Diffstat (limited to '0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch')
-rw-r--r-- | 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch | 85 |
1 files changed, 0 insertions, 85 deletions
diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
deleted file mode 100644
index 816c4f0ea..000000000
--- a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
-From: Kairui Song <kasong@redhat.com>
-Date: Mon, 21 Jan 2019 17:59:28 +0800
-Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
-
-commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
-introduced a .platform keyring for storing preboot keys, used for
-verifying kernel image signatures. Currently only IMA-appraisal is able
-to use the keyring to verify kernel images that have their signature
-stored in xattr.
-
-This patch exposes the .platform keyring, making it accessible for
-verifying PE signed kernel images as well.
-
-Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Kairui Song <kasong@redhat.com>
-Cc: David Howells <dhowells@redhat.com>
-[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
----
- certs/system_keyring.c | 10 ++++++++++
- include/keys/system_keyring.h | 8 ++++++++
- security/integrity/digsig.c | 3 +++
- 3 files changed, 21 insertions(+)
-
-diff --git a/certs/system_keyring.c b/certs/system_keyring.c
-index 81728717523d..da055e901df4 100644
---- a/certs/system_keyring.c
-+++ b/certs/system_keyring.c
-@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
- #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
- static struct key *secondary_trusted_keys;
- #endif
-+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
-+static struct key *platform_trusted_keys;
-+#endif
-
- extern __initconst const u8 system_certificate_list[];
- extern __initconst const unsigned long system_certificate_list_size;
-@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
- EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
-
- #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
-+
-+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
-+void __init set_platform_trusted_keys(struct key *keyring)
-+{
-+ platform_trusted_keys = keyring;
-+}
-+#endif
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index 359c2f936004..42a93eda331c 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
- }
- #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
-
-+#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
-+ defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
-+extern void __init set_platform_trusted_keys(struct key *keyring);
-+#else
-+static inline void set_platform_trusted_keys(struct key *keyring)
-+{
-+}
-+#endif
-
- #endif /* _KEYS_SYSTEM_KEYRING_H */
-diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
-index f45d6edecf99..e19c2eb72c51 100644
---- a/security/integrity/digsig.c
-+++ b/security/integrity/digsig.c
-@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
- pr_info("Can't allocate %s keyring (%d)\n",
- keyring_name[id], err);
- keyring[id] = NULL;
-+ } else {
-+ if (id == INTEGRITY_KEYRING_PLATFORM)
-+ set_platform_trusted_keys(keyring[id]);
- }
-
- return err;
---
-2.20.1
- |