From 6364d106e0417e00eb5f223d8a90287d1c421ce0 Mon Sep 17 00:00:00 2001 From: Mickaël Salaün Date: Mon, 12 Jul 2021 19:03:13 +0200 Subject: certs: Allow root user to append signed hashes to the blacklist keyring MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user to dynamically add new keys to the blacklist keyring. This enables to invalidate new certificates, either from being loaded in a keyring, or from being trusted in a PKCS#7 certificate chain. This also enables to add new file hashes to be denied by the integrity infrastructure. Being able to untrust a certificate which could have normaly been trusted is a sensitive operation. This is why adding new hashes to the blacklist keyring is only allowed when these hashes are signed and vouched by the builtin trusted keyring. A blacklist hash is stored as a key description. The PKCS#7 signature of this description must be provided as the key payload. Marking a certificate as untrusted should be enforced while the system is running. It is then forbiden to remove such blacklist keys. Update blacklist keyring, blacklist key and revoked certificate access rights: * allows the root user to search for a specific blacklisted hash, which make sense because the descriptions are already viewable; * forbids key update (blacklist and asymmetric ones); * restricts kernel rights on the blacklist keyring to align with the root user rights. See help in tools/certs/print-cert-tbs-hash.sh . Cc: David Howells Cc: David Woodhouse Cc: Eric Snowberg Cc: Jarkko Sakkinen Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20210712170313.884724-6-mic@digikod.net Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen --- certs/Kconfig | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'certs/Kconfig') diff --git a/certs/Kconfig b/certs/Kconfig index 4bd385b25084..476755703cf8 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -127,4 +127,14 @@ config SYSTEM_REVOCATION_KEYS containing X.509 certificates to be included in the default blacklist keyring. +config SYSTEM_BLACKLIST_AUTH_UPDATE + bool "Allow root to add signed blacklist keys" + depends on SYSTEM_BLACKLIST_KEYRING + depends on SYSTEM_DATA_VERIFICATION + help + If set, provide the ability to load new blacklist keys at run time if + they are signed and vouched by a certificate from the builtin trusted + keyring. The PKCS#7 signature of the description is set in the key + payload. Blacklist keys cannot be removed. + endmenu -- cgit