
Commit b56e5a17 authored by David Howells

KEYS: Separate the kernel signature checking keyring from module signing



Separate the kernel signature checking keyring from module signing so that it
can be used by code other than the module-signing code.

Signed-off-by: David Howells <dhowells@redhat.com>
parent 0fbd39cf
+23 −0
/* System keyring containing trusted public keys.
 *
 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public Licence
 * as published by the Free Software Foundation; either version
 * 2 of the Licence, or (at your option) any later version.
 */

#ifndef _KEYS_SYSTEM_KEYRING_H
#define _KEYS_SYSTEM_KEYRING_H

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

#include <linux/key.h>

extern struct key *system_trusted_keyring;

#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */
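Review bot: The header exports `system_trusted_keyring` as a bare `struct key *` with no comment on how other code may use it, although the Kconfig help added in this commit says keys in it are considered trusted. A short comment above the declaration would state that contract, e.g. `/* Keys in this keyring are trusted for signature verification; callers should search it and must not link unverified keys into it. */`. Because the declaration exists only under `CONFIG_SYSTEM_TRUSTED_KEYRING`, each user that can be built without that option needs its own `#ifdef`, which is worth mentioning in the same comment.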
+13 −0
@@ -1668,6 +1668,18 @@ config BASE_SMALL
	default 0 if BASE_FULL
	default 1 if !BASE_FULL

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	help
	  Provide a system keyring to which trusted keys can be added.  Keys in
	  the keyring are considered to be trusted.  Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

menuconfig MODULES
	bool "Enable loadable module support"
	option modules
@@ -1741,6 +1753,7 @@ config MODULE_SRCVERSION_ALL
config MODULE_SIG
	bool "Module signature verification"
	depends on MODULES
	select SYSTEM_TRUSTED_KEYRING
	select KEYS
	select CRYPTO
	select ASYMMETRIC_KEY_TYPE
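Review bot: The help text for `SYSTEM_TRUSTED_KEYRING` states that userspace may only add keys that can be verified by keys already in the keyring, but the code that would enforce this is not in the file sections visible on this page. If that restriction is not implemented by this commit, the sentence reads as a guarantee the kernel does not yet give. It should then be reworded as intent (for example `userspace will only be permitted to add extra keys if ...`), or the enforcement confirmed in the keyring's setup code before the text is merged.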
+10 −5
@@ -54,8 +54,9 @@ obj-$(CONFIG_SMP) += spinlock.o
obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_KEXEC) += kexec.o
@@ -141,11 +142,11 @@ targets += timeconst.h
$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE
	$(call if_changed,bc)

ifeq ($(CONFIG_MODULE_SIG),y)
###############################################################################
#
# Roll all the X.509 certificates that we can find together and pull them into
# the kernel.
# the kernel so that they get loaded into the system trusted keyring during
# boot.
#
# We look in the source root and the build root for all files whose name ends
# in ".x509".  Unfortunately, this will generate duplicate filenames, so we
@@ -153,6 +154,7 @@ ifeq ($(CONFIG_MODULE_SIG),y)
# duplicates.
#
###############################################################################
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)
X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509
X509_CERTIFICATES := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \
@@ -169,10 +171,11 @@ $(shell rm $(obj)/.x509.list)
endif
endif

kernel/modsign_certificate.o: $(obj)/x509_certificate_list
kernel/system_certificates.o: $(obj)/x509_certificate_list

quiet_cmd_x509certs  = CERTS   $@
      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@
      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo "  - Including cert $(X509)")

targets += $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list
	$(call if_changed,x509certs)
@@ -182,7 +185,9 @@ $(obj)/.x509.list:
	@echo $(X509_CERTIFICATES) >$@

clean-files := x509_certificate_list .x509.list
endif

ifeq ($(CONFIG_MODULE_SIG),y)
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been
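Review bot: The certificate collection `$(wildcard *.x509) $(wildcard $(srctree)/*.x509)` now feeds a keyring intended for users beyond module signing, so any `.x509` file left in the source or build root becomes a compiled-in trusted key for all of them, and the banner comment does not say so. I would add a line to that comment such as `# Every certificate picked up here is trusted by all users of the system keyring, not only by module signing.` In `cmd_x509certs` the new listing is chained with `;`, so unless `if_changed` (defined outside this page) runs the command under `set -e`, a failing `cat` would be masked by the last `echo`; using `&& echo` inside the `$(foreach ...)` avoids relying on that.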
+0 −2
@@ -9,6 +9,4 @@
 * 2 of the Licence, or (at your option) any later version.
 */

extern struct key *modsign_keyring;

extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
+2 −1
@@ -14,6 +14,7 @@
#include <crypto/public_key.h>
#include <crypto/hash.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include "module-internal.h"

/*
@@ -157,7 +158,7 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,

	pr_debug("Look up: \"%s\"\n", id);

	key = keyring_search(make_key_ref(modsign_keyring, 1),
	key = keyring_search(make_key_ref(system_trusted_keyring, 1),
			     &key_type_asymmetric, id);
	if (IS_ERR(key))
		pr_warn("Request for unknown module key '%s' err %ld\n",
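Review bot: The lookup in `request_asymmetric_key()` now accepts any asymmetric key found in `system_trusted_keyring`, so a key placed there for some other purpose will also validate modules, and nothing at this call site records that widening. A comment above the `keyring_search()` call would help, e.g. `/* Any key in the system trusted keyring can vouch for a module; no per-purpose restriction is applied here. */`. Whether additions to that keyring are restricted is decided in files not shown on this page, so that should be confirmed there. The function's body starts and ends outside the hunk.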