[PATCH v3 14/14] KEYS: Introduce load_pgp_public_keyring()

From: Roberto Sassu
Date: Wed Sep 11 2024 - 08:36:25 EST

Next message: Hans de Goede: "Re: [PATCH] platform/x86: asus-wmi: don't fail if platform_profile already registered"
Previous message: Roberto Sassu: "[PATCH v3 13/14] KEYS: Provide a function to load keys from a PGP keyring blob"
In reply to: Roberto Sassu: "[PATCH v3 13/14] KEYS: Provide a function to load keys from a PGP keyring blob"
Next in thread: Herbert Xu: "Re: [PATCH v3 00/14] KEYS: Add support for PGP keys and signatures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Preload PGP keys from 'pubring.gpg', placed in certs/ of the kernel source
directory.

Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
certs/Kconfig | 11 +++++++++++
certs/Makefile | 7 +++++++
certs/system_certificates.S | 18 ++++++++++++++++++
certs/system_keyring.c | 23 +++++++++++++++++++++++
4 files changed, 59 insertions(+)

diff --git a/certs/Kconfig b/certs/Kconfig
index 78307dc25559..9b7ece1e45fa 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -154,4 +154,15 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE
keyring. The PKCS#7 signature of the description is set in the key
payload. Blacklist keys cannot be removed.

+config PGP_PRELOAD_PUBLIC_KEYS
+ bool "Preload PGP public keys"
+ depends on SYSTEM_TRUSTED_KEYRING
+ select PGP_PRELOAD
+ default n
+ help
+ Load at boot time the PGP public keys from a reserved area (populated
+ with the content of 'certs/pubring.gpg' provided at kernel build
+ time), and add them to the built-in keyring. Invalid keys are ignored
+ and the loading continues.
+
endmenu
diff --git a/certs/Makefile b/certs/Makefile
index 1094e3860c2a..7a3d68441e09 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -31,6 +31,13 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list
$(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE
$(call if_changed,extract_certs)

+ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
+ifeq ($(shell ls $(srctree)/certs/pubring.gpg 2> /dev/null), $(srctree)/certs/pubring.gpg)
+AFLAGS_system_certificates.o := -DHAVE_PUBRING_GPG
+$(obj)/system_certificates.o: $(srctree)/certs/pubring.gpg
+endif
+endif
+
targets += x509_certificate_list

# If module signing is requested, say by allyesconfig, but a key has not been
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index 003e25d4a17e..b3cbf0811e3f 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -44,3 +44,21 @@ module_cert_size:
#else
.long __module_cert_end - __module_cert_start
#endif
+
+ .align 8
+ .globl pgp_public_keys
+pgp_public_keys:
+__pgp_key_list_start:
+#ifdef HAVE_PUBRING_GPG
+ .incbin "certs/pubring.gpg"
+#endif
+__pgp_key_list_end:
+
+ .align 8
+ .globl pgp_public_keys_size
+pgp_public_keys_size:
+#ifdef CONFIG_64BIT
+ .quad __pgp_key_list_end - __pgp_key_list_start
+#else
+ .long __pgp_key_list_end - __pgp_key_list_start
+#endif
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index f132773c6096..357d52d1d250 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -32,6 +32,10 @@ static struct key *platform_trusted_keys;
extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
extern __initconst const unsigned long module_cert_size;
+#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
+extern __initconst const u8 pgp_public_keys[];
+extern __initconst const unsigned long pgp_public_keys_size;
+#endif

/**
* restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA
@@ -268,6 +272,15 @@ __init int load_module_cert(struct key *keyring)
if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
return 0;

+#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
+ pr_notice("Load PGP public keys to keyring %s\n", keyring->description);
+
+ if (preload_pgp_keys(pgp_public_keys,
+ pgp_public_keys_size,
+ keyring) < 0)
+ pr_err("Can't load PGP public keys\n");
+#endif
+
pr_notice("Loading compiled-in module X.509 certificates\n");

return x509_load_certificate_list(system_certificate_list,
@@ -292,6 +305,16 @@ static __init int load_system_certificate_list(void)
size = system_certificate_list_size - module_cert_size;
#endif

+#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS
+ pr_notice("Load PGP public keys to keyring %s\n",
+ builtin_trusted_keys->description);
+
+ if (preload_pgp_keys(pgp_public_keys,
+ pgp_public_keys_size,
+ builtin_trusted_keys) < 0)
+ pr_err("Can't load PGP public keys\n");
+#endif
+
return x509_load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);
--
2.34.1

Next message: Hans de Goede: "Re: [PATCH] platform/x86: asus-wmi: don't fail if platform_profile already registered"
Previous message: Roberto Sassu: "[PATCH v3 13/14] KEYS: Provide a function to load keys from a PGP keyring blob"
In reply to: Roberto Sassu: "[PATCH v3 13/14] KEYS: Provide a function to load keys from a PGP keyring blob"
Next in thread: Herbert Xu: "Re: [PATCH v3 00/14] KEYS: Add support for PGP keys and signatures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]