Linux-Next Archive on lore.kernel.org
 help / color / Atom feed
* linux-next: manual merge of the keys tree with the integrity tree
@ 2021-04-12  7:08 Stephen Rothwell
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Rothwell @ 2021-04-12  7:08 UTC (permalink / raw)
  To: David Howells
  Cc: Eric Snowberg, Linux Kernel Mailing List,
	Linux Next Mailing List, Mimi Zohar, Nayna Jain


[-- Attachment #1: Type: text/plain, Size: 3585 bytes --]

Hi all,

FIXME: Add owner of second tree to To:
       Add author(s)/SOB of conflicting commits.

Today's linux-next merge of the keys tree got a conflict in:

  certs/system_keyring.c

between commit:

  6cbdfb3d91ba ("ima: enable loading of build time generated key on .ima keyring")

from the integrity tree and commit:

  9536390dcc8c ("certs: Move load_system_certificate_list to a common function")

from the keys tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc certs/system_keyring.c
index 2b3ad375ecc1,0c9a4795e847..000000000000
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,88 -133,15 +134,36 @@@ static __init int system_trusted_keyrin
   */
  device_initcall(system_trusted_keyring_init);
  
- static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
- {
- 	key_ref_t key;
- 	size_t plen;
- 
- 	while (p < end) {
- 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- 		 * than 256 bytes in size.
- 		 */
- 		if (end - p < 4)
- 			goto dodgy_cert;
- 		if (p[0] != 0x30 &&
- 		    p[1] != 0x82)
- 			goto dodgy_cert;
- 		plen = (p[2] << 8) | p[3];
- 		plen += 4;
- 		if (plen > end - p)
- 			goto dodgy_cert;
- 
- 		key = key_create_or_update(make_key_ref(keyring, 1),
- 					   "asymmetric",
- 					   NULL,
- 					   p,
- 					   plen,
- 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- 					   KEY_USR_VIEW | KEY_USR_READ),
- 					   KEY_ALLOC_NOT_IN_QUOTA |
- 					   KEY_ALLOC_BUILT_IN |
- 					   KEY_ALLOC_BYPASS_RESTRICTION);
- 		if (IS_ERR(key)) {
- 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- 			       PTR_ERR(key));
- 		} else {
- 			pr_notice("Loaded X.509 cert '%s'\n",
- 				  key_ref_to_ptr(key)->description);
- 			key_ref_put(key);
- 		}
- 		p += plen;
- 	}
- 
- 	return 0;
- 
- dodgy_cert:
- 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
- 	return 0;
- }
- 
 +__init int load_module_cert(struct key *keyring)
 +{
- 	const u8 *p, *end;
- 
 +	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
 +		return 0;
 +
 +	pr_notice("Loading compiled-in module X.509 certificates\n");
 +
- 	p = system_certificate_list;
- 	end = p + module_cert_size;
- 
- 	return load_cert(p, end, keyring);
++	return load_certificate_list(system_certificate_list, module_cert_size,
++				     keyring);
 +}
 +
  /*
   * Load the compiled-in list of X.509 certificates.
   */
  static __init int load_system_certificate_list(void)
  {
- 	const u8 *p, *end;
++	const u8 *p;
 +	unsigned long size;
 +
  	pr_notice("Loading compiled-in X.509 certificates\n");
  
 -	return load_certificate_list(system_certificate_list, system_certificate_list_size,
 -				     builtin_trusted_keys);
 +#ifdef CONFIG_MODULE_SIG
 +	p = system_certificate_list;
 +	size = system_certificate_list_size;
 +#else
 +	p = system_certificate_list + module_cert_size;
 +	size = system_certificate_list_size - module_cert_size;
 +#endif
 +
- 	end = p + size;
- 	return load_cert(p, end, builtin_trusted_keys);
++	return load_certificate_list(p, size, builtin_trusted_keys);
  }
  late_initcall(load_system_certificate_list);
  

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* linux-next: manual merge of the keys tree with the integrity tree
@ 2021-04-07  4:15 Stephen Rothwell
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Rothwell @ 2021-04-07  4:15 UTC (permalink / raw)
  To: David Howells, Mimi Zohar, Dmitry Kasatkin
  Cc: Eric Snowberg, Linux Kernel Mailing List,
	Linux Next Mailing List, Mimi Zohar, Nayna Jain


[-- Attachment #1: Type: text/plain, Size: 3403 bytes --]

Hi all,

Today's linux-next merge of the keys tree got a conflict in:

  certs/system_keyring.c

between commit:

  df73a4001959 ("ima: enable loading of build time generated key on .ima keyring")

from the integrity tree and commit:

  9536390dcc8c ("certs: Move load_system_certificate_list to a common function")

from the keys tree.

