From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sat, 1 May 2021 22:32:18 +0000 (-0700)
Subject: Merge tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar... 
X-Git-Tag: v5.15~1214
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=e6f0bf09f0669b3c2cd77fa906830123279a0a21;p=platform%2Fkernel%2Flinux-starfive.git

Merge tag 'integrity-v5.13' of git://git./linux/kernel/git/zohar/linux-integrity

Pull IMA updates from Mimi Zohar:
 "In addition to loading the kernel module signing key onto the builtin
  keyring, load it onto the IMA keyring as well.

  Also six trivial changes and bug fixes"

* tag 'integrity-v5.13' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: ensure IMA_APPRAISE_MODSIG has necessary dependencies
  ima: Fix fall-through warnings for Clang
  integrity: Add declarations to init_once void arguments.
  ima: Fix function name error in comment.
  ima: enable loading of build time generated key on .ima keyring
  ima: enable signing of modules with build time generated key
  keys: cleanup build time module signing keys
  ima: Fix the error code for restoring the PCR value
  ima: without an IMA policy loaded, return quickly
---

e6f0bf09f0669b3c2cd77fa906830123279a0a21
diff --cc certs/Makefile
index b6db52e,2f369d6..359239a
--- a/certs/Makefile
+++ b/certs/Makefile
@@@ -30,9 -29,19 +30,19 @@@ $(obj)/x509_certificate_list: scripts/e
  	$(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
  endif # CONFIG_SYSTEM_TRUSTED_KEYRING
  
 -clean-files := x509_certificate_list .x509.list
 +clean-files := x509_certificate_list .x509.list x509_revocation_list
  
  ifeq ($(CONFIG_MODULE_SIG),y)
+ 	SIGN_KEY = y
+ endif
+ 
+ ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ ifeq ($(CONFIG_MODULES),y)
+ 	SIGN_KEY = y
+ endif
+ endif
+ 
+ ifdef SIGN_KEY
  ###############################################################################
  #
  # If module signing is requested, say by allyesconfig, but a key has not been
diff --cc certs/system_keyring.c
index 0c9a479,2b3ad37..692365d
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,15 -133,88 +134,35 @@@ static __init int system_trusted_keyrin
   */
  device_initcall(system_trusted_keyring_init);
  
 -static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
 -{
 -	key_ref_t key;
 -	size_t plen;
 -
 -	while (p < end) {
 -		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
 -		 * than 256 bytes in size.
 -		 */
 -		if (end - p < 4)
 -			goto dodgy_cert;
 -		if (p[0] != 0x30 &&
 -		    p[1] != 0x82)
 -			goto dodgy_cert;
 -		plen = (p[2] << 8) | p[3];
 -		plen += 4;
 -		if (plen > end - p)
 -			goto dodgy_cert;
 -
 -		key = key_create_or_update(make_key_ref(keyring, 1),
 -					   "asymmetric",
 -					   NULL,
 -					   p,
 -					   plen,
 -					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 -					   KEY_USR_VIEW | KEY_USR_READ),
 -					   KEY_ALLOC_NOT_IN_QUOTA |
 -					   KEY_ALLOC_BUILT_IN |
 -					   KEY_ALLOC_BYPASS_RESTRICTION);
 -		if (IS_ERR(key)) {
 -			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
 -			       PTR_ERR(key));
 -		} else {
 -			pr_notice("Loaded X.509 cert '%s'\n",
 -				  key_ref_to_ptr(key)->description);
 -			key_ref_put(key);
 -		}
 -		p += plen;
 -	}
 -
 -	return 0;
 -
 -dodgy_cert:
 -	pr_err("Problem parsing in-kernel X.509 certificate list\n");
 -	return 0;
 -}
 -
+ __init int load_module_cert(struct key *keyring)
+ {
 -	const u8 *p, *end;
 -
+ 	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+ 		return 0;
+ 
+ 	pr_notice("Loading compiled-in module X.509 certificates\n");
+ 
 -	p = system_certificate_list;
 -	end = p + module_cert_size;
 -
 -	return load_cert(p, end, keyring);
++	return load_certificate_list(system_certificate_list, module_cert_size, keyring);
+ }
+ 
  /*
   * Load the compiled-in list of X.509 certificates.
   */
  static __init int load_system_certificate_list(void)
  {
 -	const u8 *p, *end;
++	const u8 *p;
+ 	unsigned long size;
+ 
  	pr_notice("Loading compiled-in X.509 certificates\n");
  
- 	return load_certificate_list(system_certificate_list, system_certificate_list_size,
- 				     builtin_trusted_keys);
+ #ifdef CONFIG_MODULE_SIG
+ 	p = system_certificate_list;
+ 	size = system_certificate_list_size;
+ #else
+ 	p = system_certificate_list + module_cert_size;
+ 	size = system_certificate_list_size - module_cert_size;
+ #endif
+ 
 -	end = p + size;
 -	return load_cert(p, end, builtin_trusted_keys);
++	return load_certificate_list(p, size, builtin_trusted_keys);
  }
  late_initcall(load_system_certificate_list);