
integrity: provide a function to load x509 certificate from the kernel

Provide the function to load x509 certificates from the kernel into the
integrity kernel keyring.

Changes in v2:
* configuration option removed
* function declared as '__init'

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

authored by

Dmitry Kasatkin and committed by
Mimi Zohar
65d543b2 e3c4abbf

+37 -1
+35 -1
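--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -14,7 +14,7 @@
 
 #include <linux/err.h>
 #include <linux/sched.h>
-#include <linux/rbtree.h>
+#include <linux/slab.h>
 #include <linux/cred.h>
 #include <linux/key-type.h>
 #include <linux/digsig.h>
@@ -83,4 +83,38 @@
 		keyring[id] = NULL;
 	}
 	return err;
+}
+
+int __init integrity_load_x509(const unsigned int id, char *path)
+{
+	key_ref_t key;
+	char *data;
+	int rc;
+
+	if (!keyring[id])
+		return -EINVAL;
+
+	rc = integrity_read_file(path, &data);
+	if (rc < 0)
+		return rc;
+
+	key = key_create_or_update(make_key_ref(keyring[id], 1),
+				   "asymmetric",
+				   NULL,
+				   data,
+				   rc,
+				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+				    KEY_USR_VIEW | KEY_USR_READ),
+				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED);
+	if (IS_ERR(key)) {
+		rc = PTR_ERR(key);
+		pr_err("Problem loading X.509 certificate (%d): %s\n",
+		       rc, path);
+	} else {
+		pr_notice("Loaded X.509 cert '%s': %s\n",
+			  key_ref_to_ptr(key)->description, path);
+		key_ref_put(key);
+	}
+	kfree(data);
+	return 0;
 }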
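Review bot: The key_create_or_update() failure branch stores PTR_ERR(key) in rc and logs it, but integrity_load_x509() then falls through to `return 0;`, so a caller cannot tell a rejected certificate from a successful load. If the failure is meant to be reported, end the function with `return rc;` and add `rc = 0;` in the success branch next to key_ref_put(); if the load is deliberately best-effort, a comment such as `/* best effort: a bad certificate is logged, not fatal */` above `return 0;` would stop the next reader from filing it as a bug. Separately, `path` is only handed to integrity_read_file() and printk, so `const char *path` (here and in the matching prototype in security/integrity/integrity.h) would be the stricter signature, assuming integrity_read_file(), which is outside this diff, accepts a const pointer. Because the payload is added with KEY_ALLOC_TRUSTED straight from a file, a one-line comment above the key_create_or_update() call noting that `path` must live on a filesystem trusted at __init time (e.g. the initramfs) would make that trust assumption explicit.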
+2
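--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -134,6 +134,7 @@
 			    const char *digest, int digestlen);
 
 int __init integrity_init_keyring(const unsigned int id);
+int __init integrity_load_x509(const unsigned int id, char *path);
 #else
 
 static inline int integrity_digsig_verify(const unsigned int id,
@@ -148,6 +149,7 @@
 {
 	return 0;
 }
+
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
 
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS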
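Review bot: The new integrity_load_x509() prototype at new line 137 is declared only on the CONFIG_INTEGRITY_SIGNATURE side of the `#ifdef`, while the `#else` branch, which the second hunk shows ending a `return 0;` stub for a sibling declaration, gains only a blank line. Any caller built without CONFIG_INTEGRITY_SIGNATURE would then hit an implicit declaration and an undefined reference, unless every caller is guarded by the same option (the callers are outside this diff). Adding a stub in the `#else` branch, placed where the new blank line goes, keeps the two halves of the header in step with how the existing stubs are handled.
```c
/* … unchanged: #else branch stubs up to the existing `return 0;` one … */
static inline int integrity_load_x509(const unsigned int id, char *path)
{
	return 0;
}
```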