author: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com> 2015-11-24 16:18:05 -0500
committer: David Howells <dhowells@redhat.com> 2016-02-26 10:30:20 -0500
commit: c4c36105958576fee87d2c75f4b69b6e5bbde772
tree: f4a8451b1471c4f87fab76f8aa613c5dc402ad8c /certs/Kconfig
parent: 5d06ee20b662a78417245714fc576cba90e6374f
KEYS: Reserve an extra certificate symbol for inserting without recompiling
Place a system_extra_cert buffer of configurable size, right after the system_certificate_list, so that inserted keys can be readily processed by the existing mechanism. Added script takes a key file and a kernel image and inserts its contents to the reserved area. The system_certificate_list_size is also adjusted accordingly.

Call the script as:

    scripts/insert-sys-cert -b <vmlinux> -c <certfile>

If vmlinux has no symbol table, supply System.map file with -s flag. Subsequent runs replace the previously inserted key, instead of appending the new one.

Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r-- certs/Kconfig 16
1 files changed, 16 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index b030b9c7ed34..f0f8a4433685 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS
39 form of DER-encoded *.x509 files in the top-level build directory, 39 form of DER-encoded *.x509 files in the top-level build directory,
40 those are no longer used. You will need to set this option instead. 40 those are no longer used. You will need to set this option instead.
41 41
42config SYSTEM_EXTRA_CERTIFICATE
43 bool "Reserve area for inserting a certificate without recompiling"
44 depends on SYSTEM_TRUSTED_KEYRING
45 help
46 If set, space for an extra certificate will be reserved in the kernel
47 image. This allows introducing a trusted certificate to the default
48 system keyring without recompiling the kernel.
49
50config SYSTEM_EXTRA_CERTIFICATE_SIZE
51 int "Number of bytes to reserve for the extra certificate"
52 depends on SYSTEM_EXTRA_CERTIFICATE
53 default 4096
54 help
55 This is the number of bytes reserved in the kernel image for a
56 certificate to be inserted.
57
42endmenu 58endmenu
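Review bot: SYSTEM_EXTRA_CERTIFICATE_SIZE is declared as a plain int with only "default 4096" and no range line, so Kconfig will accept 0 or a negative number for a value that sizes a reserved buffer; add a range with a sensible lower bound. The help text of both new options also never says how the reserved area gets filled: it should name scripts/insert-sys-cert, which the commit message introduces, and say what happens when the certificate is larger than the configured size. Because the SYSTEM_EXTRA_CERTIFICATE help states that the inserted certificate becomes a trusted certificate in the default system keyring, one more sentence is warranted noting that the kernel image needs integrity protection after insertion, since whoever can write to the reserved area gets to choose a trusted key.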