Commit e6f0bf09 authored by Linus Torvalds's avatar Linus Torvalds
Pull IMA updates from Mimi Zohar:
 "In addition to loading the kernel module signing key onto the builtin
  keyring, load it onto the IMA keyring as well.

  Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
  ima: Fix fall-through warnings for Clang
  integrity: Add declarations to init_once void arguments.
  ima: Fix function name error in comment.
  ima: enable loading of build time generated key on .ima keyring
  ima: enable signing of modules with build time generated key
  keys: cleanup build time module signing keys
  ima: Fix the error code for restoring the PCR value
  ima: without an IMA policy loaded, return quickly
parents 10a3efd0 781a5739
+3 −3
@@ -1507,9 +1507,9 @@ MRPROPER_FILES += include/config include/generated \
		  debian snap tar-install \
		  .config .config.old .version \
		  Module.symvers \
		  signing_key.pem signing_key.priv signing_key.x509	\
		  x509.genkey extra_certificates signing_key.x509.keyid	\
		  signing_key.x509.signer vmlinux-gdb.py \
		  certs/signing_key.pem certs/signing_key.x509 \
		  certs/x509.genkey \
		  vmlinux-gdb.py \
		  *.spec

# Directories & files removed with 'make distclean'
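Review bot: Dropping the legacy top-level entries (signing_key.pem, signing_key.priv, signing_key.x509, x509.genkey, extra_certificates, signing_key.x509.keyid, signing_key.x509.signer) from MRPROPER_FILES means `make mrproper` no longer removes them, so a tree that still carries those files from an older build keeps a stale private key around after cleaning. If those locations are considered dead long enough to drop, a one-line comment above the list such as `# Build-time signing key now lives under certs/; pre-certs/ paths are no longer cleaned` would stop a reader from re-adding them, otherwise keep the old entries alongside the new `certs/` ones for a release. The MRPROPER_FILES assignment starts before the hunk.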
+1 −1
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
         Provide the file name of a private key/certificate in PEM format,
         or a PKCS#11 URI according to RFC7512. The file should contain, or
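Review bot: The help text under the new `depends on MODULE_SIG || (IMA_APPRAISE_MODSIG &amp;&amp; MODULES)` still describes MODULE_SIG_KEY purely as the module signing key, yet the option is now offered when only IMA_APPRAISE_MODSIG and MODULES are set, where per the commit message the same key is loaded onto the .ima keyring. Add a sentence to the help block such as `When IMA_APPRAISE_MODSIG is enabled without MODULE_SIG, this key is also used to sign modules for IMA appraisal and is loaded onto the IMA keyring.` so that someone configuring only IMA understands why a signing key is generated. The help block continues outside the hunk.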
+10 −0
@@ -33,6 +33,16 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
clean-files := x509_certificate_list .x509.list x509_revocation_list

ifeq ($(CONFIG_MODULE_SIG),y)
	SIGN_KEY = y
endif

ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
ifeq ($(CONFIG_MODULES),y)
	SIGN_KEY = y
endif
endif

ifdef SIGN_KEY
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been
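Review bot: The condition "MODULE_SIG, or IMA_APPRAISE_MODSIG with MODULES" is now spelled out independently in three places — the SIGN_KEY block here, the `depends on` line in certs/Kconfig, and the `#if defined(...)` in certs/system_certificates.S — with nothing tying them together, so a later edit to one of them silently desynchronises key generation from what gets linked into the certificate list. Add a comment above the first `ifeq`, such as `# Keep in sync with the MODULE_SIG_KEY dependency in certs/Kconfig and the #if in certs/system_certificates.S`, or better fold the condition into one Kconfig symbol that all three consume. The nested `ifeq` pair could also collapse to `ifeq ($(CONFIG_IMA_APPRAISE_MODSIG)$(CONFIG_MODULES),yy)`, which reads closer to the Kconfig expression.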
+13 −1
@@ -8,9 +8,12 @@
	.globl system_certificate_list
system_certificate_list:
__cert_list_start:
#ifdef CONFIG_MODULE_SIG
__module_cert_start:
#if defined(CONFIG_MODULE_SIG) || (defined(CONFIG_IMA_APPRAISE_MODSIG) \
			       && defined(CONFIG_MODULES))
	.incbin "certs/signing_key.x509"
#endif
__module_cert_end:
	.incbin "certs/x509_certificate_list"
__cert_list_end:

@@ -35,3 +38,12 @@ system_certificate_list_size:
#else
	.long __cert_list_end - __cert_list_start
#endif

	.align 8
	.globl module_cert_size
module_cert_size:
#ifdef CONFIG_64BIT
	.quad __module_cert_end - __module_cert_start
#else
	.long __module_cert_end - __module_cert_start
#endif
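Review bot: Nothing in this file documents that the build-time module certificate must be the first entry of system_certificate_list, although the new `module_cert_size` only makes sense under that layout: the C side skips the certificate by offset with `system_certificate_list + module_cert_size`, and the symbol is 0 when neither configuration includes the `.incbin`. A short comment above `__module_cert_start:` such as `/* Build-time module signing cert, if any, must come first: system_keyring.c skips it by module_cert_size. */` would make the ordering contract explicit before someone inserts another `.incbin` ahead of it.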
+23 −2
@@ -28,6 +28,7 @@ static struct key *platform_trusted_keys;

extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
extern __initconst const unsigned long module_cert_size;

/**
 * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
@@ -133,15 +134,35 @@ static __init int system_trusted_keyring_init(void)
 */
device_initcall(system_trusted_keyring_init);

__init int load_module_cert(struct key *keyring)
{
	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
		return 0;

	pr_notice("Loading compiled-in module X.509 certificates\n");

	return load_certificate_list(system_certificate_list, module_cert_size, keyring);
}

/*
 * Load the compiled-in list of X.509 certificates.
 */
static __init int load_system_certificate_list(void)
{
	const u8 *p;
	unsigned long size;

	pr_notice("Loading compiled-in X.509 certificates\n");

	return load_certificate_list(system_certificate_list, system_certificate_list_size,
				     builtin_trusted_keys);
#ifdef CONFIG_MODULE_SIG
	p = system_certificate_list;
	size = system_certificate_list_size;
#else
	p = system_certificate_list + module_cert_size;
	size = system_certificate_list_size - module_cert_size;
#endif

	return load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);
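Review bot: `load_module_cert` is a new non-static `__init` entry point with no kernel-doc, while this file documents its other external functions with `/** ... */` blocks (restrict_link_to_builtin_trusted just above the first hunk). Add a kernel-doc comment stating that it loads the build-time module signing certificate — the leading `module_cert_size` bytes of `system_certificate_list` — onto @keyring, returns 0 without doing anything unless CONFIG_IMA_APPRAISE_MODSIG is set, and otherwise returns whatever load_certificate_list returns. In `load_system_certificate_list` the new `#else` branch deliberately keeps the module certificate out of builtin_trusted_keys when CONFIG_MODULE_SIG is off — presumably so the key is trusted only by the IMA keyring in that configuration — and a one-line comment saying so would stop the next reader from treating it as an omission. As a style point, the same hunk mixes `IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)` with a preprocessor `#ifdef CONFIG_MODULE_SIG`; initialising `p`/`size` and adjusting them under `if (!IS_ENABLED(CONFIG_MODULE_SIG))` would keep both functions in one idiom.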
