Commit 7634d983 authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx

ima: Search key in the built-in keyrings

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

-------------------------------------------------

This patch calls search_trusted_key() in request_asymmetric_key() if the
key is not found in the IMA/EVM keyrings.

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarzhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: default avatarzhangguangzhi <zhangguangzhi3@huawei.com>
parent 40d3585e
+13 −0
@@ -9,6 +9,9 @@
#include <linux/err.h>
#include <linux/ratelimit.h>
#include <linux/key-type.h>
#ifdef CONFIG_IMA_DIGEST_LIST
#include <linux/verification.h>
#endif
#include <crypto/public_key.h>
#include <crypto/hash_info.h>
#include <keys/asymmetric-type.h>
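Review bot: The `#ifdef CONFIG_IMA_DIGEST_LIST` guard around `#include <linux/verification.h>` is a style issue: kernel sources normally include headers unconditionally and leave the config handling to the header itself. Including it unconditionally, as a plain `#include <linux/verification.h>`, keeps the include list free of preprocessor branches and makes `VERIFY_USE_SECONDARY_KEYRING` available to code that is not itself wrapped in the same `#ifdef`. Where `search_trusted_key()` is declared is not visible on this page, so confirm that its prototype is also reachable in every configuration that compiles the call.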
@@ -54,6 +57,16 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid)
		key = request_key(&key_type_asymmetric, name, NULL);
	}

#ifdef CONFIG_IMA_DIGEST_LIST
	if (IS_ERR(key)) {
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
		keyring = VERIFY_USE_SECONDARY_KEYRING;
#else
		keyring = NULL;
#endif
		key = search_trusted_key(keyring, &key_type_asymmetric, name);
	}
#endif  /* CONFIG_IMA_DIGEST_LIST */
	if (IS_ERR(key)) {
		if (keyring)
			pr_err_ratelimited("Request for unknown key '%s' in '%s' keyring. err %ld\n",
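Review bot: The fallback overwrites the `keyring` parameter, and the error path directly after it still branches on `if (keyring)` to print the keyring name. With CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY set, a failed lookup leaves `keyring` equal to `VERIFY_USE_SECONDARY_KEYRING`, which is a sentinel pointer value and not a real `struct key`. The arguments of that `pr_err_ratelimited()` lie outside the hunk, but if they read `keyring->description`, as the `'%s' keyring` format suggests, the sentinel is dereferenced; in the other configuration the message loses the name of the keyring that was originally searched. Pass the fallback directly instead of reassigning: `key = search_trusted_key(IS_ENABLED(CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) ? VERIFY_USE_SECONDARY_KEYRING : NULL, &key_type_asymmetric, name);`. A comment above the block should also state that a key missing from the IMA/EVM keyring is now accepted from the built-in (and optionally secondary) trusted keyrings for whatever callers reach request_asymmetric_key(), so that this widening of the trust set is an explicit, reviewable decision.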