Commit ee32635f authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx

KEYS: Introduce load_pgp_public_keyring()

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

-------------------------------------------------

Preload PGP keys from 'pubring.gpg', placed in certs/ of the kernel source
directory.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Tianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
parent e8c01f29
+7 −0
@@ -138,4 +138,11 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE
	  keyring.  The PKCS#7 signature of the description is set in the key
	  payload.  Blacklist keys cannot be removed.

config PGP_PRELOAD_PUBLIC_KEYS
	bool "Preload PGP public keys"
	select PGP_PRELOAD
	default n
	help
	  Provide a keyring of PGP public keys.

endmenu
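Review bot: The help text for `PGP_PRELOAD_PUBLIC_KEYS` ("Provide a keyring of PGP public keys.") does not say where the keys come from or which keyring receives them. Elsewhere in this commit the data is embedded from `certs/pubring.gpg` at build time and passed to `preload_pgp_keys()` with `builtin_trusted_keys` as the target, so whoever controls that file at build time decides which keys land in that keyring. I would spell that out in the help, e.g. `Embed the PGP public keys from certs/pubring.gpg in the kernel image and load them into the builtin trusted keyring at boot. If the file is absent no keys are embedded.` `default n` is already the Kconfig default and can be dropped.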
+7 −0
@@ -65,6 +65,13 @@ endif # CONFIG_MODULE_SIG_KEY

$(obj)/system_certificates.o: $(obj)/signing_key.x509

ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
ifeq ($(shell ls $(srctree)/certs/pubring.gpg 2> /dev/null), $(srctree)/certs/pubring.gpg)
AFLAGS_system_certificates.o += -DHAVE_PUBRING_GPG
$(obj)/system_certificates.o: $(srctree)/certs/pubring.gpg
endif
endif

PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
ifdef PKCS11_URI
$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
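Review bot: With CONFIG_PGP_PRELOAD_PUBLIC_KEYS enabled and no `certs/pubring.gpg` in the source tree, the `ifeq` on the `ls` output is false and the build succeeds without `-DHAVE_PUBRING_GPG`, so the image carries an empty PGP key list and nothing in the build log says so. Someone who enabled the option expecting their keys to be trusted gets no signal until a verification fails at run time. I would test for the file with `ifneq ($(wildcard $(srctree)/certs/pubring.gpg),)` instead of shelling out to `ls`, and add an `else` branch with `$(warning CONFIG_PGP_PRELOAD_PUBLIC_KEYS is set but certs/pubring.gpg is missing)`, or `$(error ...)` if an empty keyring should never be built.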
+20 −0
@@ -44,3 +44,23 @@ module_cert_size:
#else
	.long __module_cert_end - __module_cert_start
#endif
#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS

	.align 8
	.globl pgp_public_keys
pgp_public_keys:
__pgp_key_list_start:
#ifdef HAVE_PUBRING_GPG
	.incbin "certs/pubring.gpg"
#endif
__pgp_key_list_end:

	.align 8
	.globl pgp_public_keys_size
pgp_public_keys_size:
#ifdef CONFIG_64BIT
	.quad __pgp_key_list_end - __pgp_key_list_start
#else
	.long __pgp_key_list_end - __pgp_key_list_start
#endif
#endif
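Review bot: The `.incbin "certs/pubring.gpg"` path is relative, while the Makefile part of this commit tests for and depends on `$(srctree)/certs/pubring.gpg`. In a build with a separate output directory these may not resolve to the same file, so HAVE_PUBRING_GPG could be defined while the assembler fails to find the file or picks up a different one; I have not checked the include path Kbuild passes to the assembler here, so this needs confirming. Having the Makefile pass the resolved path and using that in `.incbin` would keep both sides on the same file. A one-line comment above `pgp_public_keys:` saying the list is intentionally empty (size 0) when HAVE_PUBRING_GPG is undefined would help readers; the section these labels are placed in is selected above the hunk.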
+23 −0
@@ -11,6 +11,9 @@
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/slab.h>
#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
#include <linux/pgp.h>
#endif
#include <linux/uidgid.h>
#include <linux/verification.h>
#include <keys/asymmetric-type.h>
@@ -294,6 +297,26 @@ static __init int load_system_certificate_list(void)
	return x509_load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);
#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
extern __initconst const u8 pgp_public_keys[];
extern __initconst const unsigned long pgp_public_keys_size;

/*
 * Load a list of PGP keys.
 */
static __init int load_pgp_public_keyring(void)
{
	pr_notice("Load PGP public keys\n");

	if (preload_pgp_keys(pgp_public_keys,
			     pgp_public_keys_size,
			     builtin_trusted_keys) < 0)
		pr_err("Can't load PGP public keys\n");

	return 0;
}
late_initcall(load_pgp_public_keyring);
#endif /* CONFIG_PGP_PRELOAD_PUBLIC_KEYS */

#ifdef CONFIG_SYSTEM_DATA_VERIFICATION