certs: Add a secondary system keyring that can be added to dynamically

	  This is the number of bytes reserved in the kernel image for a

	  certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING

	bool "Provide a keyring to which extra trustable keys may be added"

	depends on SYSTEM_TRUSTED_KEYRING

	help

	  If set, provide a keyring to which extra keys may be added, provided

	  those keys are not blacklisted and are vouched for by a key built

	  into the kernel or already in the secondary trusted keyring.

endmenu

#include <keys/system_keyring.h>

#include <crypto/pkcs7.h>

static struct key *system_trusted_keyring;

static struct key *builtin_trusted_keys;

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

static struct key *secondary_trusted_keys;

#endif

extern __initconst const u8 system_certificate_list[];

extern __initconst const unsigned long system_certificate_list_size;

/**

 * restrict_link_by_builtin_trusted - Restrict keyring addition by system CA

 * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA

 *

 * Restrict the addition of keys into a keyring based on the key-to-be-added

 * being vouched for by a key in the system keyring.

 * being vouched for by a key in the built in system keyring.

 */

int restrict_link_by_builtin_trusted(struct key *keyring,

				     const struct key_type *type,

				     const union key_payload *payload)

{

	return restrict_link_by_signature(system_trusted_keyring,

					  type, payload);

	return restrict_link_by_signature(builtin_trusted_keys, type, payload);

}

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

/**

 * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring

 *   addition by both builtin and secondary keyrings

 *

 * Restrict the addition of keys into a keyring based on the key-to-be-added

 * being vouched for by a key in either the built-in or the secondary system

 * keyrings.

 */

int restrict_link_by_builtin_and_secondary_trusted(

	struct key *keyring,

	const struct key_type *type,

	const union key_payload *payload)

{

	/* If we have a secondary trusted keyring, then that contains a link

	 * through to the builtin keyring and the search will follow that link.

	 */

	if (type == &key_type_keyring &&

	    keyring == secondary_trusted_keys &&

	    payload == &builtin_trusted_keys->payload)

		/* Allow the builtin keyring to be added to the secondary */

		return 0;

	return restrict_link_by_signature(secondary_trusted_keys, type, payload);

}

#endif

/*

 * Load the compiled-in keys

 * Create the trusted keyrings

 */

static __init int system_trusted_keyring_init(void)

{

	pr_notice("Initialise system trusted keyring\n");

	pr_notice("Initialise system trusted keyrings\n");

	system_trusted_keyring =

		keyring_alloc(".system_keyring",

	builtin_trusted_keys =

		keyring_alloc(".builtin_trusted_keys",

			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),

			      KEY_ALLOC_NOT_IN_QUOTA,

			      restrict_link_by_builtin_trusted, NULL);

	if (IS_ERR(system_trusted_keyring))

		panic("Can't allocate system trusted keyring\n");

			      NULL, NULL);

	if (IS_ERR(builtin_trusted_keys))

		panic("Can't allocate builtin trusted keyring\n");

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

	secondary_trusted_keys =

		keyring_alloc(".secondary_trusted_keys",

			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

			       KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |

			       KEY_USR_WRITE),

			      KEY_ALLOC_NOT_IN_QUOTA,

			      restrict_link_by_builtin_and_secondary_trusted,

			      NULL);

	if (IS_ERR(secondary_trusted_keys))

		panic("Can't allocate secondary trusted keyring\n");

	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)

		panic("Can't link trusted keyrings\n");

#endif

	return 0;

}

		if (plen > end - p)

			goto dodgy_cert;

		key = key_create_or_update(make_key_ref(system_trusted_keyring, 1),

		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),

					   "asymmetric",

					   NULL,

					   p,

 * @len: Size of @data.

 * @raw_pkcs7: The PKCS#7 message that is the signature.

 * @pkcs7_len: The size of @raw_pkcs7.

 * @trusted_keys: Trusted keys to use (NULL for system_trusted_keyring).

 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,

 *					(void *)1UL for all trusted keys).

 * @usage: The use to which the key is being put.

 * @view_content: Callback to gain access to content.

 * @ctx: Context for callback.

	if (ret < 0)

		goto error;

	if (!trusted_keys)

		trusted_keys = system_trusted_keyring;

	if (!trusted_keys) {

		trusted_keys = builtin_trusted_keys;

	} else if (trusted_keys == (void *)1UL) {

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

		trusted_keys = secondary_trusted_keys;

#else

		trusted_keys = builtin_trusted_keys;

#endif

	}

	ret = pkcs7_validate_trust(pkcs7, trusted_keys);

	if (ret < 0) {

		if (ret == -ENOKEY)

#define restrict_link_by_builtin_trusted restrict_link_reject

#endif

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

extern int restrict_link_by_builtin_and_secondary_trusted(

	struct key *keyring,

	const struct key_type *type,

	const union key_payload *payload);

#else

#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted

#endif

#ifdef CONFIG_IMA_MOK_KEYRING

extern struct key *ima_mok_keyring;

extern struct key *ima_blacklist_keyring;