From: Roberto Sassu roberto.sassu@huawei.com
euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M CVE: NA
-------------------------------------------------
Preload PGP keys from 'pubring.gpg', placed in certs/ of the kernel source directory.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Tianxing Zhang zhangtianxing3@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com Signed-off-by: zhoushuiqing zhoushuiqing2@huawei.com --- certs/Kconfig | 7 +++++++ certs/Makefile | 7 +++++++ certs/system_certificates.S | 18 ++++++++++++++++++ certs/system_keyring.c | 22 ++++++++++++++++++++++ 4 files changed, 54 insertions(+)
diff --git a/certs/Kconfig b/certs/Kconfig index 1f109b070877..3038adbaf58d 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -138,4 +138,11 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE keyring. The PKCS#7 signature of the description is set in the key payload. Blacklist keys cannot be removed.
+config PGP_PRELOAD_PUBLIC_KEYS + bool "Preload PGP public keys" + select PGP_PRELOAD + default n + help + Provide a keyring of PGP public keys. + endmenu diff --git a/certs/Makefile b/certs/Makefile index 799ad7b9e68a..ab6da6f4e953 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -65,6 +65,13 @@ endif # CONFIG_MODULE_SIG_KEY
$(obj)/system_certificates.o: $(obj)/signing_key.x509
+ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS +ifeq ($(shell ls $(srctree)/certs/pubring.gpg 2> /dev/null), $(srctree)/certs/pubring.gpg) +system_certificates.o += -DHAVE_PUBRING_GPG +$(obj)/system_certificates.o: $(srctree)/certs/pubring.gpg +endif +endif + PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)) ifdef PKCS11_URI $(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI) diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 003e25d4a17e..b3cbf0811e3f 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -44,3 +44,21 @@ module_cert_size: #else .long __module_cert_end - __module_cert_start #endif + + .align 8 + .globl pgp_public_keys +pgp_public_keys: +__pgp_key_list_start: +#ifdef HAVE_PUBRING_GPG + .incbin "certs/pubring.gpg" +#endif +__pgp_key_list_end: + + .align 8 + .globl pgp_public_keys_size +pgp_public_keys_size: +#ifdef CONFIG_64BIT + .quad __pgp_key_list_end - __pgp_key_list_start +#else + .long __pgp_key_list_end - __pgp_key_list_start +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index a7a49b17ceb1..da4a8b470cbb 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -11,6 +11,7 @@ #include <linux/cred.h> #include <linux/err.h> #include <linux/slab.h> +#include <linux/pgp.h> #include <linux/uidgid.h> #include <linux/verification.h> #include <keys/asymmetric-type.h> @@ -216,6 +217,27 @@ static __init int load_system_certificate_list(void) } late_initcall(load_system_certificate_list);
+#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS +extern __initconst const u8 pgp_public_keys[]; +extern __initconst const unsigned long pgp_public_keys_size; + +/* + * Load a list of PGP keys. + */ +static __init int load_pgp_public_keyring(void) +{ + pr_notice("Load PGP public keys\n"); + + if (preload_pgp_keys(pgp_public_keys, + pgp_public_keys_size, + builtin_trusted_keys) < 0) + pr_err("Can't load PGP public keys\n"); + + return 0; +} +late_initcall(load_pgp_public_keyring); +#endif /* CONFIG_PGP_PRELOAD_PUBLIC_KEYS */ + #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
/**