From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Paul Moore" <paul@paul-moore.com>,
"James Morris" <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Günther Noack" <gnoack@google.com>,
"Dr. David Alan Gilbert" <linux@treblig.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
James.Bottomley@HansenPartnership.com, dhowells@redhat.com,
"Fan Wu" <wufan@kernel.org>,
"Ryan Foster" <foster.ryan.r@gmail.com>,
"Randy Dunlap" <rdunlap@infradead.org>,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH v3 1/9] crypto: pkcs7: add flag for validated trust on a signed info block
Date: Wed, 25 Mar 2026 23:06:30 -0700 [thread overview]
Message-ID: <20260326060655.2550595-2-bboscaccy@linux.microsoft.com> (raw)
In-Reply-To: <20260326060655.2550595-1-bboscaccy@linux.microsoft.com>
From: James Bottomley <James.Bottomley@HansenPartnership.com>
Allow consumers of struct pkcs7_message to tell if any of the sinfo
fields has passed a trust validation. Note that this does not happen
in parsing, pkcs7_validate_trust() must be explicitly called or called
via validate_pkcs7_trust(). Since the way to get this trusted pkcs7
object is via verify_pkcs7_message_sig, export that so modules can use
it.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
---
certs/system_keyring.c | 1 +
crypto/asymmetric_keys/pkcs7_parser.h | 1 +
crypto/asymmetric_keys/pkcs7_trust.c | 1 +
3 files changed, 3 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index e0761436ec7f4..9bda49295bd02 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -380,6 +380,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
pr_devel("<==%s() = %d\n", __func__, ret);
return ret;
}
+EXPORT_SYMBOL(verify_pkcs7_message_sig);
/**
* verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index 6ef9f335bb17f..203062a33def6 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -20,6 +20,7 @@ struct pkcs7_signed_info {
unsigned index;
bool unsupported_crypto; /* T if not usable due to missing crypto */
bool blacklisted;
+ bool verified; /* T if this signer has validated trust */
/* Message digest - the digest of the Content Data (or NULL) */
const void *msgdigest;
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index 9a87c34ed1733..78ebfb6373b61 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -127,6 +127,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
for (p = sinfo->signer; p != x509; p = p->signer)
p->verified = true;
}
+ sinfo->verified = true;
kleave(" = 0");
return 0;
}
--
2.53.0
next prev parent reply other threads:[~2026-03-26 6:07 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-26 6:06 [PATCH v3 0/9] Reintrodce Hornet LSM Blaise Boscaccy
2026-03-26 6:06 ` Blaise Boscaccy [this message]
2026-03-26 6:06 ` [PATCH v3 2/9] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2026-03-26 6:06 ` [PATCH v3 3/9] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2026-03-26 6:06 ` [PATCH v3 4/9] lsm: framework for BPF integrity verification Blaise Boscaccy
2026-03-27 16:46 ` Song Liu
2026-03-27 17:54 ` Blaise Boscaccy
2026-03-27 18:24 ` Song Liu
2026-03-26 6:06 ` [PATCH v3 5/9] lsm: security: Add additional enum values for bpf integrity checks Blaise Boscaccy
2026-03-26 6:06 ` [PATCH v3 6/9] security: Hornet LSM Blaise Boscaccy
2026-03-28 2:55 ` kernel test robot
2026-03-26 6:06 ` [PATCH v3 7/9] hornet: Introduce gen_sig Blaise Boscaccy
2026-03-26 6:06 ` [PATCH v3 8/9] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2026-03-26 6:06 ` [PATCH v3 9/9] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260326060655.2550595-2-bboscaccy@linux.microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=akpm@linux-foundation.org \
--cc=bpf@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=dhowells@redhat.com \
--cc=foster.ryan.r@gmail.com \
--cc=gnoack@google.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@treblig.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=rdunlap@infradead.org \
--cc=serge@hallyn.com \
--cc=wufan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox