!5363 [OLK-6.6] ima: Support modsig verify using trusted keys (4214ed2e) · Commits · EulixOS / Software / Kernel

arch/arm64/configs/openeuler_defconfig

+1 −1

Original line number	Diff line number	Diff line
		@@ -7285,7 +7285,7 @@ CONFIG_IMA_APPRAISE=y
		# CONFIG_IMA_ARCH_POLICY is not set
		# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
		CONFIG_IMA_APPRAISE_BOOTPARAM=y
		# CONFIG_IMA_APPRAISE_MODSIG is not set
		CONFIG_IMA_APPRAISE_MODSIG=y
		# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
		# CONFIG_IMA_BLACKLIST_KEYRING is not set
		CONFIG_IMA_LOAD_X509=y

+1 −1

Original line number	Diff line number	Diff line
		@@ -8461,7 +8461,7 @@ CONFIG_IMA_APPRAISE=y
		# CONFIG_IMA_ARCH_POLICY is not set
		# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
		CONFIG_IMA_APPRAISE_BOOTPARAM=y
		# CONFIG_IMA_APPRAISE_MODSIG is not set
		CONFIG_IMA_APPRAISE_MODSIG=y
		# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
		# CONFIG_IMA_BLACKLIST_KEYRING is not set
		CONFIG_IMA_LOAD_X509=y

+16 −2

Original line number	Diff line number	Diff line
		@@ -118,8 +118,22 @@ void ima_collect_modsig(struct modsig modsig, const void buf, loff_t size)

		int ima_modsig_verify(struct key keyring, const struct modsig modsig)
		{
		return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
		int ret;

		ret = verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
		VERIFYING_MODULE_SIGNATURE, NULL, NULL);
		#ifdef CONFIG_IMA_DIGEST_LIST
		if (ret < 0) {
		#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
		keyring = VERIFY_USE_SECONDARY_KEYRING;
		#else
		keyring = NULL;
		#endif
		return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg,
		keyring, VERIFYING_MODULE_SIGNATURE, NULL, NULL);
		}
		#endif
		return ret;
		}

		int ima_get_modsig_digest(const struct modsig modsig, enum hash_algo algo,