Commit 0273fd42 authored by Linus Torvalds's avatar Linus Torvalds
Pull signature checking selftest from David Howells:
 "The signature checking code, as used by module signing, kexec, etc.,
  is non-FIPS compliant as there is no selftest.

  For a kernel to be FIPS-compliant, signature checking would have to be
  tested before being used, and the box would need to panic if it's not
  available (probably reasonable as simply disabling signature checking
  would prevent you from loading any driver modules).

  Deal with this by adding a minimal test.

  This is split into two patches: the first moves load_certificate_list()
  to the same place as the X.509 code to make it more accessible
  internally; the second adds a selftest"

* tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  certs: Add FIPS selftests
  certs: Move load_certificate_list() to be with the asymmetric keys code
parents ff872b76 3cde3174
+2 −2
@@ -3,8 +3,8 @@
# Makefile for the linux kernel signature checking certificates.
#

obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)

+4 −4
@@ -15,10 +15,9 @@
#include <linux/err.h>
#include <linux/seq_file.h>
#include <linux/uidgid.h>
#include <linux/verification.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include "blacklist.h"
#include "common.h"

/*
 * According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(),
@@ -365,7 +364,8 @@ static __init int load_revocation_certificate_list(void)
	if (revocation_certificate_list_size)
		pr_notice("Loading compiled-in revocation X.509 certificates\n");

	return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
	return x509_load_certificate_list(revocation_certificate_list,
					  revocation_certificate_list_size,
					  blacklist_keyring);
}
late_initcall(load_revocation_certificate_list);

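--- a/certs/common.h
+++ b/certs/common.h
@@ -1,9 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-or-later */
-
-#ifndef _CERT_COMMON_H
-#define _CERT_COMMON_H
-
-int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
-			  const struct key *keyring);
-
-#endif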
+3 −3
@@ -16,7 +16,6 @@
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
#include "common.h"

static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
@@ -183,7 +182,8 @@ __init int load_module_cert(struct key *keyring)

	pr_notice("Loading compiled-in module X.509 certificates\n");

	return load_certificate_list(system_certificate_list, module_cert_size, keyring);
	return x509_load_certificate_list(system_certificate_list,
					  module_cert_size, keyring);
}

/*
@@ -204,7 +204,7 @@ static __init int load_system_certificate_list(void)
	size = system_certificate_list_size - module_cert_size;
#endif

	return load_certificate_list(p, size, builtin_trusted_keys);
	return x509_load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);

+10 −0
@@ -75,4 +75,14 @@ config SIGNED_PE_FILE_VERIFICATION
	  This option provides support for verifying the signature(s) on a
	  signed PE binary.

config FIPS_SIGNATURE_SELFTEST
	bool "Run FIPS selftests on the X.509+PKCS7 signature verification"
	help
	  This option causes some selftests to be run on the signature
	  verification code, using some built in data.  This is required
	  for FIPS.
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	depends on PKCS7_MESSAGE_PARSER

endif # ASYMMETRIC_KEY_TYPE
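Review bot: The help text of `FIPS_SIGNATURE_SELFTEST` says only that the selftests are "required for FIPS"; it does not say what a failing selftest does, and nothing in this hunk ties the option to the kernel's FIPS configuration, so a FIPS-targeted build can leave it unset without any warning. The pull description speaks of panicking when signature checking is unavailable; if the selftest does panic on failure (that code is not in the visible hunks), the help should state it, for example `A selftest failure panics the kernel during boot.`, together with `Say Y when building a kernel intended for FIPS mode.` Separately, `depends on ASYMMETRIC_KEY_TYPE` looks redundant, since the `endif # ASYMMETRIC_KEY_TYPE` on the last line indicates the entry already sits inside that conditional block, and the three `depends on` lines would conventionally come before `help`.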