aleph/lkl_linux
1
0
Fork 0
mirror of https://github.com/lkl/linux.git synced 2025-12-19 08:03:01 +09:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Browse Source 
Pull IMA updates from Mimi Zohar:
 "In addition to loading the kernel module signing key onto the builtin
  keyring, load it onto the IMA keyring as well.

  Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
  ima: Fix fall-through warnings for Clang
  integrity: Add declarations to init_once void arguments.
  ima: Fix function name error in comment.
  ima: enable loading of build time generated key on .ima keyring
  ima: enable signing of modules with build time generated key
  keys: cleanup build time module signing keys
  ima: Fix the error code for restoring the PCR value
  ima: without an IMA policy loaded, return quickly
This commit is contained in:
Linus Torvalds
2021-05-01 15:32:18 -07:00
parent 10a3efd0fe 781a573948
commit e6f0bf09f0
12 changed files with 75 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
certs/system_keyring.c
View File

@@ -28,6 +28,7 @@ static struct key *platform_trusted_keys;
extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
extern __initconst const unsigned long module_cert_size;
/**
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -133,15 +134,35 @@ static __init int system_trusted_keyring_init(void)
*/
device_initcall(system_trusted_keyring_init);
__init int load_module_cert(struct key *keyring)
{
if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
return 0;
pr_notice("Loading compiled-in module X.509 certificates\n");
return load_certificate_list(system_certificate_list, module_cert_size, keyring);
}
/*
* Load the compiled-in list of X.509 certificates.
*/
static __init int load_system_certificate_list(void)
{
const u8 *p;
unsigned long size;
pr_notice("Loading compiled-in X.509 certificates\n");
return load_certificate_list(system_certificate_list, system_certificate_list_size,
builtin_trusted_keys);
#ifdef CONFIG_MODULE_SIG
p = system_certificate_list;
size = system_certificate_list_size;
#else
p = system_certificate_list + module_cert_size;
size = system_certificate_list_size - module_cert_size;
#endif
return load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);