I fixed it up (I think - see below) and can carry the fix as
necessary. This is now fixed as far as linux-next is concerned, but any
non trivial conflicts should be mentioned to your upstream maintainer
when your tree is submitted for merging.  You may also want to consider
cooperating with the maintainer of the conflicting tree to minimise any
particularly complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc certs/system_keyring.c
index bb122bf4cc17,0c9a4795e847..000000000000
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,85 -133,15 +134,34 @@@ static __init int system_trusted_keyrin
   */
  device_initcall(system_trusted_keyring_init);
  
- static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
- {
- 	key_ref_t key;
- 	size_t plen;
- 
- 	while (p < end) {
- 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- 		 * than 256 bytes in size.
- 		 */
- 		if (end - p < 4)
- 			goto dodgy_cert;
- 		if (p[0] != 0x30 &&
- 		    p[1] != 0x82)
- 			goto dodgy_cert;
- 		plen = (p[2] << 8) | p[3];
- 		plen += 4;
- 		if (plen > end - p)
- 			goto dodgy_cert;
- 
- 		key = key_create_or_update(make_key_ref(keyring, 1),
- 					   "asymmetric",
- 					   NULL,
- 					   p,
- 					   plen,
- 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- 					   KEY_USR_VIEW | KEY_USR_READ),
- 					   KEY_ALLOC_NOT_IN_QUOTA |
- 					   KEY_ALLOC_BUILT_IN |
- 					   KEY_ALLOC_BYPASS_RESTRICTION);
- 		if (IS_ERR(key)) {
- 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- 			       PTR_ERR(key));
- 		} else {
- 			pr_notice("Loaded X.509 cert '%s'\n",
- 				  key_ref_to_ptr(key)->description);
- 			key_ref_put(key);
- 		}
- 		p += plen;
- 	}
- 
- 	return 0;
- 
- dodgy_cert:
- 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
- 	return 0;
- }
- 
 +__init int load_module_cert(struct key *keyring)
 +{
- 	const u8 *p, *end;
- 
 +	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
 +		return 0;
 +
 +	pr_notice("Loading compiled-in module X.509 certificates\n");
 +
- 	p = system_certificate_list;
- 	end = p + module_cert_size;
- 
- 	return load_cert(p, end, keyring);
++	return load_certificate_list(system_certificate_list, module_cert_size,
++				     keyring);
 +}
 +
  /*
   * Load the compiled-in list of X.509 certificates.
   */
  static __init int load_system_certificate_list(void)
  {
- 	const u8 *p, *end;
++	const u8 *p;
 +
  	pr_notice("Loading compiled-in X.509 certificates\n");
  
 -	return load_certificate_list(system_certificate_list, system_certificate_list_size,
 +#ifdef CONFIG_MODULE_SIG
 +	p = system_certificate_list;
 +#else
 +	p = system_certificate_list + module_cert_size;
 +#endif
 +
- 	end = p + system_certificate_list_size;
- 	return load_cert(p, end, builtin_trusted_keys);
++	return load_certificate_list(p, system_certificate_list_size,
+ 				     builtin_trusted_keys);
  }
  late_initcall(load_system_certificate_list);
  

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: linux-next: manual merge of the keys tree with the integrity tree
  2019-07-09  0:31   ` Mimi Zohar
@ 2019-07-09  0:42     ` Stephen Rothwell
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Rothwell @ 2019-07-09  0:42 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: David Howells, Mimi Zohar, Dmitry Kasatkin,
	Linux Next Mailing List, Linux Kernel Mailing List


[-- Attachment #1: Type: text/plain, Size: 235 bytes --]

Hi Mimi,

On Mon, 08 Jul 2019 20:31:35 -0400 Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> Thank you for carrying the patch!  I did remember to mention it in the
> pull request.  :)

Excellent!

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: linux-next: manual merge of the keys tree with the integrity tree
  2019-07-09  0:11 ` Stephen Rothwell
@ 2019-07-09  0:31   ` Mimi Zohar
  2019-07-09  0:42     ` Stephen Rothwell
  0 siblings, 1 reply; 6+ messages in thread
From: Mimi Zohar @ 2019-07-09  0:31 UTC (permalink / raw)
  To: Stephen Rothwell, David Howells, Mimi Zohar, Dmitry Kasatkin
  Cc: Linux Next Mailing List, Linux Kernel Mailing List

Hi Stephen,

On Tue, 2019-07-09 at 10:11 +1000, Stephen Rothwell wrote:
> > diff --cc security/integrity/digsig.c
> > index 868ade3e8970,e432900c00b9..000000000000
> > --- a/security/integrity/digsig.c
> > +++ b/security/integrity/digsig.c
> > @@@ -69,9 -70,8 +70,9 @@@ int integrity_digsig_verify(const unsig
> >   	return -EOPNOTSUPP;
> >   }
> >   
> >  -static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
> >  -				    struct key_restriction *restriction)
> >  +static int __init __integrity_init_keyring(const unsigned int id,
> > - 					   key_perm_t perm,
> > ++					   struct key_acl *acl,
> >  +					   struct key_restriction *restriction)
> >   {
> >   	const struct cred *cred = current_cred();
> >   	int err = 0;
> 
> I am still getting this conflict (the commit ids may have changed).
> Just a reminder in case you think Linus may need to know.

