machine Owner Keys (MOK), acquired the
ability to store only CA enforced keys, and put rest to the .platform
keyring, thus separating the code signing keys from the keys that are
used to sign certificates.
This essentially unlocks the use of the .machine keyring as a trust
anchor for IMA. It is an opt-in feature, meaning that the additional
contraints won't brick anyone who does not care about them.
- Enable interrupt based transactions with discrete TPM chips (tpm_tis).
There was code for this existing but it never really worked so I
consider this a new feature rather than a bug fix. Before the driver
just fell back to the polling mode.
Link: https://lore.kernel.org/linux-integrity/a93b6222-edda-d43c-f010-a59701f2aeef@gmx.de/
Link: https://lore.kernel.org/linux-integrity/20230302164652.83571-1-eric.snowberg@oracle.com/
* tag 'tpmdd-v6.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: (29 commits)
tpm: Add !tpm_amd_is_rng_defective() to the hwrng_unregister() call site
tpm_tis: fix stall after iowrite*()s
tpm/tpm_tis_synquacer: Convert to platform remove callback returning void
tpm/tpm_tis: Convert to platform remove callback returning void
tpm/tpm_ftpm_tee: Convert to platform remove callback returning void
tpm: tpm_tis_spi: Mark ACPI and OF related data as maybe unused
tpm: st33zp24: Mark ACPI and OF related data as maybe unused
tpm, tpm_tis: Enable interrupt test
tpm, tpm_tis: startup chip before testing for interrupts
tpm, tpm_tis: Claim locality when interrupts are reenabled on resume
tpm, tpm_tis: Claim locality in interrupt handler
tpm, tpm_tis: Request threaded interrupt handler
tpm, tpm: Implement usage counter for locality
tpm, tpm_tis: do not check for the active locality in interrupt handler
tpm, tpm_tis: Move interrupt mask checks into own function
tpm, tpm_tis: Only handle supported interrupts
tpm, tpm_tis: Claim locality before writing interrupt registers
tpm, tpm_tis: Do not skip reset of original interrupt vector
tpm, tpm_tis: Disable interrupts if tpm_tis_probe_irq() failed
tpm, tpm_tis: Claim locality before writing TPM_INT_ENABLE register
...
Diffstat (limited to 'security/integrity')
| -rw-r--r-- | security/integrity/Kconfig | 23 | ||||
| -rw-r--r-- | security/integrity/digsig.c | 8 |
2 files changed, 28 insertions, 3 deletions
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 599429f99f99..ec6e0d789da1 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -68,13 +68,34 @@ config INTEGRITY_MACHINE_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING depends on LOAD_UEFI_KEYS - depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY help If set, provide a keyring to which Machine Owner Keys (MOK) may be added. This keyring shall contain just MOK keys. Unlike keys in the platform keyring, keys contained in the .machine keyring will be trusted within the kernel. +config INTEGRITY_CA_MACHINE_KEYRING + bool "Enforce Machine Keyring CA Restrictions" + depends on INTEGRITY_MACHINE_KEYRING + default n + help + The .machine keyring can be configured to enforce CA restriction + on any key added to it. By default no restrictions are in place + and all Machine Owner Keys (MOK) are added to the machine keyring. + If enabled only CA keys are added to the machine keyring, all + other MOK keys load into the platform keyring. + +config INTEGRITY_CA_MACHINE_KEYRING_MAX + bool "Only CA keys without DigitialSignature usage set" + depends on INTEGRITY_CA_MACHINE_KEYRING + default n + help + When selected, only load CA keys are loaded into the machine + keyring that contain the CA bit set along with the keyCertSign + Usage field. Keys containing the digitialSignature Usage field + will not be loaded. The remaining MOK keys are loaded into the + .platform keyring. + config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f2193c531f4a..6f31ffe23c48 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -132,7 +132,8 @@ int __init integrity_init_keyring(const unsigned int id) | KEY_USR_READ | KEY_USR_SEARCH; if (id == INTEGRITY_KEYRING_PLATFORM || - id == INTEGRITY_KEYRING_MACHINE) { + (id == INTEGRITY_KEYRING_MACHINE && + !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { restriction = NULL; goto out; } @@ -144,7 +145,10 @@ int __init integrity_init_keyring(const unsigned int id) if (!restriction) return -ENOMEM; - restriction->check = restrict_link_to_ima; + if (id == INTEGRITY_KEYRING_MACHINE) + restriction->check = restrict_link_by_ca; + else + restriction->check = restrict_link_to_ima; /* * MOK keys can only be added through a read-only runtime services |