summaryrefslogtreecommitdiffstats
path: root/certs/system_keyring.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2021-05-01 15:32:18 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2021-05-01 15:32:18 -0700
commite6f0bf09f0669b3c2cd77fa906830123279a0a21 (patch)
tree57aed6ff25d40e31f129b934403c7fac7a8cc8c8 /certs/system_keyring.c
parent10a3efd0fee5e881b1866cf45950808575cb0f24 (diff)
parent781a5739489949fd0f32432a9da17f7ddbccf1cc (diff)
Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull IMA updates from Mimi Zohar: "In addition to loading the kernel module signing key onto the builtin keyring, load it onto the IMA keyring as well. Also six trivial changes and bug fixes" * tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies ima: Fix fall-through warnings for Clang integrity: Add declarations to init_once void arguments. ima: Fix function name error in comment. ima: enable loading of build time generated key on .ima keyring ima: enable signing of modules with build time generated key keys: cleanup build time module signing keys ima: Fix the error code for restoring the PCR value ima: without an IMA policy loaded, return quickly
Diffstat (limited to 'certs/system_keyring.c')
-rw-r--r--certs/system_keyring.c25
1 files changed, 23 insertions, 2 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 0c9a4795e847..692365dee2bd 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -28,6 +28,7 @@ static struct key *platform_trusted_keys;
extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
/**
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -133,15 +134,35 @@ static __init int system_trusted_keyring_init(void)
*/
device_initcall(system_trusted_keyring_init);
+__init int load_module_cert(struct key *keyring)
+{
+ if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+ return 0;
+
+ pr_notice("Loading compiled-in module X.509 certificates\n");
+
+ return load_certificate_list(system_certificate_list, module_cert_size, keyring);
+}
+
/*
* Load the compiled-in list of X.509 certificates.
*/
static __init int load_system_certificate_list(void)
{
+ const u8 *p;
+ unsigned long size;
+
pr_notice("Loading compiled-in X.509 certificates\n");
- return load_certificate_list(system_certificate_list, system_certificate_list_size,
- builtin_trusted_keys);
+#ifdef CONFIG_MODULE_SIG
+ p = system_certificate_list;
+ size = system_certificate_list_size;
+#else
+ p = system_certificate_list + module_cert_size;
+ size = system_certificate_list_size - module_cert_size;
+#endif
+
+ return load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);