KEYS: Provide a function to load keys from a PGP keyring blob

	  for key data and provides the ability to instantiate a crypto key

	  from a public key packet found inside the blob.

config PGP_PRELOAD

	bool "PGP public key preloading facility"

	select PGP_KEY_PARSER

	help

	  This option provides a facility for the kernel to preload PGP-wrapped

	  bundles of keys during boot.  It is used by module signing to load

	  the module signing keys for example.

endif # ASYMMETRIC_KEY_TYPE

# PGP handling

#

obj-$(CONFIG_PGP_LIBRARY) += pgp_library.o

obj-$(CONFIG_PGP_PRELOAD) += pgp_preload.o

obj-$(CONFIG_PGP_KEY_PARSER) += pgp_key_parser.o

pgp_key_parser-y := \

// SPDX-License-Identifier: GPL-2.0

/* Cryptographic key request handling

 *

 * Copyright (C) 2011 Red Hat, Inc. All Rights Reserved.

 * Written by David Howells (dhowells@redhat.com)

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public Licence

 * as published by the Free Software Foundation; either version

 * 2 of the Licence, or (at your option) any later version.

 *

 * See Documentation/security/keys-crypto.txt

 */

#ifdef CONFIG_PGP_PRELOAD

#include <linux/module.h>

#include <linux/key.h>

#include <linux/pgplib.h>

#include <linux/pgp.h>

#include <linux/err.h>

#include <keys/asymmetric-type.h>

struct preload_pgp_keys_context {

	struct pgp_parse_context pgp;

	key_ref_t keyring;

	const u8 *key_start;

	const u8 *key_end;

	bool found_key;

};

/*

 * Create a key.

 */

static int __init create_pgp_key(struct preload_pgp_keys_context *ctx)

{

	key_ref_t key;

	key = key_create_or_update(ctx->keyring,

				   "asymmetric",

				   NULL,

				   ctx->key_start,

				   ctx->key_end - ctx->key_start,

				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

				    KEY_USR_VIEW | KEY_USR_READ),

				   KEY_ALLOC_NOT_IN_QUOTA |

				   KEY_ALLOC_BUILT_IN |

				   KEY_ALLOC_BYPASS_RESTRICTION);

	if (IS_ERR(key))

		return PTR_ERR(key);

	pr_notice("Loaded PGP key '%s'\n",

		  key_ref_to_ptr(key)->description);

	key_ref_put(key);

	return 0;

}

/*

 * Extract a public key or subkey from the PGP stream.

 */

static int __init found_pgp_key(struct pgp_parse_context *context,

				enum pgp_packet_tag type, u8 headerlen,

				const u8 *data, size_t datalen)

{

	struct preload_pgp_keys_context *ctx =

		container_of(context, struct preload_pgp_keys_context, pgp);

	int ret;

	if (ctx->found_key) {

		ctx->key_end = data - headerlen;

		ret = create_pgp_key(ctx);

		if (ret < 0)

			return ret;

	}

	ctx->key_start = data - headerlen;

	ctx->found_key = true;

	return 0;

}

/**

 * preload_pgp_keys - Load keys from a PGP keyring blob

 * @pgpdata: The PGP keyring blob containing the keys.

 * @pgpdatalen: The size of the @pgpdata blob.

 * @keyring: The keyring to add the new keys to.

 *

 * Preload a pack of keys from a PGP keyring blob.

 *

 * The keys have their descriptions generated from the user ID and fingerprint

 * in the PGP stream.  Since keys can be matched on their key IDs independently

 * of the key description, the description is mostly irrelevant apart from the

 * fact that keys of the same description displace one another from a keyring.

 *

 * The caller should override the current creds if they want the keys to be

 * owned by someone other than the current process's owner.  Keys will not be

 * accounted towards the owner's quota.

 *

 * This function may only be called whilst the kernel is booting.

 */

int __init preload_pgp_keys(const u8 *pgpdata, size_t pgpdatalen,

			    struct key *keyring)

{

	struct preload_pgp_keys_context ctx;

	int ret;

	ctx.pgp.types_of_interest = (1 << PGP_PKT_PUBLIC_KEY);

	ctx.pgp.process_packet = found_pgp_key;

	ctx.keyring = make_key_ref(keyring, 1);

	ctx.found_key = false;

	ret = pgp_parse_packets(pgpdata, pgpdatalen, &ctx.pgp);

	if (ret < 0)

		return ret;

	if (ctx.found_key) {

		ctx.key_end = pgpdata + pgpdatalen;

		return create_pgp_key(&ctx);

	}

	return 0;

}

#endif /* CONFIG_PGP_PRELOAD */

#ifdef CONFIG_PGP_LIBRARY

#include <linux/types.h>

#include <linux/key.h>

struct pgp_key_ID {

	u8 id[8];

	PGP_LIT_FORMAT_TEXT_UTF8		= 0x75,

};

int __init preload_pgp_keys(const u8 *pgpdata, size_t pgpdatalen,

			    struct key *keyring);

#endif /* CONFIG_PGP_LIBRARY */

#endif /* _LINUX_PGP_H */