hulk inclusion category: feature feature: digest-lists
---------------------------
Introduce search_trusted_key() to extend the key search to the primary or secondary built-in keyrings.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- certs/system_keyring.c | 22 ++++++++++++++++++++++ include/linux/verification.h | 5 +++++ 2 files changed, 27 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index bf118f34dc5c..33ddd8ce1c97 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -287,4 +287,26 @@ int verify_pkcs7_signature(const void *data, size_t len,
 }
 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+ char *name)
+{
+ key_ref_t kref;
+
+ if (!trusted_keys) {
+ trusted_keys = builtin_trusted_keys;
+ } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ trusted_keys = secondary_trusted_keys;
+#else
+ trusted_keys = builtin_trusted_keys;
+#endif
+ }
+ kref = keyring_search(make_key_ref(trusted_keys, 1), type, name);
+ if (IS_ERR(kref))
+ return ERR_CAST(kref);
+
+ return key_ref_to_ptr(kref);
+}
+EXPORT_SYMBOL_GPL(search_trusted_key);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
diff --git a/include/linux/verification.h b/include/linux/verification.h
index cfa4730d607a..6aaf06c83daa 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -12,6 +12,8 @@
 #ifndef _LINUX_VERIFICATION_H
 #define _LINUX_VERIFICATION_H
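Review bot: search_trusted_key() in certs/system_keyring.c has no comment stating its return contract, and callers need one to handle the key safely: the pointer comes from keyring_search(), which returns a key with a reference held, and failure is reported as an ERR_PTR() value rather than NULL. I would add a kernel-doc block above the definition saying that a NULL `trusted_keys` selects the built-in keyring, that VERIFY_USE_SECONDARY_KEYRING selects the secondary keyring when CONFIG_SECONDARY_TRUSTED_KEYRING is set and falls back to the built-in one otherwise, and that the caller must test the result with `IS_ERR()` and release it with `key_put()`. `name` is only passed on to keyring_search(), so `const char *name` would fit better in both the definition and the prototype added to include/linux/verification.h. Any other non-NULL `trusted_keys` value is handed to make_key_ref() as a real keyring pointer, so if this tree defines further sentinel values next to VERIFY_USE_SECONDARY_KEYRING they should be rejected explicitly before the search.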
+#include <linux/key.h>
+
 /*
 * Indicate that both builtin trusted keys and secondary trusted keys
 * should be used.
@@ -51,5 +53,8 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
 enum key_being_used_for usage);
 #endif
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+ char *name);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 #endif /* _LINUX_VERIFY_PEFILE_H */