Diffstat (limited to 'KEYS-Add-a-system-blacklist-keyring.patch')
-rw-r--r--KEYS-Add-a-system-blacklist-keyring.patch102
1 files changed, 0 insertions, 102 deletions
diff --git a/KEYS-Add-a-system-blacklist-keyring.patch b/KEYS-Add-a-system-blacklist-keyring.patch
deleted file mode 100644
index 262c960b8..000000000
--- a/KEYS-Add-a-system-blacklist-keyring.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
-
-This adds an additional keyring that is used to store certificates that
-are blacklisted. This keyring is searched first when loading signed modules
-and if the module's certificate is found, it will refuse to load. This is
-useful in cases where third party certificates are used for module signing.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
----
- certs/system_keyring.c | 22 ++++++++++++++++++++++
- include/keys/system_keyring.h | 4 ++++
- init/Kconfig | 9 +++++++++
- 3 files changed, 35 insertions(+)
-
-diff --git a/certs/system_keyring.c b/certs/system_keyring.c
-index 50979d6dcecd..787eeead2f57 100644
---- a/certs/system_keyring.c
-+++ b/certs/system_keyring.c
-@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
- #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
- static struct key *secondary_trusted_keys;
- #endif
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+struct key *system_blacklist_keyring;
-+#endif
-
- extern __initconst const u8 system_certificate_list[];
- extern __initconst const unsigned long system_certificate_list_size;
-@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)
- if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
- panic("Can't link trusted keyrings\n");
- #endif
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
-+ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
-+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
-+ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
-+ KEY_ALLOC_NOT_IN_QUOTA,
-+ NULL, NULL);
-+ if (IS_ERR(system_blacklist_keyring))
-+ panic("Can't allocate system blacklist keyring\n");
-+#endif
-
- return 0;
- }
-@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
- trusted_keys = builtin_trusted_keys;
- #endif
- }
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
-+ if (!ret) {
-+ /* module is signed with a cert in the blacklist. reject */
-+ pr_err("Module key is in the blacklist\n");
-+ ret = -EKEYREJECTED;
-+ goto error;
-+ }
-+#endif
- ret = pkcs7_validate_trust(pkcs7, trusted_keys);
- if (ret < 0) {
- if (ret == -ENOKEY)
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index fbd4647767e9..5bc291a3d261 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
- #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
- #endif
-
-+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-+extern struct key *system_blacklist_keyring;
-+#endif
-+
- #ifdef CONFIG_IMA_BLACKLIST_KEYRING
- extern struct key *ima_blacklist_keyring;
-
-diff --git a/init/Kconfig b/init/Kconfig
-index 34407f15e6d3..461ad575a608 100644
---- a/init/Kconfig
-+++ b/init/Kconfig
-@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION
- module verification, kexec image verification and firmware blob
- verification.
-
-+config SYSTEM_BLACKLIST_KEYRING
-+ bool "Provide system-wide ring of blacklisted keys"
-+ depends on KEYS
-+ help
-+ Provide a system keyring to which blacklisted keys can be added.
-+ Keys in the keyring are considered entirely untrusted. Keys in this
-+ keyring are used by the module signature checking to reject loading
-+ of modules signed with a blacklisted key.
-+
- config PROFILING
- bool "Profiling support"
- help
---
-2.9.3
-