author | Linus Torvalds <torvalds@linux-foundation.org> | 2021-05-01 15:32:18 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2021-05-01 15:32:18 -0700 |
commit | e6f0bf09f0669b3c2cd77fa906830123279a0a21 (patch) | |
tree | 57aed6ff25d40e31f129b934403c7fac7a8cc8c8 /certs | |
parent | 10a3efd0fee5e881b1866cf45950808575cb0f24 (diff) | |
parent | 781a5739489949fd0f32432a9da17f7ddbccf1cc (diff) | |
Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull IMA updates from Mimi Zohar:
"In addition to loading the kernel module signing key onto the builtin
keyring, load it onto the IMA keyring as well.
Also six trivial changes and bug fixes"
* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
ima: Fix fall-through warnings for Clang
integrity: Add declarations to init_once void arguments.
ima: Fix function name error in comment.
ima: enable loading of build time generated key on .ima keyring
ima: enable signing of modules with build time generated key
keys: cleanup build time module signing keys
ima: Fix the error code for restoring the PCR value
ima: without an IMA policy loaded, return quickly
Diffstat (limited to 'certs')
-rw-r--r-- | certs/Kconfig | 2 | ||||
-rw-r--r-- | certs/Makefile | 10 | ||||
-rw-r--r-- | certs/system_certificates.S | 14 | ||||
-rw-r--r-- | certs/system_keyring.c | 25 |
4 files changed, 47 insertions, 4 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index ab88d2a7f3c7..f4e61116f94e 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -4,7 +4,7 @@ menu "Certificates for signature checking" config MODULE_SIG_KEY string "File name or PKCS#11 URI of module signing key" default "certs/signing_key.pem" - depends on MODULE_SIG + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) help Provide the file name of a private key/certificate in PEM format, or a PKCS#11 URI according to RFC7512. The file should contain, or diff --git a/certs/Makefile b/certs/Makefile index b6db52ebf0be..359239a0ee9e 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -33,6 +33,16 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING clean-files := x509_certificate_list .x509.list x509_revocation_list ifeq ($(CONFIG_MODULE_SIG),y) + SIGN_KEY = y +endif + +ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y) +ifeq ($(CONFIG_MODULES),y) + SIGN_KEY = y +endif +endif + +ifdef SIGN_KEY ############################################################################### # # If module signing is requested, say by allyesconfig, but a key has not been diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 8f29058adf93..e1645e6f4d97 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -8,9 +8,12 @@ .globl system_certificate_list system_certificate_list: __cert_list_start: -#ifdef CONFIG_MODULE_SIG +__module_cert_start: +#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \ + && defined(CONFIG_MODULES)) .incbin "certs/signing_key.x509" #endif +__module_cert_end: .incbin "certs/x509_certificate_list" __cert_list_end: @@ -35,3 +38,12 @@ system_certificate_list_size: #else .long __cert_list_end - __cert_list_start #endif + + .align 8 + .globl module_cert_size +module_cert_size: +#ifdef CONFIG_64BIT + .quad __module_cert_end - __module_cert_start +#else + .long __module_cert_end - __module_cert_start +#endif 
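Review bot: The predicate `MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)` is now written out three times in this commit: in this `depends on` line, as the `SIGN_KEY` block in certs/Makefile, and as the `#if defined(...)` around `.incbin "certs/signing_key.x509"` in certs/system_certificates.S, while load_module_cert() in certs/system_keyring.c tests only IMA_APPRAISE_MODSIG. If one copy drifts, the key may be generated without being embedded, or the `.incbin` may name a file the Makefile never produced. Since MODULE_SIG_KEY already carries the dependency, the other sites could probably test that symbol instead, though this needs checking against configs with an empty key path. Failing that, a comment at each site such as `# keep in sync with the MODULE_SIG_KEY dependencies in certs/Kconfig` would make the coupling visible. The config entry's help text continues past the end of the hunk.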
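Review bot: Nothing in certs/system_certificates.S marks that `.incbin "certs/signing_key.x509"` has to stay the first entry after `__cert_list_start`, although the new `module_cert_size` is only meaningful under that layout. certs/system_keyring.c treats the first module_cert_size bytes of system_certificate_list as the module signing certificate: load_module_cert() loads exactly that prefix, and load_system_certificate_list() skips it for the builtin keyring when MODULE_SIG is off. Anything later placed ahead of the signing certificate would silently change which certificates each keyring ends up trusting. A comment above `__module_cert_start:` would be enough, e.g. `/* Module signing cert must stay first: C code takes [list, list + module_cert_size) as the module cert. */`.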
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 0c9a4795e847..692365dee2bd 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -28,6 +28,7 @@ static struct key *platform_trusted_keys; extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; +extern __initconst const unsigned long module_cert_size; /** * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA @@ -133,15 +134,35 @@ static __init int system_trusted_keyring_init(void) */ device_initcall(system_trusted_keyring_init); +__init int load_module_cert(struct key *keyring) +{ + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) + return 0; + + pr_notice("Loading compiled-in module X.509 certificates\n"); + + return load_certificate_list(system_certificate_list, module_cert_size, keyring); +} + /* * Load the compiled-in list of X.509 certificates. */ static __init int load_system_certificate_list(void) { + const u8 *p; + unsigned long size; + pr_notice("Loading compiled-in X.509 certificates\n"); - return load_certificate_list(system_certificate_list, system_certificate_list_size, - builtin_trusted_keys); +#ifdef CONFIG_MODULE_SIG + p = system_certificate_list; + size = system_certificate_list_size; +#else + p = system_certificate_list + module_cert_size; + size = system_certificate_list_size - module_cert_size; +#endif + + return load_certificate_list(p, size, builtin_trusted_keys); } late_initcall(load_system_certificate_list); |
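Review bot: The `#else` branch in load_system_certificate_list() decides whether the module signing certificate is trusted by builtin_trusted_keys, but nothing in the hunk says so, and the comment above the function still reads as if the whole list were always loaded. With CONFIG_MODULE_SIG unset the code skips the first module_cert_size bytes, so as far as this hunk shows the signing certificate only reaches the keyring handed to load_module_cert(). I would state that above the `#ifdef`, e.g. `/* Without MODULE_SIG the signing cert is for IMA only: keep it off the builtin keyring. */`. The subtraction `system_certificate_list_size - module_cert_size` is unsigned and unchecked; both values come from linker symbols, so it should hold by construction, but `if (module_cert_size > system_certificate_list_size) return -EINVAL;` before it would make the assumption explicit. load_module_cert() is non-static and would also benefit from a kernel-doc comment noting that it returns 0 without loading anything when IMA_APPRAISE_MODSIG is disabled.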