author    Linus Torvalds <torvalds@linux-foundation.org>  2017-05-03 11:50:52 -0400
committer Linus Torvalds <torvalds@linux-foundation.org>  2017-05-03 11:50:52 -0400
commit    0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree      405d4cb3f772ef069ed7f291adc4b74a4e73346e /Documentation/crypto
parent    89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent    8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)

Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
 "Highlights:

  IMA:
   - provide ">" and "<" operators for fowner/uid/euid rules

  KEYS:
   - add a system blacklist keyring
   - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
     functionality to userland via keyctl()

  LSM:
   - harden LSM API with __ro_after_init
   - add prlimit security hook, implement for SELinux
   - revive security_task_alloc hook

  TPM:
   - implement contextual TPM command 'spaces'"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
  tpm: Fix reference count to main device
  tpm_tis: convert to using locality callbacks
  tpm: fix handling of the TPM 2.0 event logs
  tpm_crb: remove a cruft constant
  keys: select CONFIG_CRYPTO when selecting DH / KDF
  apparmor: Make path_max parameter readonly
  apparmor: fix parameters so that the permission test is bypassed at boot
  apparmor: fix invalid reference to index variable of iterator line 836
  apparmor: use SHASH_DESC_ON_STACK
  security/apparmor/lsm.c: set debug messages
  apparmor: fix boolreturn.cocci warnings
  Smack: Use GFP_KERNEL for smk_netlbl_mls().
  smack: fix double free in smack_parse_opts_str()
  KEYS: add SP800-56A KDF support for DH
  KEYS: Keyring asymmetric key restrict method with chaining
  KEYS: Restrict asymmetric key linkage using a specific keychain
  KEYS: Add a lookup_restriction function for the asymmetric key type
  KEYS: Add KEYCTL_RESTRICT_KEYRING
  KEYS: Consistent ordering for __key_link_begin and restrict check
  KEYS: Add an optional lookup_restriction hook to key_type
  ...
Diffstat (limited to 'Documentation/crypto')
 -rw-r--r--  Documentation/crypto/asymmetric-keys.txt  51
 1 files changed, 51 insertions, 0 deletions
diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt
index 2b7816dea370..5ad6480e3fb9 100644
--- a/Documentation/crypto/asymmetric-keys.txt
+++ b/Documentation/crypto/asymmetric-keys.txt
@@ -311,3 +311,54 @@ Functions are provided to register and unregister parsers:
311 311
312Parsers may not have the same name. The names are otherwise only used for 312Parsers may not have the same name. The names are otherwise only used for
313displaying in debugging messages. 313displaying in debugging messages.
314
315
316=========================
317KEYRING LINK RESTRICTIONS
318=========================
319
320Keyrings created from userspace using add_key can be configured to check the
321signature of the key being linked.
322
323Several restriction methods are available:
324
325 (1) Restrict using the kernel builtin trusted keyring
326
327 - Option string used with KEYCTL_RESTRICT_KEYRING:
328 - "builtin_trusted"
329
330 The kernel builtin trusted keyring will be searched for the signing
331 key. The ca_keys kernel parameter also affects which keys are used for
332 signature verification.
333
334 (2) Restrict using the kernel builtin and secondary trusted keyrings
335
336 - Option string used with KEYCTL_RESTRICT_KEYRING:
337 - "builtin_and_secondary_trusted"
338
339 The kernel builtin and secondary trusted keyrings will be searched for the
340 signing key. The ca_keys kernel parameter also affects which keys are used
341 for signature verification.
342
343 (3) Restrict using a separate key or keyring
344
345 - Option string used with KEYCTL_RESTRICT_KEYRING:
346 - "key_or_keyring:<key or keyring serial number>[:chain]"
347
348 Whenever a key link is requested, the link will only succeed if the key
349 being linked is signed by one of the designated keys. This key may be
350 specified directly by providing a serial number for one asymmetric key, or
351 a group of keys may be searched for the signing key by providing the
352 serial number for a keyring.
353
354 When the "chain" option is provided at the end of the string, the keys
355 within the destination keyring will also be searched for signing keys.
356 This allows for verification of certificate chains by adding each
357 cert in order (starting closest to the root) to one keyring.
358
359In all of these cases, if the signing key is found the signature of the key to
360be linked will be verified using the signing key. The requested key is added
361to the keyring only if the signature is successfully verified. -ENOKEY is
362returned if the parent certificate could not be found, or -EKEYREJECTED is
363returned if the signature check fails or the key is blacklisted. Other errors
364may be returned if the signature check could not be performed.
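Review bot: the "chain" paragraph of method (3) leaves the bootstrap case implicit: a freshly restricted destination keyring holds no keys yet, so the first certificate linked (the one "closest to the root") can only be verified against the key or keyring named in the option string, and a self-signed root that is not itself the designated key will fail with -ENOKEY because its parent certificate cannot be found. Spelling this out, e.g. "the first certificate added must be signed by the designated key or by a key in the designated keyring; later certificates may be signed by keys already in the destination keyring", would save users a confusing failure. The section also lists the three option strings but never shows them in an actual KEYCTL_RESTRICT_KEYRING call or says which key type the restriction applies to; a one-line example of the keyctl() invocation would make the new interface much easier to pick up from this document alone.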