integrity: Define a trusted platform keyring

	   .evm keyrings be signed by a key on the system trusted

	   keyring.

config INTEGRITY_PLATFORM_KEYRING

        bool "Provide keyring for platform/firmware trusted keys"

        depends on INTEGRITY_ASYMMETRIC_KEYS

        depends on SYSTEM_BLACKLIST_KEYRING

        depends on EFI

        help

         Provide a separate, distinct keyring for platform trusted keys, which

         the kernel automatically populates during initialization from values

         provided by the platform for verifying the kexec'ed kerned image

         and, possibly, the initramfs signature.

config INTEGRITY_AUDIT

	bool "Enables integrity auditing support "

	depends on AUDIT

integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o

integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o

integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o

integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o

subdir-$(CONFIG_IMA)			+= ima

obj-$(CONFIG_IMA)			+= ima/

	".ima",

#endif

	"_module",

	".platform",

};

#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

	return -EOPNOTSUPP;

}

int __init integrity_init_keyring(const unsigned int id)

static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,

				    struct key_restriction *restriction)

{

	const struct cred *cred = current_cred();

	struct key_restriction *restriction;

	int err = 0;

	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))

		return 0;

	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);

	if (!restriction)

		return -ENOMEM;

	restriction->check = restrict_link_to_ima;

	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),

				    KGIDT_INIT(0), cred,

				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

				     KEY_USR_VIEW | KEY_USR_READ |

				     KEY_USR_WRITE | KEY_USR_SEARCH),

				    KGIDT_INIT(0), cred, perm,

				    KEY_ALLOC_NOT_IN_QUOTA,

				    restriction, NULL);

	if (IS_ERR(keyring[id])) {

			keyring_name[id], err);

		keyring[id] = NULL;

	}

	return err;

}

int __init integrity_init_keyring(const unsigned int id)

{

	struct key_restriction *restriction;

	key_perm_t perm;

	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW

		| KEY_USR_READ | KEY_USR_SEARCH;

	if (id == INTEGRITY_KEYRING_PLATFORM) {

		restriction = NULL;

		goto out;

	}

	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))

		return 0;

	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);

	if (!restriction)

		return -ENOMEM;

	restriction->check = restrict_link_to_ima;

	perm |= KEY_USR_WRITE;

out:

	return __integrity_init_keyring(id, perm, restriction);

}

int __init integrity_load_x509(const unsigned int id, const char *path)

{

	key_ref_t key;

#define INTEGRITY_KEYRING_EVM		0

#define INTEGRITY_KEYRING_IMA		1

#define INTEGRITY_KEYRING_MODULE	2

#define INTEGRITY_KEYRING_MAX		3

#define INTEGRITY_KEYRING_PLATFORM	3

#define INTEGRITY_KEYRING_MAX		4

extern struct dentry *integrity_dir;

// SPDX-License-Identifier: GPL-2.0+

/*

 * Platform keyring for firmware/platform keys

 *

 * Copyright IBM Corporation, 2018

 * Author(s): Nayna Jain <nayna@linux.ibm.com>

 */

#include <linux/export.h>

#include <linux/kernel.h>

#include <linux/sched.h>

#include <linux/cred.h>

#include <linux/err.h>

#include <linux/slab.h>

#include "../integrity.h"

/*

 * Create the trusted keyrings.

 */

static __init int platform_keyring_init(void)

{

	int rc;

	rc = integrity_init_keyring(INTEGRITY_KEYRING_PLATFORM);

	if (rc)

		return rc;

	pr_notice("Platform Keyring initialized\n");

	return 0;

}

/*

 * Must be initialised before we try and load the keys into the keyring.

 */

device_initcall(platform_keyring_init);