Provide API to load x509 certificates from the kernel into the integrity kernel keyrings.
Signed-off-by: Dmitry Kasatkin <[email protected]> --- security/integrity/Kconfig | 4 ++++ security/integrity/digsig.c | 37 +++++++++++++++++++++++++++++++++++++ security/integrity/integrity.h | 9 +++++++++ 3 files changed, 50 insertions(+) diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 1f000c4..63766fb 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -53,6 +53,10 @@ config INTEGRITY_AUDIT config INTEGRITY_FILE_READ def_bool n +config INTEGRITY_LOAD_X509 + select INTEGRITY_FILE_READ + def_bool n + source security/integrity/ima/Kconfig source security/integrity/evm/Kconfig diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 85d6662..63f66cc 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -104,6 +104,43 @@ out: } #endif +#ifdef CONFIG_INTEGRITY_LOAD_X509 +int integrity_load_x509(const unsigned int id, char *path) +{ + key_ref_t key; + char *data; + int rc; + + if (!keyring[id]) + return -EINVAL; + + rc = integrity_read_file(path, &data); + if (rc < 0) + return rc; + + key = key_create_or_update(make_key_ref(keyring[id], 1), + "asymmetric", + NULL, + data, + rc, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_TRUSTED); + if (IS_ERR(key)) { + rc = PTR_ERR(key); + pr_err("Problem loading X.509 certificate (%d): %s\n", + rc, path); + } else { + pr_notice("Loaded X.509 cert '%s': %s\n", + key_ref_to_ptr(key)->description, path); + key_ref_put(key); + } + kfree(data); + return 0; +} +#endif + int integrity_init_keyring(const unsigned int id) { const struct cred *cred = current_cred(); diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index f77de68..a4de3e3 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -158,6 +158,15 @@ static inline int asymmetric_verify(struct key *keyring, const char *sig, } #endif +#ifdef CONFIG_INTEGRITY_LOAD_X509 +int integrity_load_x509(const unsigned int id, char *path); +#else +static inline int integrity_load_x509(const unsigned int id, char *path) +{ + return 0; +} +#endif + #ifdef CONFIG_INTEGRITY_AUDIT /* declarations */ void integrity_audit_msg(int audit_msgno, struct inode *inode, -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
