diff options
| author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-11-05 10:01:13 -0500 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.vnet.ibm.com> | 2014-11-17 23:11:59 -0500 |
| commit | 65d543b2335ede80e5e66bc4f559f62db5f469bd (patch) | |
| tree | 846bf4fd2bcb05ec85e27bcf70b817476ab4bba0 | |
| parent | e3c4abbfa97ed0b7aed36f18b32911ccf76d52c2 (diff) | |
integrity: provide a function to load x509 certificate from the kernel
Provide the function to load x509 certificates from the kernel into the
integrity kernel keyring.
Changes in v2:
* configuration option removed
* function declared as '__init'
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
| -rw-r--r-- | security/integrity/digsig.c | 36 | ||||
| -rw-r--r-- | security/integrity/integrity.h | 2 |
2 files changed, 37 insertions, 1 deletions
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 4f643d1b34dd..5e3bd72b299a 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | 14 | ||
| 15 | #include <linux/err.h> | 15 | #include <linux/err.h> |
| 16 | #include <linux/sched.h> | 16 | #include <linux/sched.h> |
| 17 | #include <linux/rbtree.h> | 17 | #include <linux/slab.h> |
| 18 | #include <linux/cred.h> | 18 | #include <linux/cred.h> |
| 19 | #include <linux/key-type.h> | 19 | #include <linux/key-type.h> |
| 20 | #include <linux/digsig.h> | 20 | #include <linux/digsig.h> |
| @@ -84,3 +84,37 @@ int __init integrity_init_keyring(const unsigned int id) | |||
| 84 | } | 84 | } |
| 85 | return err; | 85 | return err; |
| 86 | } | 86 | } |
| 87 | |||
| 88 | int __init integrity_load_x509(const unsigned int id, char *path) | ||
| 89 | { | ||
| 90 | key_ref_t key; | ||
| 91 | char *data; | ||
| 92 | int rc; | ||
| 93 | |||
| 94 | if (!keyring[id]) | ||
| 95 | return -EINVAL; | ||
| 96 | |||
| 97 | rc = integrity_read_file(path, &data); | ||
| 98 | if (rc < 0) | ||
| 99 | return rc; | ||
| 100 | |||
| 101 | key = key_create_or_update(make_key_ref(keyring[id], 1), | ||
| 102 | "asymmetric", | ||
| 103 | NULL, | ||
| 104 | data, | ||
| 105 | rc, | ||
| 106 | ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | ||
| 107 | KEY_USR_VIEW | KEY_USR_READ), | ||
| 108 | KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED); | ||
| 109 | if (IS_ERR(key)) { | ||
| 110 | rc = PTR_ERR(key); | ||
| 111 | pr_err("Problem loading X.509 certificate (%d): %s\n", | ||
| 112 | rc, path); | ||
| 113 | } else { | ||
| 114 | pr_notice("Loaded X.509 cert '%s': %s\n", | ||
| 115 | key_ref_to_ptr(key)->description, path); | ||
| 116 | key_ref_put(key); | ||
| 117 | } | ||
| 118 | kfree(data); | ||
| 119 | return 0; | ||
| 120 | } | ||
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 20d220481025..1057abbd31cd 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h | |||
| @@ -134,6 +134,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, | |||
| 134 | const char *digest, int digestlen); | 134 | const char *digest, int digestlen); |
| 135 | 135 | ||
| 136 | int __init integrity_init_keyring(const unsigned int id); | 136 | int __init integrity_init_keyring(const unsigned int id); |
| 137 | int __init integrity_load_x509(const unsigned int id, char *path); | ||
| 137 | #else | 138 | #else |
| 138 | 139 | ||
| 139 | static inline int integrity_digsig_verify(const unsigned int id, | 140 | static inline int integrity_digsig_verify(const unsigned int id, |
| @@ -147,6 +148,7 @@ static inline int integrity_init_keyring(const unsigned int id) | |||
| 147 | { | 148 | { |
| 148 | return 0; | 149 | return 0; |
| 149 | } | 150 | } |
| 151 | |||
| 150 | #endif /* CONFIG_INTEGRITY_SIGNATURE */ | 152 | #endif /* CONFIG_INTEGRITY_SIGNATURE */ |
| 151 | 153 | ||
| 152 | #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS | 154 | #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS |