From: Roberto Sassu roberto.sassu@huawei.com
Preload user asymmetric keys from 'uasym_keys.bin', placed in certs/ of the kernel source directory.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- certs/Kconfig | 11 ++++++++++ certs/Makefile | 7 +++++++ certs/system_certificates.S | 18 ++++++++++++++++ certs/system_keyring.c | 41 +++++++++++++++++++++++++++++++++++-- 4 files changed, 75 insertions(+), 2 deletions(-)
diff --git a/certs/Kconfig b/certs/Kconfig index 1f109b07087..16bbf0f4bb6 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -138,4 +138,15 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE keyring. The PKCS#7 signature of the description is set in the key payload. Blacklist keys cannot be removed.
+config UASYM_PRELOAD_PUBLIC_KEYS + bool "Preload user asymmetric keys" + depends on SYSTEM_TRUSTED_KEYRING + select UASYM_KEYS_SIGS + default n + help + Load at boot time the user asymmetric keys from a reserved area + (populated with the content of 'certs/uasym_keys.bin' provided at + kernel build time), and add them to the built-in keyring. Invalid + keys are ignored and the loading continues. + endmenu diff --git a/certs/Makefile b/certs/Makefile index 799ad7b9e68..2e5be6668a6 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -22,6 +22,13 @@ $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
targets += blacklist_hash_list
+ifdef CONFIG_UASYM_PRELOAD_PUBLIC_KEYS +ifeq ($(shell ls $(srctree)/certs/uasym_keys.bin 2> /dev/null), $(srctree)/certs/uasym_keys.bin) +AFLAGS_system_certificates.o += -DHAVE_UASYM_KEYRING_BLOB +$(obj)/system_certificates.o: $(srctree)/certs/uasym_keys.bin +endif +endif + quiet_cmd_extract_certs = CERT $@ cmd_extract_certs = $(obj)/extract-cert "$(extract-cert-in)" $@ extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs)) diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 003e25d4a17..67b7c5effb6 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -44,3 +44,21 @@ module_cert_size: #else .long __module_cert_end - __module_cert_start #endif + + .align 8 + .globl uasym_keys +uasym_keys: +__uasym_key_list_start: +#ifdef HAVE_UASYM_KEYRING_BLOB + .incbin "certs/uasym_keys.bin" +#endif +__uasym_key_list_end: + + .align 8 + .globl uasym_keys_size +uasym_keys_size: +#ifdef CONFIG_64BIT + .quad __uasym_key_list_end - __uasym_key_list_start +#else + .long __uasym_key_list_end - __uasym_key_list_start +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index dbee2e5b732..6035bd2f795 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -179,6 +179,31 @@ static __init int system_trusted_keyring_init(void) return 0; }
+#ifdef CONFIG_UASYM_PRELOAD_PUBLIC_KEYS +extern __initconst const u8 uasym_keys[]; +extern __initconst const unsigned long uasym_keys_size; + +/** + * load_uasym_keyring - Load user asymmetric keys from a keyring blob + * + * Load user asymmetric keys from a keyring blob. Halt the parsing if + * a parsing error is encountered. If parsing succeed, ignore invalid keys. + * + * Return: Zero on success or on failure (ignored). + */ +static __init int load_uasym_keyring(void) +{ + pr_notice("Loading compiled-in user asymmetric keys\n"); + + if (preload_uasym_keys(uasym_keys, uasym_keys_size, + builtin_trusted_keys) < 0) + pr_err("Can't load user asymmetric keys\n"); + + return 0; +} +late_initcall(load_uasym_keyring); +#endif /* CONFIG_UASYM_PRELOAD_PUBLIC_KEYS */ + /* * Must be initialised before we try and load the keys into the keyring. */ @@ -186,13 +211,25 @@ device_initcall(system_trusted_keyring_init);
__init int load_module_cert(struct key *keyring) { + int ret; + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) return 0;
pr_notice("Loading compiled-in module X.509 certificates\n");
- return x509_load_certificate_list(system_certificate_list, - module_cert_size, keyring); + ret = x509_load_certificate_list(system_certificate_list, + module_cert_size, keyring); +#ifdef CONFIG_UASYM_PRELOAD_PUBLIC_KEYS + if (!ret) { + pr_notice("Loading compiled-in user asymmetric keys\n"); + + ret = preload_uasym_keys(uasym_keys, uasym_keys_size, keyring); + if (ret < 0) + pr_err("Can't load user asymmetric keys\n"); + } +#endif + return ret; }
/*