]> git.baikalelectronics.ru Git - kernel.git/commitdiff
projects / kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: b4001a3 4fb9d76)
Merge tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells...
authorLinus Torvalds <torvalds@linux-foundation.org>
Tue, 21 Jun 2022 17:13:53 +0000 (12:13 -0500)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 21 Jun 2022 17:13:53 +0000 (12:13 -0500)
Pull signature checking selftest from David Howells:
 "The signature checking code, as used by module signing, kexec, etc.,
  is non-FIPS compliant as there is no selftest.

  For a kernel to be FIPS-compliant, signature checking would have to be
  tested before being used, and the box would need to panic if it's not
  available (probably reasonable as simply disabling signature checking
  would prevent you from loading any driver modules).

  Deal with this by adding a minimal test.

  This is split into two patches: the first moves load_certificate_list()
  to the same place as the X.509 code to make it more accessible
  internally; the second adds a selftest"

* tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  certs: Add FIPS selftests
  certs: Move load_certificate_list() to be with the asymmetric keys code

1  2 
certs/Makefile patch | diff1 | diff2 | blob | history

diff --cc certs/Makefile
index a8d628fd5f7b7aaa694db62b1d1a80ccb08b0e8d,3aac9f33ee22dbadfbd36865e4e34ed4c90dab91..88a73b28d254a2da623e3a5e645b44f711d2cf0d
--- 1/certs/Makefile
--- 2/certs/Makefile
+++ b/certs/Makefile
@@@ -3,21 -3,22 +3,21 @@@
  # Makefile for the linux kernel signature checking certificates.
  #
  
- obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
- obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
+ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
+ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
  obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
  ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
 -quiet_cmd_check_blacklist_hashes = CHECK   $(patsubst "%",%,$(2))
 -      cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@
  
 -$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST))
 +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list
 +CFLAGS_blacklist_hashes.o := -I $(obj)
  
 -$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked
 +quiet_cmd_check_and_copy_blacklist_hash_list = GEN     $@
 +      cmd_check_and_copy_blacklist_hash_list = \
 +      $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
 +      cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@
  
 -CFLAGS_blacklist_hashes.o += -I$(srctree)
 -
 -targets += blacklist_hashes_checked
 -$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE
 -      $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST))
 +$(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
 +      $(call if_changed,check_and_copy_blacklist_hash_list)
  obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
  else
  obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
Linux Kernel Source Tree.