authorLaura Abbott <labbott@redhat.com>2019-04-23 16:24:31 -0700
committerLaura Abbott <labbott@redhat.com>2019-04-29 07:15:44 -0700
commit3138f776992a986bb8cfc6650f611e5d8fe08a92 (patch)
tree2897266ca314596bff1394e78986c9a8bd491e6a /0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
parentda4a3a41408ed200f158ba0b1d0c6daf9f6abb29 (diff)
Add some dependent patches for the module signing fixup
Diffstat (limited to '0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch')
-rw-r--r--0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch85
1 files changed, 85 insertions, 0 deletions
diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
new file mode 100644
index 000000000..816c4f0ea
--- /dev/null
+++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
@@ -0,0 +1,85 @@
+From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Mon, 21 Jan 2019 17:59:28 +0800
+Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
+
+commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
+introduced a .platform keyring for storing preboot keys, used for
+verifying kernel image signatures. Currently only IMA-appraisal is able
+to use the keyring to verify kernel images that have their signature
+stored in xattr.
+
+This patch exposes the .platform keyring, making it accessible for
+verifying PE signed kernel images as well.
+
+Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+---
+ certs/system_keyring.c | 10 ++++++++++
+ include/keys/system_keyring.h | 8 ++++++++
+ security/integrity/digsig.c | 3 +++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 81728717523d..da055e901df4 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ static struct key *secondary_trusted_keys;
+ #endif
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++static struct key *platform_trusted_keys;
++#endif
+
+ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+
+ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
++
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++void __init set_platform_trusted_keys(struct key *keyring)
++{
++ platform_trusted_keys = keyring;
++}
++#endif
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 359c2f936004..42a93eda331c 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
+ }
+ #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
+
++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
++ defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
++extern void __init set_platform_trusted_keys(struct key *keyring);
++#else
++static inline void set_platform_trusted_keys(struct key *keyring)
++{
++}
++#endif
+
+ #endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index f45d6edecf99..e19c2eb72c51 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+ pr_info("Can't allocate %s keyring (%d)\n",
+ keyring_name[id], err);
+ keyring[id] = NULL;
++ } else {
++ if (id == INTEGRITY_KEYRING_PLATFORM)
++ set_platform_trusted_keys(keyring[id]);
+ }
+
+ return err;
+--
+2.20.1
+
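Review bot: `set_platform_trusted_keys()` is annotated `__init` both at its definition in certs/system_keyring.c and in its extern declaration in include/keys/system_keyring.h, yet the only caller the embedded patch adds, `__integrity_init_keyring()` in security/integrity/digsig.c, shows no `__init` in the signature visible in the hunk header, which would produce a modpost section-mismatch warning and, if that path were ever reached after init memory is freed, a call into released text. If `__integrity_init_keyring()` is in fact only reached from `__init` callers (its callers are not visible here), the fix is to annotate it as well, `static int __init __integrity_init_keyring(const unsigned int id, key_perm_t perm,`, keeping the rest of the signature unchanged. Separately, the setter stores the raw `struct key *` without `key_get()`, which is only safe if the .platform entry of `keyring[]` is never released for the kernel's lifetime; that assumption should be written at the definition, e.g. `/* Called once at init with the .platform keyring; the pointer is borrowed, not refcounted, because that keyring is never freed. */`. The body of `__integrity_init_keyring()` begins before this hunk of the embedded patch.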