IMA: Use the the system trusted keyrings instead of .ima_mok

#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted

#endif

#ifdef CONFIG_IMA_MOK_KEYRING

extern struct key *ima_mok_keyring;

#ifdef CONFIG_IMA_BLACKLIST_KEYRING

extern struct key *ima_blacklist_keyring;

static inline struct key *get_ima_mok_keyring(void)

{

	return ima_mok_keyring;

}

static inline struct key *get_ima_blacklist_keyring(void)

{

	return ima_blacklist_keyring;

}

#else

static inline struct key *get_ima_mok_keyring(void)

{

	return NULL;

}

static inline struct key *get_ima_blacklist_keyring(void)

{

	return NULL;

}

#endif /* CONFIG_IMA_MOK_KEYRING */

#endif /* CONFIG_IMA_BLACKLIST_KEYRING */

#endif /* _KEYS_SYSTEM_KEYRING_H */

static bool init_keyring __initdata;

#endif

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

/*

 * Restrict the addition of keys into the IMA keyring.

 *

 * Any key that needs to go in .ima keyring must be signed by CA in

 * either .system or .ima_mok keyrings.

 */

static int restrict_link_by_ima_mok(struct key *keyring,

				    const struct key_type *type,

				    const union key_payload *payload)

{

	int ret;

	ret = restrict_link_by_builtin_trusted(keyring, type, payload);

	if (ret != -ENOKEY)

		return ret;

	return restrict_link_by_signature(get_ima_mok_keyring(),

					  type, payload);

}

#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted

#else

/*

 * If there's no system trusted keyring, then keys cannot be loaded into

 * .ima_mok and added keys cannot be marked trusted.

 */

#define restrict_link_by_ima_mok restrict_link_reject

#define restrict_link_to_ima restrict_link_by_builtin_trusted

#endif

int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,

				     KEY_USR_VIEW | KEY_USR_READ |

				     KEY_USR_WRITE | KEY_USR_SEARCH),

				    KEY_ALLOC_NOT_IN_QUOTA,

				    restrict_link_by_ima_mok, NULL);

				    restrict_link_to_ima, NULL);

	if (IS_ERR(keyring[id])) {

		err = PTR_ERR(keyring[id]);

		pr_info("Can't allocate %s keyring (%d)\n",

	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_MOK_KEYRING

	bool "Create IMA machine owner keys (MOK) and blacklist keyrings"

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY

	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"

	depends on SYSTEM_TRUSTED_KEYRING

	depends on SECONDARY_TRUSTED_KEYRING

	depends on INTEGRITY_ASYMMETRIC_KEYS

	select INTEGRITY_TRUSTED_KEYRING

	default n

	help

	  Keys may be added to the IMA or IMA blacklist keyrings, if the

	  key is validly signed by a CA cert in the system built-in or

	  secondary trusted keyrings.

	  Intermediate keys between those the kernel has compiled in and the

	  IMA keys to be added may be added to the system secondary keyring,

	  provided they are validly signed by a key already resident in the

	  built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING

	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"

	depends on SYSTEM_TRUSTED_KEYRING

	depends on IMA_TRUSTED_KEYRING

	default n

	help

	   This option creates IMA MOK and blacklist keyrings.  IMA MOK is an

	   intermediate keyring that sits between .system and .ima keyrings,

	   effectively forming a simple CA hierarchy.  To successfully import a

	   key into .ima_mok it must be signed by a key which CA is in .system

	   keyring.  On turn any key that needs to go in .ima keyring must be

	   signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty

	   at kernel boot.

	   IMA blacklist keyring contains all revoked IMA keys.  It is consulted

	   before any other keyring.  If the search is successful the requested

	   operation is rejected and error is returned to the caller.

	   This option creates an IMA blacklist keyring, which contains all

	   revoked IMA keys.  It is consulted before any other keyring.  If

	   the search is successful the requested operation is rejected and

	   an error is returned to the caller.

config IMA_LOAD_X509

	bool "Load X509 certificate onto the '.ima' trusted keyring"

ima-y := ima_fs.o ima_queue.o ima_init.o ima_main.o ima_crypto.o ima_api.o \

	 ima_policy.o ima_template.o ima_template_lib.o

ima-$(CONFIG_IMA_APPRAISE) += ima_appraise.o

obj-$(CONFIG_IMA_MOK_KEYRING) += ima_mok.o

obj-$(CONFIG_IMA_BLACKLIST_KEYRING) += ima_mok.o

#include <keys/system_keyring.h>

struct key *ima_mok_keyring;

struct key *ima_blacklist_keyring;

/*

 * Allocate the IMA MOK and blacklist keyrings

 * Allocate the IMA blacklist keyring

 */

__init int ima_mok_init(void)

{

	pr_notice("Allocating IMA MOK and blacklist keyrings.\n");

	ima_mok_keyring = keyring_alloc(".ima_mok",

			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |

			      KEY_USR_VIEW | KEY_USR_READ |

			      KEY_USR_WRITE | KEY_USR_SEARCH,

			      KEY_ALLOC_NOT_IN_QUOTA,

			      restrict_link_by_builtin_trusted, NULL);

	pr_notice("Allocating IMA blacklist keyring.\n");

	ima_blacklist_keyring = keyring_alloc(".ima_blacklist",

				KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

				KEY_ALLOC_NOT_IN_QUOTA,

				restrict_link_by_builtin_trusted, NULL);

	if (IS_ERR(ima_mok_keyring) || IS_ERR(ima_blacklist_keyring))

		panic("Can't allocate IMA MOK or blacklist keyrings.");

	if (IS_ERR(ima_blacklist_keyring))

		panic("Can't allocate IMA blacklist keyring.");

	set_bit(KEY_FLAG_KEEP, &ima_blacklist_keyring->flags);

	return 0;