From: Roberto Sassu roberto.sassu@huawei.com
euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M CVE: NA
-------------------------------------------------
Introduce search_trusted_key() to extend the key search to the primary or secondary built-in keyrings.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Tianxing Zhang zhangtianxing3@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com Signed-off-by: zhoushuiqing zhoushuiqing2@huawei.com --- certs/system_keyring.c | 23 +++++++++++++++++++++++ include/linux/verification.h | 7 +++++++ 2 files changed, 30 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 0ade1cf800f74..f2581da2b68c7 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -362,6 +362,29 @@ int verify_pkcs7_signature(const void *data, size_t len, } EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+#ifdef CONFIG_IMA_DIGEST_LIST +struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type, + char *name) +{ + key_ref_t kref; + + if (!trusted_keys) { + trusted_keys = builtin_trusted_keys; + } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) { +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + trusted_keys = secondary_trusted_keys; +#else + trusted_keys = builtin_trusted_keys; +#endif + } + kref = keyring_search(make_key_ref(trusted_keys, 1), type, name, true); + if (IS_ERR(kref)) + return ERR_CAST(kref); + + return key_ref_to_ptr(kref); +} +EXPORT_SYMBOL_GPL(search_trusted_key); +#endif /* CONFIG_IMA_DIGEST_LIST */ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING diff --git a/include/linux/verification.h b/include/linux/verification.h index f34e50ebcf60a..b01f813f45a8f 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -9,6 +9,9 @@ #define _LINUX_VERIFICATION_H
#include <linux/types.h> +#ifdef CONFIG_IMA_DIGEST_LIST +#include <linux/key.h> +#endif
/* * Indicate that both builtin trusted keys and secondary trusted keys @@ -68,5 +71,9 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen, enum key_being_used_for usage); #endif
+#ifdef CONFIG_IMA_DIGEST_LIST +struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type, + char *name); +#endif /* CONFIG_IMA_DIGEST_LIST */ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ #endif /* _LINUX_VERIFY_PEFILE_H */