Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-12 23:23:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

KEYS: store reference to machine keyring

Browse Source 
Expose the .machine keyring created in integrity code by adding
a reference.  Store a reference to the machine keyring in
system keyring code. The system keyring code needs this to complete
the keyring link to the machine keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
This commit is contained in:
Eric Snowberg 2022-01-25 21:58:30 -05:00 committed by Jarkko Sakkinen
parent 45fcd5e521
commit 56edb6c25f
3 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
certs/system_keyring.c
View File

@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
static struct key *secondary_trusted_keys; static struct key *secondary_trusted_keys;
#endif #endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
static struct key *machine_trusted_keys;
#endif
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
static struct key *platform_trusted_keys; static struct key *platform_trusted_keys;
#endif #endif
@ -91,6 +94,12 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
return restriction; return restriction;
} }
#endif #endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
void __init set_machine_trusted_keys(struct key *keyring)
{
machine_trusted_keys = keyring;
}
#endif
/* /*
* Create the trusted keyrings * Create the trusted keyrings

8
include/keys/system_keyring.h
View File

@ -38,6 +38,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif #endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
extern void __init set_machine_trusted_keys(struct key *keyring);
#else
static inline void __init set_machine_trusted_keys(struct key *keyring)
{
}
#endif
extern struct pkcs7_message *pkcs7; extern struct pkcs7_message *pkcs7;
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
extern int mark_hash_blacklisted(const char *hash); extern int mark_hash_blacklisted(const char *hash);

2
security/integrity/digsig.c
View File

@ -112,6 +112,8 @@ static int __init __integrity_init_keyring(const unsigned int id,
} else { } else {
if (id == INTEGRITY_KEYRING_PLATFORM) if (id == INTEGRITY_KEYRING_PLATFORM)
set_platform_trusted_keys(keyring[id]); set_platform_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_MACHINE)
set_machine_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_IMA) if (id == INTEGRITY_KEYRING_IMA)
load_module_cert(keyring[id]); load_module_cert(keyring[id]);
} }