Merge branch 'next-integrity' of... (c3665a6b) · Commits · 戴 / test

arch/x86/kernel/kexec-bzimage64.c

+11 −3

Original line number	Diff line number	Diff line
		@@ -538,9 +538,17 @@ static int bzImage64_cleanup(void *loader_data)
		#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
		static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
		{
		return verify_pefile_signature(kernel, kernel_len,
		int ret;

		ret = verify_pefile_signature(kernel, kernel_len,
		VERIFY_USE_SECONDARY_KEYRING,
		VERIFYING_KEXEC_PE_SIGNATURE);
		if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
		ret = verify_pefile_signature(kernel, kernel_len,
		VERIFY_USE_PLATFORM_KEYRING,
		VERIFYING_KEXEC_PE_SIGNATURE);
		}
		return ret;
		}
		#endif

+22 −1

Original line number	Diff line number	Diff line
		@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
		#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
		static struct key *secondary_trusted_keys;
		#endif
		#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
		static struct key *platform_trusted_keys;
		#endif

		extern __initconst const u8 system_certificate_list[];
		extern __initconst const unsigned long system_certificate_list_size;
		@@ -237,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len,
		#else
		trusted_keys = builtin_trusted_keys;
		#endif
		} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
		#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
		trusted_keys = platform_trusted_keys;
		#else
		trusted_keys = NULL;
		#endif
		if (!trusted_keys) {
		ret = -ENOKEY;
		pr_devel("PKCS#7 platform keyring is not available\n");
		goto error;
		}
		}
		ret = pkcs7_validate_trust(pkcs7, trusted_keys);
		if (ret < 0) {
		if (ret == -ENOKEY)
		pr_err("PKCS#7 signature not signed with a trusted key\n");
		pr_devel("PKCS#7 signature not signed with a trusted key\n");
		goto error;
		}

		@@ -266,3 +280,10 @@ error:
		EXPORT_SYMBOL_GPL(verify_pkcs7_signature);

		#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */

		#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
		void __init set_platform_trusted_keys(struct key *keyring)
		{
		platform_trusted_keys = keyring;
		}
		#endif

+1 −0

Original line number	Diff line number	Diff line
		@@ -3460,6 +3460,7 @@ struct dentry vfs_tmpfile(struct dentry dentry, umode_t mode, int open_flag)
		inode->i_state \|= I_LINKABLE;
		spin_unlock(&inode->i_lock);
		}
		ima_post_create_tmpfile(inode);
		return child;

		out_err:

+8 −0

Original line number	Diff line number	Diff line
		@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
		}
		#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

		#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
		defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
		extern void __init set_platform_trusted_keys(struct key *keyring);
		#else
		static inline void set_platform_trusted_keys(struct key *keyring)
		{
		}
		#endif

		#endif /* _KEYS_SYSTEM_KEYRING_H */

+5 −0

Original line number	Diff line number	Diff line
		@@ -18,6 +18,7 @@ struct linux_binprm;
		#ifdef CONFIG_IMA
		extern int ima_bprm_check(struct linux_binprm *bprm);
		extern int ima_file_check(struct file *file, int mask);
		extern void ima_post_create_tmpfile(struct inode *inode);
		extern void ima_file_free(struct file *file);
		extern int ima_file_mmap(struct file *file, unsigned long prot);
		extern int ima_load_data(enum kernel_load_data_id id);
		@@ -56,6 +57,10 @@ static inline int ima_file_check(struct file *file, int mask)
		return 0;
		}

		static inline void ima_post_create_tmpfile(struct inode *inode)
		{
		}

		static inline void ima_file_free(struct file *file)
		{
		return;