-rw-r--r--certs/Kconfig16
-rw-r--r--crypto/asymmetric_keys/restrict.c4
2 files changed, 19 insertions, 1 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index 1f109b070877..62036974367c 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -88,7 +88,21 @@ config SECONDARY_TRUSTED_KEYRING
help
If set, provide a keyring to which extra keys may be added, provided
those keys are not blacklisted and are vouched for by a key built
- into the kernel or already in the secondary trusted keyring.
+ into the kernel, machine keyring (if configured), or already in the
+ secondary trusted keyring.
+
+config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
+ bool "Only allow additional certs signed by keys on the builtin trusted keyring"
+ depends on SECONDARY_TRUSTED_KEYRING
+ help
+ If set, only certificates signed by keys on the builtin trusted
+ keyring may be loaded onto the secondary trusted keyring.
+
+ Note: The machine keyring, if configured, will be linked to the
+ secondary keyring. When enabling this option, it is recommended
+ to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
+ linking code signing keys with imputed trust to the secondary
+ trusted keyring.
config SYSTEM_BLACKLIST_KEYRING
bool "Provide system-wide ring of blacklisted keys"
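Review bot: The SECONDARY_TRUSTED_KEYRING help text at the top of the hunk still states that a key "already in the secondary trusted keyring" can vouch for a new key, which is exactly what the new option disables, so the two help texts now contradict each other when SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN=y. A short qualifier in the first help text would keep them consistent, e.g. `secondary trusted keyring (unless SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is set, in which case only builtin keys may vouch).` The note about the machine keyring is helpful, but it is stated as a recommendation only; if the intent is that INTEGRITY_CA_MACHINE_KEYRING_MAX is effectively required for the option to deliver "signed by builtin only", the help should say so explicitly rather than leave the operator to infer it.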
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 6b69ea40da23..afcd4d101ac5 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -102,6 +102,10 @@ int restrict_link_by_signature(struct key *dest_keyring,
if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
ret = -ENOKEY;
+ else if (IS_BUILTIN(CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN) &&
+ !strcmp(dest_keyring->description, ".secondary_trusted_keys") &&
+ !test_bit(KEY_FLAG_BUILTIN, &key->flags))
+ ret = -ENOKEY;
else
ret = verify_signature(key, sig);
key_put(key);
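Review bot: The new branch identifies the destination keyring by comparing `dest_keyring->description` against the string literal `".secondary_trusted_keys"`, which will silently stop matching (and so silently stop enforcing the restriction) if that keyring's name in certs/system_keyring.c is ever changed; at minimum a comment such as `/* must match the name of secondary_trusted_keys in certs/system_keyring.c */` above the strcmp should tie the two together, and a shared constant would be better if one can be exported. The branch is only reached when `use_builtin_keys` is false, so the existing first branch keeps its meaning, but the kernel-doc comment of restrict_link_by_signature (outside the hunk) should be updated to say that, with CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN set, links into the secondary keyring additionally require the signing key to be builtin. For a bool Kconfig symbol `IS_ENABLED()` is the conventional test; `IS_BUILTIN()` is equivalent here but reads as if the option could be built as a module. The enclosing function starts before the hunk.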