certs: Add EFI_CERT_X509_GUID support for dbx entries (e20b90e4) · Commits · e / devices / android_kernel_fairphone_FP5

certs/Kconfig

+9 −0

Original line number	Diff line number	Diff line
		@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
		wrapper to incorporate the list into the kernel. Each <hash> should
		be a string of hex digits.

		config SYSTEM_REVOCATION_LIST
		bool "Provide system-wide ring of revocation certificates"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on PKCS7_MESSAGE_PARSER=y
		help
		If set, this allows revocation certificates to be stored in the
		blacklist keyring and implements a hook whereby a PKCS#7 message can
		be checked to see if it matches such a certificate.

		endmenu

+43 −0

Original line number	Diff line number	Diff line
		@@ -144,6 +144,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
		}
		EXPORT_SYMBOL_GPL(is_binary_blacklisted);

		#ifdef CONFIG_SYSTEM_REVOCATION_LIST
		/**
		* add_key_to_revocation_list - Add a revocation certificate to the blacklist
		* @data: The data blob containing the certificate
		* @size: The size of data blob
		*/
		int add_key_to_revocation_list(const char *data, size_t size)
		{
		key_ref_t key;

		key = key_create_or_update(make_key_ref(blacklist_keyring, true),
		"asymmetric",
		NULL,
		data,
		size,
		((KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_VIEW),
		KEY_ALLOC_NOT_IN_QUOTA \| KEY_ALLOC_BUILT_IN);

		if (IS_ERR(key)) {
		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
		return PTR_ERR(key);
		}

		return 0;
		}

		/**
		* is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
		* @pkcs7: The PKCS#7 message to check
		*/
		int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
		{
		int ret;

		ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);

		if (ret == 0)
		return -EKEYREJECTED;

		return -ENOKEY;
		}
		#endif

		/*
		* Initialise the blacklist
		*/

+2 −0

Original line number	Diff line number	Diff line
		#include <linux/kernel.h>
		#include <linux/errno.h>
		#include <crypto/pkcs7.h>

		extern const char __initconst *const blacklist_hashes[];

+6 −0

Original line number	Diff line number	Diff line
		@@ -241,6 +241,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
		pr_devel("PKCS#7 platform keyring is not available\n");
		goto error;
		}

		ret = is_key_on_revocation_list(pkcs7);
		if (ret != -ENOKEY) {
		pr_devel("PKCS#7 platform key is on revocation list\n");
		goto error;
		}
		}
		ret = pkcs7_validate_trust(pkcs7, trusted_keys);
		if (ret < 0) {

+15 −0

Original line number	Diff line number	Diff line
		@@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
		#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
		#endif

		extern struct pkcs7_message *pkcs7;
		#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
		extern int mark_hash_blacklisted(const char *hash);
		extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
		@@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
		}
		#endif

		#ifdef CONFIG_SYSTEM_REVOCATION_LIST
		extern int add_key_to_revocation_list(const char *data, size_t size);
		extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
		#else
		static inline int add_key_to_revocation_list(const char *data, size_t size)
		{
		return 0;
		}
		static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
		{
		return -ENOKEY;
		}
		#endif

		#ifdef CONFIG_IMA_BLACKLIST_KEYRING
		extern struct key *ima_blacklist_keyring;