Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1174990imm; Wed, 15 Aug 2018 12:45:38 -0700 (PDT) X-Google-Smtp-Source: AA+uWPyOD+Ic1QyLYiFN+4ondjunj+4p9L0DEyT7BKfo0L6ptu0K6q7th1IxwrVcgZqqQw96xgdo X-Received: by 2002:a63:1844:: with SMTP id 4-v6mr26767998pgy.313.1534362338548; Wed, 15 Aug 2018 12:45:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534362338; cv=none; d=google.com; s=arc-20160816; b=Gq4TmXH2b5/r3vvVE785CvzN4bhqMwwgzxwCRuJ16SAhLIcn4L2oHYq6R+tcn1zzEj kcd8whARgsHpINbk/vjiUf0OyTwRuV8fwAwAJj6kZHqfhIM9dL7/1dRhmFWL18u7vSAY 8fWwcf6yuCvQpNnN7XaTWVrjeu7By+m+cCZzx0yAMCqeGiJ28lLktiS/bauVcOyrzHF1 e5AbSINjly8xOtciLIUCbFAmPbxvIntqhmApO2+K00iY4RqSLaTHUdYrzbUn3pZhVuFg vnOipKdu5nx6Gkphscsg6PeHfUJZAi+ejtwssgqtMSVG/RFvjz/EVS5ZmTn9xjzYJ+V5 +U6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=SF8GEvBBKzWPSUUVjyodijAncwXQmS3LRoz9vy5BrYE=; b=OPqry4G7yxiOWMo9iLfMv6o/LSwNufMRFTHGu2Jm9VbfKh+vjwMOp1OuxnjiWc5bzQ s4saJGaIkHcYchznaFvUzXZdTe+pHKFnQ2O1D6hsoI/TPAtWW+ntSo7MOMU4/8qVzm6/ f6ypuDElco8qGG7JtVrnhTl9TNWQeKoLcEf9gqYw18AbOlTqqIibPvgcyRrNCd1zEmWW ZXXaXlsFQ4COCh2lZ4ysHNnWB2bavGoIl8jmkWSzf7zaMHbAXQvjAnvBbrTdXcRnrj9s tq+OV03Ynw9oAZwIa7l2v8Sx1nIKW7PZcgSc9CDdQNAENMTOjnOvQ/0u7QkQsB4VsfIV h2JQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l36-v6si1341334plg.345.2018.08.15.12.45.23; Wed, 15 Aug 2018 12:45:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727993AbeHOWg4 (ORCPT + 99 others); Wed, 15 Aug 2018 18:36:56 -0400 Received: from mail.sembritzki.me ([5.45.101.249]:60556 "EHLO mail.sembritzki.me" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727619AbeHOWg4 (ORCPT ); Wed, 15 Aug 2018 18:36:56 -0400 Received: from yannik-laptop.fritz.box (x4dbb4132.dyn.telefonica.de [77.187.65.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.sembritzki.me (Postfix) with ESMTPSA id 08433A7A8E; Wed, 15 Aug 2018 21:43:23 +0200 (CEST) From: Yannik Sembritzki To: Linus Torvalds , David Howells , Thomas Gleixner , Ingo Molnar , Peter Anvin , the arch/x86 maintainers , Linux Kernel Mailing List , Dave Young , Baoquan He , "Justin M. Forbes" , Peter Jones , James Bottomley , Matthew Garrett , Vivek Goyal Cc: Yannik Sembritzki Subject: [PATCH 2/2] Replace magic for trusting the secondary keyring with #define Date: Wed, 15 Aug 2018 21:42:44 +0200 Message-Id: <20180815194244.29564-3-yannik@sembritzki.me> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180815194244.29564-1-yannik@sembritzki.me> References: <20180815194244.29564-1-yannik@sembritzki.me> In-Reply-To: References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Signed-off-by: Yannik Sembritzki --- arch/x86/kernel/kexec-bzimage64.c | 2 +- certs/system_keyring.c | 3 ++- crypto/asymmetric_keys/pkcs7_key_type.c | 2 +- include/linux/verification.h | 4 ++++ 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 74628275..97d199a3 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data) static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) { return verify_pefile_signature(kernel, kernel_len, - ((struct key *)1UL), + TRUST_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE); } #endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 6251d1b2..777ac7d2 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include @@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *data, size_t len, if (!trusted_keys) { trusted_keys = builtin_trusted_keys; - } else if (trusted_keys == (void *)1UL) { + } else if (trusted_keys == TRUST_SECONDARY_KEYRING) { #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING trusted_keys = secondary_trusted_keys; #else diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c index e284d9cb..0783e555 100644 --- a/crypto/asymmetric_keys/pkcs7_key_type.c +++ b/crypto/asymmetric_keys/pkcs7_key_type.c @@ -63,7 +63,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep) return verify_pkcs7_signature(NULL, 0, prep->data, prep->datalen, - (void *)1UL, usage, + TRUST_SECONDARY_KEYRING, usage, pkcs7_view_content, prep); } diff --git a/include/linux/verification.h b/include/linux/verification.h index a10549a6..5a7f2053 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -12,6 +12,10 @@ #ifndef _LINUX_VERIFICATION_H #define _LINUX_VERIFICATION_H +// Allow both builtin trusted keys and secondary trusted keys +#ifndef TRUST_SECONDARY_KEYRING +#define TRUST_SECONDARY_KEYRING ((struct key *)1UL) + /* * The use to which an asymmetric key is being put. */ -- 2.17.1