diff options
Diffstat (limited to 'freed-ora/tags/f26/4.12.11-300.fc26.gnu/KEYS-Add-a-system-blacklist-keyring.patch')
-rw-r--r-- | freed-ora/tags/f26/4.12.11-300.fc26.gnu/KEYS-Add-a-system-blacklist-keyring.patch | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/freed-ora/tags/f26/4.12.11-300.fc26.gnu/KEYS-Add-a-system-blacklist-keyring.patch b/freed-ora/tags/f26/4.12.11-300.fc26.gnu/KEYS-Add-a-system-blacklist-keyring.patch new file mode 100644 index 000000000..262c960b8 --- /dev/null +++ b/freed-ora/tags/f26/4.12.11-300.fc26.gnu/KEYS-Add-a-system-blacklist-keyring.patch @@ -0,0 +1,102 @@ +From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@fedoraproject.org> +Date: Fri, 26 Oct 2012 12:36:24 -0400 +Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring + +This adds an additional keyring that is used to store certificates that +are blacklisted. This keyring is searched first when loading signed modules +and if the module's certificate is found, it will refuse to load. This is +useful in cases where third party certificates are used for module signing. + +Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> +--- + certs/system_keyring.c | 22 ++++++++++++++++++++++ + include/keys/system_keyring.h | 4 ++++ + init/Kconfig | 9 +++++++++ + 3 files changed, 35 insertions(+) + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 50979d6dcecd..787eeead2f57 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + static struct key *secondary_trusted_keys; + #endif ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++struct key *system_blacklist_keyring; ++#endif + + extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; +@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void) + if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0) + panic("Can't link trusted keyrings\n"); + #endif ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", ++ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), ++ KEY_ALLOC_NOT_IN_QUOTA, ++ NULL, NULL); ++ if (IS_ERR(system_blacklist_keyring)) ++ panic("Can't allocate system blacklist keyring\n"); ++#endif + + return 0; + } +@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len, + trusted_keys = builtin_trusted_keys; + #endif + } ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring); ++ if (!ret) { ++ /* module is signed with a cert in the blacklist. reject */ ++ pr_err("Module key is in the blacklist\n"); ++ ret = -EKEYREJECTED; ++ goto error; ++ } ++#endif + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { + if (ret == -ENOKEY) +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index fbd4647767e9..5bc291a3d261 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted + #endif + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++extern struct key *system_blacklist_keyring; ++#endif ++ + #ifdef CONFIG_IMA_BLACKLIST_KEYRING + extern struct key *ima_blacklist_keyring; + +diff --git a/init/Kconfig b/init/Kconfig +index 34407f15e6d3..461ad575a608 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION + module verification, kexec image verification and firmware blob + verification. + ++config SYSTEM_BLACKLIST_KEYRING ++ bool "Provide system-wide ring of blacklisted keys" ++ depends on KEYS ++ help ++ Provide a system keyring to which blacklisted keys can be added. ++ Keys in the keyring are considered entirely untrusted. Keys in this ++ keyring are used by the module signature checking to reject loading ++ of modules signed with a blacklisted key. ++ + config PROFILING + bool "Profiling support" + help +-- +2.9.3 + |