2022-03-11 19:10:22

by Mickaël Salaün

[permalink] [raw]
Subject: [PATCH v1 0/2] Remove panic() from keyring init calls

As suggested by Jarkko [1], let's remove the panic() calls from the
keyring initializations. This series applies on top of commit
c9e54f38976a ("integrity: Only use machine keyring when
uefi_check_trust_mok_keys is true"), which also includes 50c486fe3108
("certs: Allow root user to append signed hashes to the blacklist
keyring").

[1] https://lore.kernel.org/r/[email protected]
[2] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?id=c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1

Regards,

Mickaël Salaün (2):
certs: Remove panic() calls from blacklist_init()
certs: Remove panic() calls from system_trusted_keyring_init()

certs/blacklist.c | 27 +++++++++++++++++++++------
certs/system_keyring.c | 26 ++++++++++++++++++++------
2 files changed, 41 insertions(+), 12 deletions(-)


base-commit: c9e54f38976a1c0ec69c0a6208b3fd55fceb01d1
--
2.35.1


2022-03-11 21:03:11

by Mickaël Salaün

[permalink] [raw]
Subject: [PATCH v1 1/2] certs: Remove panic() calls from blacklist_init()

From: Mickaël Salaün <[email protected]>

Replace panic() calls from device_initcall(blacklist_init) with proper
error handling using -ENODEV.

Suggested-by: Jarkko Sakkinen <[email protected]> [1]
Link: https://lore.kernel.org/r/[email protected] [1]
Signed-off-by: Mickaël Salaün <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
---
certs/blacklist.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 486ce0dd8e9c..ea7a77f156da 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -313,12 +313,16 @@ static int __init blacklist_init(void)
const char *const *bl;
struct key_restriction *restriction;

- if (register_key_type(&key_type_blacklist) < 0)
- panic("Can't allocate system blacklist key type\n");
+ if (register_key_type(&key_type_blacklist) < 0) {
+ pr_err("Can't allocate system blacklist key type\n");
+ return -ENODEV;
+ }

restriction = kzalloc(sizeof(*restriction), GFP_KERNEL);
- if (!restriction)
- panic("Can't allocate blacklist keyring restriction\n");
+ if (!restriction) {
+ pr_err("Can't allocate blacklist keyring restriction\n");
+ goto err_restriction;
+ }
restriction->check = restrict_link_for_blacklist;

blacklist_keyring =
@@ -333,13 +337,24 @@ static int __init blacklist_init(void)
, KEY_ALLOC_NOT_IN_QUOTA |
KEY_ALLOC_SET_KEEP,
restriction, NULL);
- if (IS_ERR(blacklist_keyring))
- panic("Can't allocate system blacklist keyring\n");
+ if (IS_ERR(blacklist_keyring)) {
+ pr_err("Can't allocate system blacklist keyring\n");
+ goto err_keyring;
+ }

for (bl = blacklist_hashes; *bl; bl++)
if (mark_raw_hash_blacklisted(*bl) < 0)
pr_err("- blacklisting failed\n");
return 0;
+
+
+err_keyring:
+ kfree(restriction);
+
+err_restriction:
+ unregister_key_type(&key_type_blacklist);
+
+ return -ENODEV;
}

/*
--
2.35.1