From: Patrick Uiterwijk <patrick@puiterwijk.org>
To: peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
linux-integrity@vger.kernel.org
Cc: pbrobinson@gmail.com, stefanb@linux.ibm.com, kgold@linux.ibm.com,
Patrick Uiterwijk <patrick@puiterwijk.org>
Subject: [PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert
Date: Thu, 25 Feb 2021 21:32:28 +0100 [thread overview]
Message-ID: <20210225203229.363302-3-patrick@puiterwijk.org> (raw)
In-Reply-To: <20210225203229.363302-1-patrick@puiterwijk.org>
Allows passing flags for key_create_or_update via
integrity_load_cert.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
security/integrity/digsig.c | 11 ++++++-----
security/integrity/integrity.h | 6 ++++--
security/integrity/platform_certs/platform_keyring.c | 2 +-
3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 250fb0836156..93203c767b57 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -144,7 +144,7 @@ int __init integrity_init_keyring(const unsigned int id)
}
static int __init integrity_add_key(const unsigned int id, const void *data,
- off_t size, key_perm_t perm)
+ off_t size, key_perm_t perm, unsigned long flags)
{
key_ref_t key;
int rc = 0;
@@ -154,7 +154,7 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
NULL, data, size, perm,
- KEY_ALLOC_NOT_IN_QUOTA);
+ flags | KEY_ALLOC_NOT_IN_QUOTA);
if (IS_ERR(key)) {
rc = PTR_ERR(key);
pr_err("Problem loading X.509 certificate %d\n", rc);
@@ -186,18 +186,19 @@ int __init integrity_load_x509(const unsigned int id, const char *path)
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
pr_info("Loading X.509 certificate: %s\n", path);
- rc = integrity_add_key(id, (const void *)data, size, perm);
+ rc = integrity_add_key(id, (const void *)data, size, perm, 0);
vfree(data);
return rc;
}
int __init integrity_load_cert(const unsigned int id, const char *source,
- const void *data, size_t len, key_perm_t perm)
+ const void *data, size_t len, key_perm_t perm,
+ unsigned long flags)
{
if (!data)
return -EINVAL;
pr_info("Loading X.509 certificate: %s\n", source);
- return integrity_add_key(id, data, len, perm);
+ return integrity_add_key(id, data, len, perm, flags);
}
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 547425c20e11..1194ff71a1c1 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -166,7 +166,8 @@ int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
int __init integrity_init_keyring(const unsigned int id);
int __init integrity_load_x509(const unsigned int id, const char *path);
int __init integrity_load_cert(const unsigned int id, const char *source,
- const void *data, size_t len, key_perm_t perm);
+ const void *data, size_t len, key_perm_t perm,
+ unsigned long flags);
#else
static inline int integrity_digsig_verify(const unsigned int id,
@@ -190,7 +191,8 @@ static inline int integrity_init_keyring(const unsigned int id)
static inline int __init integrity_load_cert(const unsigned int id,
const char *source,
const void *data, size_t len,
- key_perm_t perm)
+ key_perm_t perm,
+ unsigned long flags)
{
return 0;
}
diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c
index bcafd7387729..131462c826b5 100644
--- a/security/integrity/platform_certs/platform_keyring.c
+++ b/security/integrity/platform_certs/platform_keyring.c
@@ -32,7 +32,7 @@ void __init add_to_platform_keyring(const char *source, const void *data,
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len,
- perm);
+ perm, 0);
if (rc)
pr_info("Error adding keys to platform keyring %s\n", source);
}
--
2.29.2
next prev parent reply other threads:[~2021-02-25 20:36 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 20:32 [PATCH 0/3] Load keys from TPM2 NV Index on IMA keyring Patrick Uiterwijk
2021-02-25 20:32 ` [PATCH 1/3] tpm: Add support for reading a TPM NV Index Patrick Uiterwijk
2021-02-25 21:50 ` Stefan Berger
2021-02-26 1:09 ` Jarkko Sakkinen
2021-02-25 20:32 ` Patrick Uiterwijk [this message]
2021-02-26 21:04 ` [PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert Stefan Berger
2021-02-25 20:32 ` [PATCH 3/3] integrity: Load keys from TPM NV onto IMA keyring Patrick Uiterwijk
2021-02-26 21:47 ` Stefan Berger
2021-02-26 21:51 ` Stefan Berger
2021-02-25 21:50 ` [PATCH 0/3] Load keys from TPM2 NV Index on " James Bottomley
2021-02-26 21:45 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210225203229.363302-3-patrick@puiterwijk.org \
--to=patrick@puiterwijk.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pbrobinson@gmail.com \
--cc=peterhuewe@gmx.de \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).