From e763f1a0bd5dcf213e0560971e38037da33dd2d6 Mon Sep 17 00:00:00 2001 From: Kairui Song Date: Mon, 21 Jan 2019 17:59:28 +0800 Subject: [PATCH] integrity, KEYS: add a reference to platform keyring commit a4d39d79291a ("integrity: Define a trusted platform keyring") introduced a .platform keyring for storing preboot keys, used for verifying kernel image signatures. Currently only IMA-appraisal is able to use the keyring to verify kernel images that have their signature stored in xattr. This patch exposes the .platform keyring, making it accessible for verifying PE signed kernel images as well. Suggested-by: Mimi Zohar Signed-off-by: Kairui Song Cc: David Howells [zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix] Signed-off-by: Mimi Zohar --- certs/system_keyring.c | 10 ++++++++++ include/keys/system_keyring.h | 8 ++++++++ security/integrity/digsig.c | 3 +++ 3 files changed, 21 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d0..da055e901df49 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING static struct key *secondary_trusted_keys; #endif +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +static struct key *platform_trusted_keys; +#endif extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; @@ -266,3 +269,10 @@ error: EXPORT_SYMBOL_GPL(verify_pkcs7_signature); #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ + +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING +void __init set_platform_trusted_keys(struct key *keyring) +{ + platform_trusted_keys = keyring; +} +#endif diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 359c2f936004b..42a93eda331cc 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void) } #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ +#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ + defined(CONFIG_SYSTEM_TRUSTED_KEYRING) +extern void __init set_platform_trusted_keys(struct key *keyring); +#else +static inline void set_platform_trusted_keys(struct key *keyring) +{ +} +#endif #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index f45d6edecf99a..e19c2eb72c51b 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, pr_info("Can't allocate %s keyring (%d)\n", keyring_name[id], err); keyring[id] = NULL; + } else { + if (id == INTEGRITY_KEYRING_PLATFORM) + set_platform_trusted_keys(keyring[id]); } return err; -- 2.39.5