author | Laura Abbott <labbott@redhat.com> | 2019-04-23 16:24:31 -0700 |
committer | Laura Abbott <labbott@redhat.com> | 2019-04-29 07:15:44 -0700 |
commit | 3138f776992a986bb8cfc6650f611e5d8fe08a92 (patch) | |
tree | 2897266ca314596bff1394e78986c9a8bd491e6a /0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch | |
parent | da4a3a41408ed200f158ba0b1d0c6daf9f6abb29 (diff) | |
Add some dependent patches for the module signing fixup
Diffstat (limited to '0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch')
-rw-r--r-- | 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
new file mode 100644
index 000000000..816c4f0ea
--- /dev/null
+++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
@@ -0,0 +1,85 @@
+From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Mon, 21 Jan 2019 17:59:28 +0800
+Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
+
+commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
+introduced a .platform keyring for storing preboot keys, used for
+verifying kernel image signatures. Currently only IMA-appraisal is able
+to use the keyring to verify kernel images that have their signature
+stored in xattr.
+
+This patch exposes the .platform keyring, making it accessible for
+verifying PE signed kernel images as well.
+
+Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+---
+ certs/system_keyring.c | 10 ++++++++++
+ include/keys/system_keyring.h | 8 ++++++++
+ security/integrity/digsig.c | 3 +++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 81728717523d..da055e901df4 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ static struct key *secondary_trusted_keys;
+ #endif
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++static struct key *platform_trusted_keys;
++#endif
+ 
+ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+ 
+ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
++
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++void __init set_platform_trusted_keys(struct key *keyring)
++{
++ platform_trusted_keys = keyring;
++}
++#endif
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 359c2f936004..42a93eda331c 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
+ }
+ #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
+ 
++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
++ defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
++extern void __init set_platform_trusted_keys(struct key *keyring);
++#else
++static inline void set_platform_trusted_keys(struct key *keyring)
++{
++}
++#endif
+ 
+ #endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index f45d6edecf99..e19c2eb72c51 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+ pr_info("Can't allocate %s keyring (%d)\n",
+ keyring_name[id], err);
+ keyring[id] = NULL;
++ } else {
++ if (id == INTEGRITY_KEYRING_PLATFORM)
++ set_platform_trusted_keys(keyring[id]);
+ }
+ 
+ return err;
+-- 
+2.20.1
+
|
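Review bot: In the certs/system_keyring.c part of the added patch, `set_platform_trusted_keys()` only stores the pointer (`platform_trusted_keys = keyring;`) and takes no `key_get()`, so despite the subject line "add a reference" the global is a borrowed alias, not a counted reference; its validity rests on the integrity `.platform` keyring never being released, which presumably holds but is not stated anywhere in the patch. I would add a comment at the assignment such as `/* Borrowed pointer, not refcounted: relies on the .platform keyring living for the kernel's lifetime. */` so a later change that drops or re-creates that keyring does not leave a dangling pointer for the signature-verification path the dependent patches will add. Nothing in this patch reads `platform_trusted_keys` yet, so the setter is dead until those follow-up patches land; noting that in the commit message of the distro commit would help reviewers. The setter is `__init`, so the call site in `__integrity_init_keyring()` must itself be init-only — the hunk header does not show that annotation, so worth confirming. In the digsig.c hunk, `} else { if (id == INTEGRITY_KEYRING_PLATFORM) ... }` could be flattened to `} else if (id == INTEGRITY_KEYRING_PLATFORM) {`, but that is a style nit on upstream code and not worth diverging the backport for.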