From: Stefan Berger <stefanb@linux.ibm.com>
To: Patrick Uiterwijk <patrick@puiterwijk.org>,
peterhuewe@gmx.de, jarkko@kernel.org, jgg@ziepe.ca,
zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
linux-integrity@vger.kernel.org
Cc: pbrobinson@gmail.com, kgold@linux.ibm.com
Subject: Re: [PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert
Date: Fri, 26 Feb 2021 16:04:50 -0500 [thread overview]
Message-ID: <69c59b37-a45c-493f-6b86-e324d4dd6f9f@linux.ibm.com> (raw)
In-Reply-To: <20210225203229.363302-3-patrick@puiterwijk.org>
On 2/25/21 3:32 PM, Patrick Uiterwijk wrote:
> Allows passing flags for key_create_or_update via
> integrity_load_cert.
>
> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> security/integrity/digsig.c | 11 ++++++-----
> security/integrity/integrity.h | 6 ++++--
> security/integrity/platform_certs/platform_keyring.c | 2 +-
> 3 files changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 250fb0836156..93203c767b57 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -144,7 +144,7 @@ int __init integrity_init_keyring(const unsigned int id)
> }
>
> static int __init integrity_add_key(const unsigned int id, const void *data,
> - off_t size, key_perm_t perm)
> + off_t size, key_perm_t perm, unsigned long flags)
> {
> key_ref_t key;
> int rc = 0;
> @@ -154,7 +154,7 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
>
> key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
> NULL, data, size, perm,
> - KEY_ALLOC_NOT_IN_QUOTA);
> + flags | KEY_ALLOC_NOT_IN_QUOTA);
> if (IS_ERR(key)) {
> rc = PTR_ERR(key);
> pr_err("Problem loading X.509 certificate %d\n", rc);
> @@ -186,18 +186,19 @@ int __init integrity_load_x509(const unsigned int id, const char *path)
> perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
>
> pr_info("Loading X.509 certificate: %s\n", path);
> - rc = integrity_add_key(id, (const void *)data, size, perm);
> + rc = integrity_add_key(id, (const void *)data, size, perm, 0);
>
> vfree(data);
> return rc;
> }
>
> int __init integrity_load_cert(const unsigned int id, const char *source,
> - const void *data, size_t len, key_perm_t perm)
> + const void *data, size_t len, key_perm_t perm,
> + unsigned long flags)
> {
> if (!data)
> return -EINVAL;
>
> pr_info("Loading X.509 certificate: %s\n", source);
> - return integrity_add_key(id, data, len, perm);
> + return integrity_add_key(id, data, len, perm, flags);
> }
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index 547425c20e11..1194ff71a1c1 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -166,7 +166,8 @@ int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
> int __init integrity_init_keyring(const unsigned int id);
> int __init integrity_load_x509(const unsigned int id, const char *path);
> int __init integrity_load_cert(const unsigned int id, const char *source,
> - const void *data, size_t len, key_perm_t perm);
> + const void *data, size_t len, key_perm_t perm,
> + unsigned long flags);
> #else
>
> static inline int integrity_digsig_verify(const unsigned int id,
> @@ -190,7 +191,8 @@ static inline int integrity_init_keyring(const unsigned int id)
> static inline int __init integrity_load_cert(const unsigned int id,
> const char *source,
> const void *data, size_t len,
> - key_perm_t perm)
> + key_perm_t perm,
> + unsigned long flags)
> {
> return 0;
> }
> diff --git a/security/integrity/platform_certs/platform_keyring.c b/security/integrity/platform_certs/platform_keyring.c
> index bcafd7387729..131462c826b5 100644
> --- a/security/integrity/platform_certs/platform_keyring.c
> +++ b/security/integrity/platform_certs/platform_keyring.c
> @@ -32,7 +32,7 @@ void __init add_to_platform_keyring(const char *source, const void *data,
> perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
>
> rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len,
> - perm);
> + perm, 0);
> if (rc)
> pr_info("Error adding keys to platform keyring %s\n", source);
> }
next prev parent reply other threads:[~2021-02-26 21:05 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 20:32 [PATCH 0/3] Load keys from TPM2 NV Index on IMA keyring Patrick Uiterwijk
2021-02-25 20:32 ` [PATCH 1/3] tpm: Add support for reading a TPM NV Index Patrick Uiterwijk
2021-02-25 21:50 ` Stefan Berger
2021-02-26 1:09 ` Jarkko Sakkinen
2021-02-25 20:32 ` [PATCH 2/3] integrity: Allow specifying flags in integrity_load_cert Patrick Uiterwijk
2021-02-26 21:04 ` Stefan Berger [this message]
2021-02-25 20:32 ` [PATCH 3/3] integrity: Load keys from TPM NV onto IMA keyring Patrick Uiterwijk
2021-02-26 21:47 ` Stefan Berger
2021-02-26 21:51 ` Stefan Berger
2021-02-25 21:50 ` [PATCH 0/3] Load keys from TPM2 NV Index on " James Bottomley
2021-02-26 21:45 ` Ken Goldman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69c59b37-a45c-493f-6b86-e324d4dd6f9f@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jarkko@kernel.org \
--cc=jgg@ziepe.ca \
--cc=kgold@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=pbrobinson@gmail.com \
--cc=peterhuewe@gmx.de \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).