Re: [PATCH] cert: Add kconfig dependency for validate_trust

Wed, 24 Feb 2021 02:55:23 -0800 

How about these changes?

I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.

I've also added kerneldoc comments and moved the functions so that they're not
in the middle of the blacklist-specific stuff.

I'm not sure uefi_revocation_list_x509() needs conditionalising as the
optimiser should just inline it if SYSTEM_REVOCATION_LIST=n (assuming __init
doesn't disable inlining).

David
---
diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..76e469b56a77 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
          wrapper to incorporate the list into the kernel.  Each <hash> should
          be a string of hex digits.
 
+config SYSTEM_REVOCATION_LIST
+       bool "Provide system-wide ring of revocation certificates"
+       depends on SYSTEM_BLACKLIST_KEYRING
+       depends on PKCS7_MESSAGE_PARSER=y
+       help
+         If set, this allows revocation certificates to be stored in the
+         blacklist keyring and implements a hook whereby a PKCS#7 message can
+         be checked to see if it matches such a certificate.
+
 endmenu
diff --git a/certs/blacklist.c b/certs/blacklist.c
index e9f5fc632f0d..2b8644123d5f 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -101,38 +101,6 @@ int mark_hash_blacklisted(const char *hash)
        return 0;
 }
 
-int add_key_to_revocation_list(const char *data, size_t size)
-{
-       key_ref_t key;
-
-       key = key_create_or_update(make_key_ref(blacklist_keyring, true),
-                                  "asymmetric",
-                                  NULL,
-                                  data,
-                                  size,
-                                  ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 
KEY_USR_VIEW),
-                                  KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
-
-       if (IS_ERR(key)) {
-               pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
-               return PTR_ERR(key);
-       }
-
-       return 0;
-}
-
-int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
-{
-       int ret;
-
-       ret = validate_trust(pkcs7, blacklist_keyring);
-
-       if (ret == 0)
-               return -EKEYREJECTED;
-
-       return -ENOKEY;
-}
-
 /**
  * is_hash_blacklisted - Determine if a hash is blacklisted
  * @hash: The hash to be checked as a binary blob
@@ -177,6 +145,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
 }
 EXPORT_SYMBOL_GPL(is_binary_blacklisted);
 
+#ifdef CONFIG_SYSTEM_REVOCATION_LIST
+/**
+ * add_key_to_revocation_list - Add a revocation certificate to the blacklist
+ * @data: The data blob containing the certificate
+ * @size: The size of data blob
+ */
+int add_key_to_revocation_list(const char *data, size_t size)
+{
+       key_ref_t key;
+
+       key = key_create_or_update(make_key_ref(blacklist_keyring, true),
+                                  "asymmetric",
+                                  NULL,
+                                  data,
+                                  size,
+                                  ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 
KEY_USR_VIEW),
+                                  KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
+
+       if (IS_ERR(key)) {
+               pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
+               return PTR_ERR(key);
+       }
+
+       return 0;
+}
+
+/**
+ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is 
revoked
+ * @pkcs7: The PKCS#7 message to check
+ */
+int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
+{
+       int ret;
+
+       ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
+
+       if (ret == 0)
+               return -EKEYREJECTED;
+
+       return -ENOKEY;
+}
+#endif
+
 /*
  * Initialise the blacklist
  */
diff --git a/certs/blacklist.h b/certs/blacklist.h
index 420bb7c86e07..51b320cf8574 100644
--- a/certs/blacklist.h
+++ b/certs/blacklist.h
@@ -3,13 +3,3 @@
 #include <crypto/pkcs7.h>
 
 extern const char __initconst *const blacklist_hashes[];
-
-#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
-#define validate_trust pkcs7_validate_trust
-#else
-static inline int validate_trust(struct pkcs7_message *pkcs7,
-                                struct key *trust_keyring)
-{
-       return -ENOKEY;
-}
-#endif
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 61f98739e8b1..875e002a4180 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -34,11 +34,9 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 extern struct pkcs7_message *pkcs7;
 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 extern int mark_hash_blacklisted(const char *hash);
-extern int add_key_to_revocation_list(const char *data, size_t size);
 extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
                               const char *type);
 extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
-extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
 #else
 static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
                                      const char *type)
@@ -50,6 +48,12 @@ static inline int is_binary_blacklisted(const u8 *hash, 
size_t hash_len)
 {
        return 0;
 }
+#endif
+
+#ifdef CONFIG_SYSTEM_REVOCATION_LIST
+extern int add_key_to_revocation_list(const char *data, size_t size);
+extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
+#else
 static inline int add_key_to_revocation_list(const char *data, size_t size)
 {
        return 0;

Reply via email to