From: Roberto Sassu <roberto.sassu@huawei.com> euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M CVE: NA ------------------------------------------------- This patch calls search_trusted_key() in request_asymmetric_key() if the key is not found in the IMA/EVM keyrings. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> Signed-off-by: Tianxing Zhang <zhangtianxing3@huawei.com> Reviewed-by: Jason Yan <yanaijie@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com> Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com> --- security/integrity/digsig_asymmetric.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c index 895f4b9ce8c6b..b0ccb20cd284e 100644 --- a/security/integrity/digsig_asymmetric.c +++ b/security/integrity/digsig_asymmetric.c @@ -9,6 +9,9 @@ #include <linux/err.h> #include <linux/ratelimit.h> #include <linux/key-type.h> +#ifdef CONFIG_IMA_DIGEST_LIST +#include <linux/verification.h> +#endif #include <crypto/public_key.h> #include <crypto/hash_info.h> #include <keys/asymmetric-type.h> @@ -54,6 +57,16 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) key = request_key(&key_type_asymmetric, name, NULL); } +#ifdef CONFIG_IMA_DIGEST_LIST + if (IS_ERR(key)) { +#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY + keyring = VERIFY_USE_SECONDARY_KEYRING; +#else + keyring = NULL; +#endif + key = search_trusted_key(keyring, &key_type_asymmetric, name); + } +#endif /* CONFIG_IMA_DIGEST_LIST */ if (IS_ERR(key)) { if (keyring) pr_err_ratelimited("Request for unknown key '%s' in '%s' keyring. err %ld\n", -- 2.33.0