Re: [PATCH 2/2] [FIXED v2] Replace magic for trusting the secondary keyring with #define
From: Yannik Sembritzki
Date: Wed Aug 15 2018 - 18:07:48 EST
Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
---
Âarch/x86/kernel/kexec-bzimage64.cÂÂÂÂÂÂ | 2 +-
Âcerts/system_keyring.cÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ | 3 ++-
Âcrypto/asymmetric_keys/pkcs7_key_type.c | 2 +-
Âinclude/linux/verification.hÂÂÂÂÂÂÂÂÂÂÂ | 3 +++
Â4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/kexec-bzimage64.c
b/arch/x86/kernel/kexec-bzimage64.c
index 74628275..97d199a3 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
Âstatic int bzImage64_verify_sig(const char *kernel, unsigned long
kernel_len)
Â{
ÂÂÂ Âreturn verify_pefile_signature(kernel, kernel_len,
-ÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂÂ ((struct key *)1UL),
+ÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂÂ TRUST_SECONDARY_KEYRING,
ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂÂ VERIFYING_KEXEC_PE_SIGNATURE);
Â}
Â#endif
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 6251d1b2..777ac7d2 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -15,6 +15,7 @@
Â#include <linux/cred.h>
Â#include <linux/err.h>
Â#include <linux/slab.h>
+#include <linux/verification.h>
Â#include <keys/asymmetric-type.h>
Â#include <keys/system_keyring.h>
Â#include <crypto/pkcs7.h>
@@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *data, size_t len,
Â
ÂÂÂ Âif (!trusted_keys) {
ÂÂÂ ÂÂÂ Âtrusted_keys = builtin_trusted_keys;
-ÂÂ Â} else if (trusted_keys == (void *)1UL) {
+ÂÂ Â} else if (trusted_keys == TRUST_SECONDARY_KEYRING) {
Â#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
ÂÂÂ ÂÂÂ Âtrusted_keys = secondary_trusted_keys;
Â#else
diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c
b/crypto/asymmetric_keys/pkcs7_key_type.c
index e284d9cb..0783e555 100644
--- a/crypto/asymmetric_keys/pkcs7_key_type.c
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -63,7 +63,7 @@ static int pkcs7_preparse(struct key_preparsed_payload
*prep)
Â
ÂÂÂ Âreturn verify_pkcs7_signature(NULL, 0,
ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂ prep->data, prep->datalen,
-ÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂ (void *)1UL, usage,
+ÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂ TRUST_SECONDARY_KEYRING, usage,
ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂ ÂÂÂÂÂÂ pkcs7_view_content, prep);
Â}
Â
diff --git a/include/linux/verification.h b/include/linux/verification.h
index a10549a6..c00c1143 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -12,6 +12,9 @@
Â#ifndef _LINUX_VERIFICATION_H
Â#define _LINUX_VERIFICATION_H
Â
+// Allow both builtin trusted keys and secondary trusted keys
+#define TRUST_SECONDARY_KEYRING ((struct key *)1UL)
+
Â/*
 * The use to which an asymmetric key is being put.
 */
--
2.17.1