diff options
author | Laura Abbott <labbott@redhat.com> | 2018-02-05 11:20:04 -0800 |
---|---|---|
committer | Laura Abbott <labbott@redhat.com> | 2018-02-05 11:35:34 -0800 |
commit | c41960f76806a516b0c4fd1953779fcd20bc7633 (patch) | |
tree | b71e9707b6ad3b47e8f80bddf5874777d6582b10 /KEYS-Add-a-system-blacklist-keyring.patch | |
parent | 622598fecff89da5536a5182e8f9dd5527b8471e (diff) | |
download | kernel-c41960f76806a516b0c4fd1953779fcd20bc7633.tar.gz kernel-c41960f76806a516b0c4fd1953779fcd20bc7633.tar.xz kernel-c41960f76806a516b0c4fd1953779fcd20bc7633.zip |
Linux v4.15
Diffstat (limited to 'KEYS-Add-a-system-blacklist-keyring.patch')
-rw-r--r-- | KEYS-Add-a-system-blacklist-keyring.patch | 102 |
1 files changed, 0 insertions, 102 deletions
diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch deleted file mode 100644 index 262c960b8..000000000 --- a/KEYS-Add-a-system-blacklist-keyring.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring - -This adds an additional keyring that is used to store certificates that -are blacklisted. This keyring is searched first when loading signed modules -and if the module's certificate is found, it will refuse to load. This is -useful in cases where third party certificates are used for module signing. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> ---- - certs/system_keyring.c | 22 ++++++++++++++++++++++ - include/keys/system_keyring.h | 4 ++++ - init/Kconfig | 9 +++++++++ - 3 files changed, 35 insertions(+) - -diff --git a/certs/system_keyring.c b/certs/system_keyring.c -index 50979d6dcecd..787eeead2f57 100644 ---- a/certs/system_keyring.c -+++ b/certs/system_keyring.c -@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; - #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING - static struct key *secondary_trusted_keys; - #endif -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+struct key *system_blacklist_keyring; -+#endif - - extern __initconst const u8 system_certificate_list[]; - extern __initconst const unsigned long system_certificate_list_size; -@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void) - if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0) - panic("Can't link trusted keyrings\n"); - #endif -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", -+ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), -+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), -+ KEY_ALLOC_NOT_IN_QUOTA, -+ NULL, NULL); -+ if (IS_ERR(system_blacklist_keyring)) -+ panic("Can't allocate system blacklist keyring\n"); -+#endif - - return 0; - } -@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len, - trusted_keys = builtin_trusted_keys; - #endif - } -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring); -+ if (!ret) { -+ /* module is signed with a cert in the blacklist. reject */ -+ pr_err("Module key is in the blacklist\n"); -+ ret = -EKEYREJECTED; -+ goto error; -+ } -+#endif - ret = pkcs7_validate_trust(pkcs7, trusted_keys); - if (ret < 0) { - if (ret == -ENOKEY) -diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h -index fbd4647767e9..5bc291a3d261 100644 ---- a/include/keys/system_keyring.h -+++ b/include/keys/system_keyring.h -@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted( - #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted - #endif - -+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -+extern struct key *system_blacklist_keyring; -+#endif -+ - #ifdef CONFIG_IMA_BLACKLIST_KEYRING - extern struct key *ima_blacklist_keyring; - -diff --git a/init/Kconfig b/init/Kconfig -index 34407f15e6d3..461ad575a608 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION - module verification, kexec image verification and firmware blob - verification. - -+config SYSTEM_BLACKLIST_KEYRING -+ bool "Provide system-wide ring of blacklisted keys" -+ depends on KEYS -+ help -+ Provide a system keyring to which blacklisted keys can be added. -+ Keys in the keyring are considered entirely untrusted. Keys in this -+ keyring are used by the module signature checking to reject loading -+ of modules signed with a blacklisted key. -+ - config PROFILING - bool "Profiling support" - help --- -2.9.3 - |