Commit 40d3585e authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx

certs: Introduce search_trusted_key()

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

-------------------------------------------------

Introduce search_trusted_key() to extend the key search to the primary or
secondary built-in keyrings.

v4:
 - adapt the context of include/linux/verification.h to the 6.6 kernel

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarzhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: default avatarzhangguangzhi <zhangguangzhi3@huawei.com>
parent 43d4042e
+23 −0
@@ -441,6 +441,29 @@ int verify_pkcs7_signature(const void *data, size_t len,
}
EXPORT_SYMBOL_GPL(verify_pkcs7_signature);

#ifdef CONFIG_IMA_DIGEST_LIST
struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
			       char *name)
{
	key_ref_t kref;

	if (!trusted_keys) {
		trusted_keys = builtin_trusted_keys;
	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
		trusted_keys = secondary_trusted_keys;
#else
		trusted_keys = builtin_trusted_keys;
#endif
	}
	kref = keyring_search(make_key_ref(trusted_keys, 1), type, name, true);
	if (IS_ERR(kref))
		return ERR_CAST(kref);

	return key_ref_to_ptr(kref);
}
EXPORT_SYMBOL_GPL(search_trusted_key);
#endif /* CONFIG_IMA_DIGEST_LIST */
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */

#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
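Review bot: search_trusted_key() resolves the NULL and VERIFY_USE_SECONDARY_KEYRING sentinels but not VERIFY_USE_PLATFORM_KEYRING, which verification.h also defines as a fake (struct key *) value; a caller passing that sentinel would hand it unchanged to make_key_ref() and keyring_search() would then dereference it. Either reject it before the search, `} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {` / `return ERR_PTR(-EINVAL);` / `}`, or map it to platform_trusted_keys under CONFIG_INTEGRITY_PLATFORM_KEYRING the way verify_pkcs7_signature() above this hunk appears to (its body is outside the hunk, so confirm). Since keyring_search() takes a const description, `name` can be declared `const char *name` here and in the matching prototype in include/linux/verification.h below. The function also lacks a kernel-doc header; it should state that the returned key carries a reference the caller must drop with key_put(), and that a failed search is reported as an ERR_PTR rather than NULL.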
+7 −0
@@ -10,6 +10,9 @@

#include <linux/errno.h>
#include <linux/types.h>
#ifdef CONFIG_IMA_DIGEST_LIST
#include <linux/key.h>
#endif

/*
 * Indicate that both builtin trusted keys and secondary trusted keys
@@ -69,5 +72,9 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
				   enum key_being_used_for usage);
#endif

#ifdef CONFIG_IMA_DIGEST_LIST
struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
			       char *name);
#endif /* CONFIG_IMA_DIGEST_LIST */
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
#endif /* _LINUX_VERIFY_PEFILE_H */
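Review bot: The conditional `#include <linux/key.h>` in the first hunk is heavier than the new prototype needs: the declaration only uses pointers to struct key and struct key_type, so a forward declaration `struct key_type;` beside the existing ones would suffice and avoid pulling linux/key.h into every file that includes verification.h whenever CONFIG_IMA_DIGEST_LIST is set. Whether the header already forward-declares struct key for the existing verify_* prototypes is outside the hunk, so check before dropping the include. The `char *name` in the prototype should also track whatever constness the definition in certs/ settles on, since the two must stay in sync.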