hulk inclusion category: feature feature: digest-lists
---------------------------
Preload PGP keys from 'pubring.gpg', placed in certs/ of the kernel source directory.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- certs/Kconfig | 7 +++++++ certs/Makefile | 6 ++++++ certs/system_certificates.S | 18 ++++++++++++++++++ certs/system_keyring.c | 22 ++++++++++++++++++++++ 4 files changed, 53 insertions(+)
diff --git a/certs/Kconfig b/certs/Kconfig index c94e93d8bccf..71be583e55a4 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -83,4 +83,11 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each <hash> should be a string of hex digits.
+config PGP_PRELOAD_PUBLIC_KEYS + bool "Preload PGP public keys" + select PGP_PRELOAD + default n + help + Provide a keyring of PGP public keys. + endmenu diff --git a/certs/Makefile b/certs/Makefile index 5d0999b9e21b..5053e3c86c97 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -4,6 +4,12 @@ #
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS +ifneq ($(shell ls certs/pubring.gpg 2> /dev/null), certs/pubring.gpg) +$(shell touch certs/pubring.gpg) +endif +$(obj)/system_certificates.o: certs/pubring.gpg +endif obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 8f29058adf93..bcb7c4b4cc36 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -35,3 +35,21 @@ system_certificate_list_size: #else .long __cert_list_end - __cert_list_start #endif + + .align 8 + .globl pgp_public_keys +pgp_public_keys: +__pgp_key_list_start: +#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS + .incbin "certs/pubring.gpg" +#endif +__pgp_key_list_end: + + .align 8 + .globl pgp_public_keys_size +pgp_public_keys_size: +#ifdef CONFIG_64BIT + .quad __pgp_key_list_end - __pgp_key_list_start +#else + .long __pgp_key_list_end - __pgp_key_list_start +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d..bf118f34dc5c 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -15,6 +15,7 @@ #include <linux/cred.h> #include <linux/err.h> #include <linux/slab.h> +#include <linux/pgp.h> #include <linux/verification.h> #include <keys/asymmetric-type.h> #include <keys/system_keyring.h> @@ -188,6 +189,27 @@ static __init int load_system_certificate_list(void) } late_initcall(load_system_certificate_list);
+#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS +extern __initconst const u8 pgp_public_keys[]; +extern __initconst const unsigned long pgp_public_keys_size; + +/* + * Load a list of PGP keys. + */ +static __init int load_pgp_public_keyring(void) +{ + pr_notice("Load PGP public keys\n"); + + if (preload_pgp_keys(pgp_public_keys, + pgp_public_keys_size, + builtin_trusted_keys) < 0) + pr_err("Can't load PGP public keys\n"); + + return 0; +} +late_initcall(load_pgp_public_keyring); +#endif /* CONFIG_PGP_PRELOAD_PUBLIC_KEYS */ + #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
/**