KEYS: Separate the kernel signature checking keyring from module signing

/* System keyring containing trusted public keys.

 *

 * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.

 * Written by David Howells (dhowells@redhat.com)

 *

 * This program is free software; you can redistribute it and/or

 * modify it under the terms of the GNU General Public Licence

 * as published by the Free Software Foundation; either version

 * 2 of the Licence, or (at your option) any later version.

 */

#ifndef _KEYS_SYSTEM_KEYRING_H

#define _KEYS_SYSTEM_KEYRING_H

#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING

#include <linux/key.h>

extern struct key *system_trusted_keyring;

#endif

#endif /* _KEYS_SYSTEM_KEYRING_H */

	default 0 if BASE_FULL

	default 1 if !BASE_FULL

config SYSTEM_TRUSTED_KEYRING

	bool "Provide system-wide ring of trusted keys"

	depends on KEYS

	help

	  Provide a system keyring to which trusted keys can be added.  Keys in

	  the keyring are considered to be trusted.  Keys may be added at will

	  by the kernel from compiled-in data and from hardware key stores, but

	  userspace may only add extra keys if those keys can be verified by

	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

menuconfig MODULES

	bool "Enable loadable module support"

	option modules

config MODULE_SIG

	bool "Module signature verification"

	depends on MODULES

	select SYSTEM_TRUSTED_KEYRING

	select KEYS

	select CRYPTO

	select ASYMMETRIC_KEY_TYPE

obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o

obj-$(CONFIG_PROVE_LOCKING) += spinlock.o

obj-$(CONFIG_UID16) += uid16.o

obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o

obj-$(CONFIG_MODULES) += module.o

obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o

obj-$(CONFIG_MODULE_SIG) += module_signing.o

obj-$(CONFIG_KALLSYMS) += kallsyms.o

obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o

obj-$(CONFIG_KEXEC) += kexec.o

$(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE

	$(call if_changed,bc)

ifeq ($(CONFIG_MODULE_SIG),y)

###############################################################################

#

# Roll all the X.509 certificates that we can find together and pull them into

# the kernel.

# the kernel so that they get loaded into the system trusted keyring during

# boot.

#

# We look in the source root and the build root for all files whose name ends

# in ".x509".  Unfortunately, this will generate duplicate filenames, so we

# duplicates.

#

###############################################################################

ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)

X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509)

X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509

X509_CERTIFICATES := $(sort $(foreach CERT,$(X509_CERTIFICATES-y), \

endif

endif

kernel/modsign_certificate.o: $(obj)/x509_certificate_list

kernel/system_certificates.o: $(obj)/x509_certificate_list

quiet_cmd_x509certs  = CERTS   $@

      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@

      cmd_x509certs  = cat $(X509_CERTIFICATES) /dev/null >$@ $(foreach X509,$(X509_CERTIFICATES),; echo "  - Including cert $(X509)")

targets += $(obj)/x509_certificate_list

$(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list

	$(call if_changed,x509certs)

	@echo $(X509_CERTIFICATES) >$@

clean-files := x509_certificate_list .x509.list

endif

ifeq ($(CONFIG_MODULE_SIG),y)

###############################################################################

#

# If module signing is requested, say by allyesconfig, but a key has not been

 * 2 of the Licence, or (at your option) any later version.

 */

extern struct key *modsign_keyring;

extern int mod_verify_sig(const void *mod, unsigned long *_modlen);

#include <crypto/public_key.h>

#include <crypto/hash.h>

#include <keys/asymmetric-type.h>

#include <keys/system_keyring.h>

#include "module-internal.h"

/*

	pr_debug("Look up: \"%s\"\n", id);

	key = keyring_search(make_key_ref(modsign_keyring, 1),

	key = keyring_search(make_key_ref(system_trusted_keyring, 1),

			     &key_type_asymmetric, id);

	if (IS_ERR(key))

		pr_warn("Request for unknown module key '%s' err %ld\n",