On Fri, 2017-09-15 at 12:18 +0200, Johannes Berg wrote:
> 
> +config CFG80211_REQUIRE_SIGNED_REGDB
> +     bool "require regdb signature" if
> CFG80211_CERTIFICATION_ONUS
> +     default y
> +     select SYSTEM_DATA_VERIFICATION
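
Review bot: the new CFG80211_REQUIRE_SIGNED_REGDB entry, as quoted, has a prompt and a default but no help text. Because the prompt only appears under CFG80211_CERTIFICATION_ONUS and the option selects SYSTEM_DATA_VERIFICATION, a short help paragraph stating what the option enforces and what turning it off implies would make it self-explanatory in menuconfig.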

Note that this will not be easy to backport; however, the code only
needs relatively self-contained functionality, namely this:

> +       builtin_regdb_keys =
> +               keyring_alloc(".builtin_regdb_keys",
> +                             KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
> +                             ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
> +                             KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
> +                             KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
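
Review bot: keyring_alloc() returns an ERR_PTR on failure, and the quoted lines do not show builtin_regdb_keys being tested before it is used. An IS_ERR(builtin_regdb_keys) check that returns PTR_ERR() directly after this call would keep a failed allocation from reaching key_create_or_update() and verify_pkcs7_signature().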

> +               key = key_create_or_update(make_key_ref(builtin_regdb_keys, 
> 1),
> +                                          "asymmetric",
> +                                          NULL,
> +                                          p,
> +                                          plen,
> +                                          ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
> +                                          KEY_USR_VIEW | KEY_USR_READ),
> +                                          KEY_ALLOC_NOT_IN_QUOTA |
> +                                          KEY_ALLOC_BUILT_IN |
> +                                          KEY_ALLOC_BYPASS_RESTRICTION);
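
Review bot: KEY_ALLOC_BYPASS_RESTRICTION in the flags looks redundant here, since the keyring above is allocated with NULL for its restriction argument and so has no link restriction to bypass. Either drop the flag or add a one-line comment on why it is kept. The returned key reference should also be checked with IS_ERR() and released with key_ref_put() once the key is linked into the keyring.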

> +       if (verify_pkcs7_signature(db->data, db->size, sig->data, sig->size,
> +                                  builtin_regdb_keys,
> +                                  VERIFYING_UNSPECIFIED_SIGNATURE, NULL, 
> NULL))
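
Review bot: the if around verify_pkcs7_signature() tests only for a non-zero return, so the negative errno that says why verification failed is discarded. Storing the result in a local int and including it in the rejection message would make a missing key, a malformed signature and a mismatched signature distinguishable in the log.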

so I'm hoping it won't be too difficult, since we don't really need the
ability to manipulate keyrings etc.

johannes
