From: Roberto Sassu roberto.sassu@huawei.com
euleros inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M CVE: NA
-------------------------------------------------
Introduce search_trusted_key() to extend the key search to the primary or secondary built-in keyrings.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com Signed-off-by: Tianxing Zhang zhangtianxing3@huawei.com Reviewed-by: Jason Yan yanaijie@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com Signed-off-by: zhoushuiqing zhoushuiqing2@huawei.com --- certs/system_keyring.c | 22 ++++++++++++++++++++++ include/linux/verification.h | 4 ++++ 2 files changed, 26 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index da4a8b470cbb..e9770f4e5449 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -361,6 +361,28 @@ int verify_pkcs7_signature(const void *data, size_t len, } EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type, + char *name) +{ + key_ref_t kref; + + if (!trusted_keys) { + trusted_keys = builtin_trusted_keys; + } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) { +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + trusted_keys = secondary_trusted_keys; +#else + trusted_keys = builtin_trusted_keys; +#endif + } + kref = keyring_search(make_key_ref(trusted_keys, 1), type, name, true); + if (IS_ERR(kref)) + return ERR_CAST(kref); + + return key_ref_to_ptr(kref); +} +EXPORT_SYMBOL_GPL(search_trusted_key); + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING diff --git a/include/linux/verification.h b/include/linux/verification.h index f34e50ebcf60..4eac691f82b6 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -9,6 +9,7 @@ #define _LINUX_VERIFICATION_H
#include <linux/types.h> +#include <linux/key.h>
/* * Indicate that both builtin trusted keys and secondary trusted keys @@ -68,5 +69,8 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen, enum key_being_used_for usage); #endif
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type, + char *name); + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ #endif /* _LINUX_VERIFY_PEFILE_H */