From: Mehmet Kayaalp
To: David Howells
Cc: David Woodhouse, keyrings, LSM, kernel, Mimi Zohar, Stefan Berger, George Wilson, Mehmet Kayaalp
Subject: [PATCH v4 0/4] Certificate insertion support for x86 bzImages
Date: Thu, 20 Apr 2017 18:28:36 -0400
Message-Id: <1492727320-26194-1-git-send-email-mkayaalp@linux.vnet.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

These patches add support for modifying the reserved space for extra
certificates in a compressed bzImage in x86. This allows separating the
system keyring certificate from the kernel build process. After the kernel
image is distributed, the insert-sys-cert script can be used to insert the
certificate for x86.

Changes:

v4:
* Applied checkpatch.pl suggestions (2/4, 3/4)
* Cleaned up the commit messages (1/4, 2/4)
* Added the build file to .gitignore (1/4)

v3:
* Rewrote 1/4 to insert incompressible bytes at build time. Previous
  solution required changes to /boot/Makefile's for modifying the vmlinux
  file after linking, and did not work well with cross compilation.
* Added 2/4 for ELF class-independent processing of vmlinux file, in case
  the script was compiled for 64-bit and the kernel was compiled for 32-bit.
* Reordered 3/4, added x86 bzImage boot version (>=2.08) verification.

v2:
* Rebased arch/boot/x86/Makefile patch (removed in v3)

Mehmet Kayaalp (4):
  KEYS: Insert incompressible bytes to reserve space in bzImage
  KEYS: Add ELF class-independent certificate insertion support
  KEYS: Support for inserting a certificate into x86 bzImage
  KEYS: Print insert-sys-cert information to stdout instead of stderr

 certs/.gitignore            |   1 +
 certs/Makefile              |  21 +-
 certs/system_certificates.S |   2 +-
 scripts/Makefile            |   1 +
 scripts/insert-sys-cert.c   | 453 +++++++++++++++++++++++++++++++++-----------
 5 files changed, 361 insertions(+), 117 deletions(-)

-- 
2.7.4
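The v3 note above mentions a boot version (>=2.08) check. Protocol 2.08 is the version in which the x86 setup header gained the payload_offset and payload_length fields that locate the compressed kernel inside a bzImage. The following is an added example, not code from this patch series: the function name bzimage_payload and its return codes are hypothetical, and the field offsets are taken from the x86 Linux boot protocol documentation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Setup header field offsets (x86 Linux boot protocol). */
#define OFF_SETUP_SECTS 0x1f1	/* size of real-mode setup, in 512-byte sectors */
#define OFF_BOOT_FLAG   0x1fe	/* 0xAA55 */
#define OFF_HDRS        0x202	/* magic "HdrS" */
#define OFF_VERSION     0x206	/* boot protocol version, e.g. 0x0208 */
#define OFF_PAYLOAD_OFF 0x248	/* payload_offset, protocol 2.08+ */
#define OFF_PAYLOAD_LEN 0x24c	/* payload_length, protocol 2.08+ */
#define HDR_MIN_LEN     0x250

/* Read an n-byte little-endian integer regardless of host endianness. */
static uint32_t le(const uint8_t *p, int n)
{
	uint32_t v = 0;

	while (n--)
		v = (v << 8) | p[n];
	return v;
}

/*
 * Locate the compressed payload of the bzImage held in buf[0..len).
 * Returns 0 and sets *start / *size (file offset and byte count),
 * -1 if buf is not a bzImage, -2 if the boot protocol is older than
 * 2.08, -3 if the advertised payload does not fit inside the file.
 */
int bzimage_payload(const uint8_t *buf, size_t len, size_t *start, size_t *size)
{
	if (len < HDR_MIN_LEN || le(buf + OFF_BOOT_FLAG, 2) != 0xaa55 ||
	    memcmp(buf + OFF_HDRS, "HdrS", 4) != 0)
		return -1;
	if (le(buf + OFF_VERSION, 2) < 0x0208)
		return -2;	/* payload fields are undefined before 2.08 */

	/* A setup_sects value of 0 means 4, for backward compatibility. */
	uint32_t sects = buf[OFF_SETUP_SECTS] ? buf[OFF_SETUP_SECTS] : 4;
	uint64_t pm = ((uint64_t)sects + 1) * 512;	/* protected-mode code start */
	uint64_t off = pm + le(buf + OFF_PAYLOAD_OFF, 4);
	uint64_t plen = le(buf + OFF_PAYLOAD_LEN, 4);

	if (plen == 0 || off > len || plen > len - off)
		return -3;	/* never trust header lengths without bounds checks */
	*start = (size_t)off;
	*size = (size_t)plen;
	return 0;
}
```

Any tool that rewrites bytes inside a distributed image should refuse to proceed on a nonzero return, since the offsets come from the file being modified.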