diff options
| author | Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com> | 2015-11-24 16:18:05 -0500 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2016-02-26 10:30:20 -0500 |
| commit | c4c36105958576fee87d2c75f4b69b6e5bbde772 (patch) | |
| tree | f4a8451b1471c4f87fab76f8aa613c5dc402ad8c /certs | |
| parent | 5d06ee20b662a78417245714fc576cba90e6374f (diff) | |
KEYS: Reserve an extra certificate symbol for inserting without recompiling
Place a system_extra_cert buffer of configurable size, right after the
system_certificate_list, so that inserted keys can be readily processed by
the existing mechanism. Added script takes a key file and a kernel image
and inserts its contents to the reserved area. The
system_certificate_list_size is also adjusted accordingly.
Call the script as:
scripts/insert-sys-cert -b <vmlinux> -c <certfile>
If vmlinux has no symbol table, supply System.map file with -s flag.
Subsequent runs replace the previously inserted key, instead of appending
the new one.
Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'certs')
| -rw-r--r-- | certs/Kconfig | 16 | ||||
| -rw-r--r-- | certs/system_certificates.S | 12 |
2 files changed, 28 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index b030b9c7ed34..f0f8a4433685 100644 --- a/certs/Kconfig +++ b/certs/Kconfig | |||
| @@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS | |||
| 39 | form of DER-encoded *.x509 files in the top-level build directory, | 39 | form of DER-encoded *.x509 files in the top-level build directory, |
| 40 | those are no longer used. You will need to set this option instead. | 40 | those are no longer used. You will need to set this option instead. |
| 41 | 41 | ||
| 42 | config SYSTEM_EXTRA_CERTIFICATE | ||
| 43 | bool "Reserve area for inserting a certificate without recompiling" | ||
| 44 | depends on SYSTEM_TRUSTED_KEYRING | ||
| 45 | help | ||
| 46 | If set, space for an extra certificate will be reserved in the kernel | ||
| 47 | image. This allows introducing a trusted certificate to the default | ||
| 48 | system keyring without recompiling the kernel. | ||
| 49 | |||
| 50 | config SYSTEM_EXTRA_CERTIFICATE_SIZE | ||
| 51 | int "Number of bytes to reserve for the extra certificate" | ||
| 52 | depends on SYSTEM_EXTRA_CERTIFICATE | ||
| 53 | default 4096 | ||
| 54 | help | ||
| 55 | This is the number of bytes reserved in the kernel image for a | ||
| 56 | certificate to be inserted. | ||
| 57 | |||
| 42 | endmenu | 58 | endmenu |
diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 9216e8c81764..f82e1b22eac4 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S | |||
| @@ -13,6 +13,18 @@ __cert_list_start: | |||
| 13 | .incbin "certs/x509_certificate_list" | 13 | .incbin "certs/x509_certificate_list" |
| 14 | __cert_list_end: | 14 | __cert_list_end: |
| 15 | 15 | ||
| 16 | #ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE | ||
| 17 | .globl VMLINUX_SYMBOL(system_extra_cert) | ||
| 18 | .size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE | ||
| 19 | VMLINUX_SYMBOL(system_extra_cert): | ||
| 20 | .fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0 | ||
| 21 | |||
| 22 | .globl VMLINUX_SYMBOL(system_extra_cert_used) | ||
| 23 | VMLINUX_SYMBOL(system_extra_cert_used): | ||
| 24 | .int 0 | ||
| 25 | |||
| 26 | #endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */ | ||
| 27 | |||
| 16 | .align 8 | 28 | .align 8 |
| 17 | .globl VMLINUX_SYMBOL(system_certificate_list_size) | 29 | .globl VMLINUX_SYMBOL(system_certificate_list_size) |
| 18 | VMLINUX_SYMBOL(system_certificate_list_size): | 30 | VMLINUX_SYMBOL(system_certificate_list_size): |