Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...
authorLinus Torvalds <torvalds@linux-foundation.org>
Sat, 1 May 2021 22:32:18 +0000 (15:32 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sat, 1 May 2021 22:32:18 +0000 (15:32 -0700)
Pull IMA updates from Mimi Zohar:
 "In addition to loading the kernel module signing key onto the builtin
  keyring, load it onto the IMA keyring as well.

  Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
  ima: Fix fall-through warnings for Clang
  integrity: Add declarations to init_once void arguments.
  ima: Fix function name error in comment.
  ima: enable loading of build time generated key on .ima keyring
  ima: enable signing of modules with build time generated key
  keys: cleanup build time module signing keys
  ima: Fix the error code for restoring the PCR value
  ima: without an IMA policy loaded, return quickly

1  2 
Makefile
certs/Kconfig
certs/Makefile
certs/system_keyring.c
include/keys/system_keyring.h
init/Kconfig
security/integrity/ima/ima_main.c

diff --cc Makefile
Simple merge
diff --cc certs/Kconfig
Simple merge
diff --cc certs/Makefile
@@@ -30,9 -29,19 +30,19 @@@ $(obj)/x509_certificate_list: scripts/e
        $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
  endif # CONFIG_SYSTEM_TRUSTED_KEYRING
  
 -clean-files := x509_certificate_list .x509.list
 +clean-files := x509_certificate_list .x509.list x509_revocation_list
  
  ifeq ($(CONFIG_MODULE_SIG),y)
+       SIGN_KEY = y
+ endif
+ ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ ifeq ($(CONFIG_MODULES),y)
+       SIGN_KEY = y
+ endif
+ endif
+ ifdef SIGN_KEY
  ###############################################################################
  #
  # If module signing is requested, say by allyesconfig, but a key has not been
@@@ -133,15 -133,88 +134,35 @@@ static __init int system_trusted_keyrin
   */
  device_initcall(system_trusted_keyring_init);
  
 -static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
 -{
 -      key_ref_t key;
 -      size_t plen;
 -
 -      while (p < end) {
 -              /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
 -               * than 256 bytes in size.
 -               */
 -              if (end - p < 4)
 -                      goto dodgy_cert;
 -              if (p[0] != 0x30 &&
 -                  p[1] != 0x82)
 -                      goto dodgy_cert;
 -              plen = (p[2] << 8) | p[3];
 -              plen += 4;
 -              if (plen > end - p)
 -                      goto dodgy_cert;
 -
 -              key = key_create_or_update(make_key_ref(keyring, 1),
 -                                         "asymmetric",
 -                                         NULL,
 -                                         p,
 -                                         plen,
 -                                         ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 -                                         KEY_USR_VIEW | KEY_USR_READ),
 -                                         KEY_ALLOC_NOT_IN_QUOTA |
 -                                         KEY_ALLOC_BUILT_IN |
 -                                         KEY_ALLOC_BYPASS_RESTRICTION);
 -              if (IS_ERR(key)) {
 -                      pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
 -                             PTR_ERR(key));
 -              } else {
 -                      pr_notice("Loaded X.509 cert '%s'\n",
 -                                key_ref_to_ptr(key)->description);
 -                      key_ref_put(key);
 -              }
 -              p += plen;
 -      }
 -
 -      return 0;
 -
 -dodgy_cert:
 -      pr_err("Problem parsing in-kernel X.509 certificate list\n");
 -      return 0;
 -}
 -
+ __init int load_module_cert(struct key *keyring)
+ {
 -      const u8 *p, *end;
 -
+       if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+               return 0;
+       pr_notice("Loading compiled-in module X.509 certificates\n");
 -      p = system_certificate_list;
 -      end = p + module_cert_size;
 -
 -      return load_cert(p, end, keyring);
++      return load_certificate_list(system_certificate_list, module_cert_size, keyring);
+ }
  /*
   * Load the compiled-in list of X.509 certificates.
   */
  static __init int load_system_certificate_list(void)
  {
 -      const u8 *p, *end;
++      const u8 *p;
+       unsigned long size;
        pr_notice("Loading compiled-in X.509 certificates\n");
  
-       return load_certificate_list(system_certificate_list, system_certificate_list_size,
-                                    builtin_trusted_keys);
+ #ifdef CONFIG_MODULE_SIG
+       p = system_certificate_list;
+       size = system_certificate_list_size;
+ #else
+       p = system_certificate_list + module_cert_size;
+       size = system_certificate_list_size - module_cert_size;
+ #endif
 -      end = p + size;
 -      return load_cert(p, end, builtin_trusted_keys);
++      return load_certificate_list(p, size, builtin_trusted_keys);
  }
  late_initcall(load_system_certificate_list);
  
Simple merge
diff --cc init/Kconfig
Simple merge
Simple merge