[RFC v3 19/27] PCI/CMA: Support built in X.509 certificates

From: alistair23

Date: Tue Feb 10 2026 - 22:40:16 EST


From: Alistair Francis <alistair@xxxxxxxxxxxxx>

Support loading the kernel's built-in X.509 certificates into the CMA
certificate store. This allows certificates compiled into the kernel to be
used as trust roots when authenticating PCIe devices via SPDM.

Signed-off-by: Alistair Francis <alistair@xxxxxxxxxxxxx>
---
certs/system_keyring.c | 4 ----
drivers/pci/cma.c | 28 ++++++++++++++++++++++++++++
include/keys/system_keyring.h | 4 ++++
3 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index f3d8ea4f70b4..adfc24139133 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -28,10 +28,6 @@ static struct key *machine_trusted_keys;
static struct key *platform_trusted_keys;
#endif

-extern __initconst const u8 system_certificate_list[];
-extern __initconst const unsigned long system_certificate_list_size;
-extern __initconst const unsigned long module_cert_size;
-
/**
* restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA
* @dest_keyring: Keyring being linked to.
diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c
index f2c435b04b92..8d64008594e2 100644
--- a/drivers/pci/cma.c
+++ b/drivers/pci/cma.c
@@ -10,6 +10,7 @@

#define dev_fmt(fmt) "CMA: " fmt

+#include <keys/system_keyring.h>
#include <keys/x509-parser.h>
#include <linux/asn1_decoder.h>
#include <linux/oid_registry.h>
@@ -218,8 +219,31 @@ void pci_cma_destroy(struct pci_dev *pdev)
spdm_destroy(pdev->spdm_state);
}

+/*
+ * Load the compiled-in list of X.509 certificates.
+ */
+static int load_system_certificate_list(void)
+{
+ const u8 *p;
+ unsigned long size;
+
+ pr_notice("Loading compiled-in X.509 certificates for CMA\n");
+
+#ifdef CONFIG_MODULE_SIG
+ p = system_certificate_list;
+ size = system_certificate_list_size;
+#else
+ p = system_certificate_list + module_cert_size;
+ size = system_certificate_list_size - module_cert_size;
+#endif
+
+ return x509_load_certificate_list(p, size, pci_cma_keyring);
+}
+
__init static int pci_cma_keyring_init(void)
{
+ int rc;
+
pci_cma_keyring = keyring_alloc(".cma", KUIDT_INIT(0), KGIDT_INIT(0),
current_cred(),
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
@@ -232,6 +256,10 @@ __init static int pci_cma_keyring_init(void)
return PTR_ERR(pci_cma_keyring);
}

+ rc = load_system_certificate_list();
+ if (rc)
+ return rc;
+
return 0;
}
arch_initcall(pci_cma_keyring_init);
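Review bot: When load_system_certificate_list() fails, pci_cma_keyring_init() returns rc but leaves pci_cma_keyring allocated and pointing at a partially populated keyring, so the keyring leaks and later callers that test the pointer (not visible here, so hedged) would still see it as valid. Release it and clear the pointer on that path: `key_put(pci_cma_keyring);` and `pci_cma_keyring = NULL;` before `return rc;`. Whether a partially loaded keyring is worse than none depends on how the SPDM verification path treats a NULL keyring, which is outside this hunk; pci_cma_keyring_init() itself begins in the previous hunk.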
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index a6c2897bcc63..35a33412e175 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -130,4 +130,8 @@ static inline void set_platform_trusted_keys(struct key *keyring)
}
#endif

+extern __initconst const u8 system_certificate_list[];
+extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
+
#endif /* _KEYS_SYSTEM_KEYRING_H */
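Review bot: The three extern declarations moved into this header carry no note that the data is __initconst, so any other includer of system_keyring.h that starts using them from non-init code gets a section-mismatch warning at best and a read of freed init memory at worst. Add a comment above them, e.g. `/* Built-in X.509 certificate blob (certs/system_certificates.S); __initconst, use only from __init code. */`. It may also be worth noting, or guarding with the relevant CONFIG_ ifdef, that the symbols only exist when the system trusted keyring is built, since a driver picking them up without the right Kconfig dependency would fail at link time; whether PCI_CMA already depends on that option is not visible in this patch.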
--
2.52.0