Thank you for carrying the patch!  I did remember to mention it in the
pull request.  :)

Mimi


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: linux-next: manual merge of the keys tree with the integrity tree
  2019-06-26  4:33 Stephen Rothwell
@ 2019-07-09  0:11 ` Stephen Rothwell
  2019-07-09  0:31   ` Mimi Zohar
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Rothwell @ 2019-07-09  0:11 UTC (permalink / raw)
  To: David Howells, Mimi Zohar, Dmitry Kasatkin
  Cc: Linux Next Mailing List, Linux Kernel Mailing List


[-- Attachment #1: Type: text/plain, Size: 1730 bytes --]

Hi all,

On Wed, 26 Jun 2019 14:33:33 +1000 Stephen Rothwell <sfr@canb.auug.org.au> wrote:
> 
> Today's linux-next merge of the keys tree got a conflict in:
> 
>   security/integrity/digsig.c
> 
> between commit:
> 
>   8c655784e2cf ("integrity: Fix __integrity_init_keyring() section mismatch")
> 
> from the integrity tree and commit:
> 
>   79512db59dc8 ("keys: Replace uid/gid/perm permissions checking with an ACL")
> 
> from the keys tree.
> 
> I fixed it up (see below) and can carry the fix as necessary. This
> is now fixed as far as linux-next is concerned, but any non trivial
> conflicts should be mentioned to your upstream maintainer when your tree
> is submitted for merging.  You may also want to consider cooperating
> with the maintainer of the conflicting tree to minimise any particularly
> complex conflicts.
> 
> -- 
> Cheers,
> Stephen Rothwell
> 
> diff --cc security/integrity/digsig.c
> index 868ade3e8970,e432900c00b9..000000000000
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@@ -69,9 -70,8 +70,9 @@@ int integrity_digsig_verify(const unsig
>   	return -EOPNOTSUPP;
>   }
>   
>  -static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
>  -				    struct key_restriction *restriction)
>  +static int __init __integrity_init_keyring(const unsigned int id,
> - 					   key_perm_t perm,
> ++					   struct key_acl *acl,
>  +					   struct key_restriction *restriction)
>   {
>   	const struct cred *cred = current_cred();
>   	int err = 0;

I am still getting this conflict (the commit ids may have changed).
Just a reminder in case you think Linus may need to know.

-- 
Cheers,
Stephen Rothwell

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* linux-next: manual merge of the keys tree with the integrity tree
@ 2019-06-26  4:33 Stephen Rothwell
  2019-07-09  0:11 ` Stephen Rothwell
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Rothwell @ 2019-06-26  4:33 UTC (permalink / raw)
  To: David Howells, Mimi Zohar, Dmitry Kasatkin
  Cc: Linux Next Mailing List, Linux Kernel Mailing List


[-- Attachment #1: Type: text/plain, Size: 1395 bytes --]

Hi all,

Today's linux-next merge of the keys tree got a conflict in:

  security/integrity/digsig.c

between commit:

  8c655784e2cf ("integrity: Fix __integrity_init_keyring() section mismatch")

from the integrity tree and commit:

  79512db59dc8 ("keys: Replace uid/gid/perm permissions checking with an ACL")

from the keys tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging.  You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

-- 
Cheers,
Stephen Rothwell

diff --cc security/integrity/digsig.c
index 868ade3e8970,e432900c00b9..000000000000
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@@ -69,9 -70,8 +70,9 @@@ int integrity_digsig_verify(const unsig
  	return -EOPNOTSUPP;
  }
  
 -static int __integrity_init_keyring(const unsigned int id, struct key_acl *acl,
 -				    struct key_restriction *restriction)
 +static int __init __integrity_init_keyring(const unsigned int id,
- 					   key_perm_t perm,
++					   struct key_acl *acl,
 +					   struct key_restriction *restriction)
  {
  	const struct cred *cred = current_cred();
  	int err = 0;

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-12  7:08 linux-next: manual merge of the keys tree with the integrity tree Stephen Rothwell
  -- strict thread matches above, loose matches on Subject: below --
2021-04-07  4:15 Stephen Rothwell
2019-06-26  4:33 Stephen Rothwell
2019-07-09  0:11 ` Stephen Rothwell
2019-07-09  0:31   ` Mimi Zohar
2019-07-09  0:42     ` Stephen Rothwell

Linux-Next Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-next/0 linux-next/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-next linux-next/ https://lore.kernel.org/linux-next \
		linux-next@vger.kernel.org
	public-inbox-index linux-next

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-next


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git