kexec, KEYS: Make use of platform keyring for signature verify (278311e4) · Commits · 戴 / test

arch/x86/kernel/kexec-bzimage64.c

+11 −3

Original line number	Diff line number	Diff line
		@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data)
		#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
		static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
		{
		return verify_pefile_signature(kernel, kernel_len,
		int ret;

		ret = verify_pefile_signature(kernel, kernel_len,
		VERIFY_USE_SECONDARY_KEYRING,
		VERIFYING_KEXEC_PE_SIGNATURE);
		if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
		ret = verify_pefile_signature(kernel, kernel_len,
		VERIFY_USE_PLATFORM_KEYRING,
		VERIFYING_KEXEC_PE_SIGNATURE);
		}
		return ret;
		}
		#endif

+12 −1

Original line number	Diff line number	Diff line
		@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len,
		#else
		trusted_keys = builtin_trusted_keys;
		#endif
		} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
		#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
		trusted_keys = platform_trusted_keys;
		#else
		trusted_keys = NULL;
		#endif
		if (!trusted_keys) {
		ret = -ENOKEY;
		pr_devel("PKCS#7 platform keyring is not available\n");
		goto error;
		}
		}
		ret = pkcs7_validate_trust(pkcs7, trusted_keys);
		if (ret < 0) {
		if (ret == -ENOKEY)
		pr_err("PKCS#7 signature not signed with a trusted key\n");
		pr_devel("PKCS#7 signature not signed with a trusted key\n");
		goto error;
		}

+1 −0

Original line number	Diff line number	Diff line
		@@ -17,6 +17,7 @@
		* should be used.
		*/
		#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
		#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL)

		/*
		* The use to which an asymmetric key is being put.