From: Stephen Rothwell Date: Wed, 14 Apr 2021 04:36:02 +0000 (+1000) Subject: Merge remote-tracking branch 'keys/keys-next' X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=bdc522744d3b71861feda853fbf729cee26aa5e6;p=users%2Fjedix%2Flinux-maple.git Merge remote-tracking branch 'keys/keys-next' # Conflicts: # certs/system_keyring.c --- bdc522744d3b71861feda853fbf729cee26aa5e6 diff --cc certs/Makefile index e3185c57fbd8,b6db52ebf0be..0b763cd8080b --- a/certs/Makefile +++ b/certs/Makefile @@@ -29,17 -30,9 +30,17 @@@ $(obj)/x509_certificate_list: scripts/e $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING - clean-files := x509_certificate_list .x509.list + clean-files := x509_certificate_list .x509.list x509_revocation_list ifeq ($(CONFIG_MODULE_SIG),y) + SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) + SIGN_KEY = y +endif + +ifdef SIGN_KEY ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been diff --cc certs/system_keyring.c index 2b3ad375ecc1,0c9a4795e847..74f7ce846b35 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@@ -133,88 -133,15 +134,36 @@@ static __init int system_trusted_keyrin */ device_initcall(system_trusted_keyring_init); - static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring) - { - key_ref_t key; - size_t plen; - - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(keyring, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - - dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; - } - +__init int load_module_cert(struct key *keyring) +{ - const u8 *p, *end; - + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) + return 0; + + pr_notice("Loading compiled-in module X.509 certificates\n"); + - p = system_certificate_list; - end = p + module_cert_size; - - return load_cert(p, end, keyring); ++ return load_certificate_list(system_certificate_list, module_cert_size, ++ keyring); +} + /* * Load the compiled-in list of X.509 certificates. */ static __init int load_system_certificate_list(void) { - const u8 *p, *end; ++ const u8 *p; + unsigned long size; + pr_notice("Loading compiled-in X.509 certificates\n"); - return load_certificate_list(system_certificate_list, system_certificate_list_size, - builtin_trusted_keys); +#ifdef CONFIG_MODULE_SIG + p = system_certificate_list; + size = system_certificate_list_size; +#else + p = system_certificate_list + module_cert_size; + size = system_certificate_list_size - module_cert_size; +#endif + - end = p + size; - return load_cert(p, end, builtin_trusted_keys); ++ return load_certificate_list(p, size, builtin_trusted_keys); } late_initcall(load_system_certificate_list);