Commit 219a3e86 authored by Kairui Song's avatar Kairui Song Committed by Mimi Zohar
Browse files

integrity, KEYS: add a reference to platform keyring 



commit 9dc92c45 ("integrity: Define a trusted platform keyring")
introduced a .platform keyring for storing preboot keys, used for
verifying kernel image signatures. Currently only IMA-appraisal is able
to use the keyring to verify kernel images that have their signature
stored in xattr.

This patch exposes the .platform keyring, making it accessible for
verifying PE signed kernel images as well.

Suggested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Signed-off-by: default avatarKairui Song <kasong@redhat.com>
Cc: David Howells <dhowells@redhat.com>
[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 2181e084

certs/system_keyring.c

+10 −0
Original line number Diff line number Diff line
@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; 
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

static struct key *secondary_trusted_keys;

#endif

#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING

static struct key *platform_trusted_keys;

#endif



extern __initconst const u8 system_certificate_list[];

extern __initconst const unsigned long system_certificate_list_size;
@@ -266,3 +269,10 @@ error: 
EXPORT_SYMBOL_GPL(verify_pkcs7_signature);



#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */



#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING

void __init set_platform_trusted_keys(struct key *keyring)

{

	platform_trusted_keys = keyring;

}

#endif

include/keys/system_keyring.h

+8 −0
Original line number Diff line number Diff line
@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void) 
}

#endif /* CONFIG_IMA_BLACKLIST_KEYRING */



#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \

	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)

extern void __init set_platform_trusted_keys(struct key *keyring);

#else

static inline void set_platform_trusted_keys(struct key *keyring)

{

}

#endif



#endif /* _KEYS_SYSTEM_KEYRING_H */

security/integrity/digsig.c

+3 −0
Original line number Diff line number Diff line
@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, 
		pr_info("Can't allocate %s keyring (%d)\n",

			keyring_name[id], err);

		keyring[id] = NULL;

	} else {

		if (id == INTEGRITY_KEYRING_PLATFORM)

			set_platform_trusted_keys(keyring[id]);

	}



	return err;

CRA Git | Maintained and supported by SUSTech CRA and CCSE