4 年之前 · 72d6f5d982
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -3,7 +3,7 @@
 
				 # Makefile for the linux kernel signature checking certificates.
			
 
				 #
			
 
				 
			
 
				-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
			
 
				+obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
			
 
				 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
			
 
				 ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
			
 
				 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
			
--- a/certs/common.c
+++ b/certs/common.c
@@ -0,0 +1,57 @@
 
				+// SPDX-License-Identifier: GPL-2.0-or-later
			
 
				+
			
 
				+#include <linux/kernel.h>
			
 
				+#include <linux/key.h>
			
 
				+#include "common.h"
			
 
				+
			
 
				+int load_certificate_list(const u8 cert_list[],
			
 
				+			  const unsigned long list_size,
			
 
				+			  const struct key *keyring)
			
 
				+{
			
 
				+	key_ref_t key;
			
 
				+	const u8 *p, *end;
			
 
				+	size_t plen;
			
 
				+
			
 
				+	p = cert_list;
			
 
				+	end = p + list_size;
			
 
				+	while (p < end) {
			
 
				+		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
			
 
				+		 * than 256 bytes in size.
			
 
				+		 */
			
 
				+		if (end - p < 4)
			
 
				+			goto dodgy_cert;
			
 
				+		if (p[0] != 0x30 &&
			
 
				+		    p[1] != 0x82)
			
 
				+			goto dodgy_cert;
			
 
				+		plen = (p[2] << 8) | p[3];
			
 
				+		plen += 4;
			
 
				+		if (plen > end - p)
			
 
				+			goto dodgy_cert;
			
 
				+
			
 
				+		key = key_create_or_update(make_key_ref(keyring, 1),
			
 
				+					   "asymmetric",
			
 
				+					   NULL,
			
 
				+					   p,
			
 
				+					   plen,
			
 
				+					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
			
 
				+					   KEY_USR_VIEW | KEY_USR_READ),
			
 
				+					   KEY_ALLOC_NOT_IN_QUOTA |
			
 
				+					   KEY_ALLOC_BUILT_IN |
			
 
				+					   KEY_ALLOC_BYPASS_RESTRICTION);
			
 
				+		if (IS_ERR(key)) {
			
 
				+			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
			
 
				+			       PTR_ERR(key));
			
 
				+		} else {
			
 
				+			pr_notice("Loaded X.509 cert '%s'\n",
			
 
				+				  key_ref_to_ptr(key)->description);
			
 
				+			key_ref_put(key);
			
 
				+		}
			
 
				+		p += plen;
			
 
				+	}
			
 
				+
			
 
				+	return 0;
			
 
				+
			
 
				+dodgy_cert:
			
 
				+	pr_err("Problem parsing in-kernel X.509 certificate list\n");
			
 
				+	return 0;
			
 
				+}
			
--- a/certs/common.h
+++ b/certs/common.h
@@ -0,0 +1,9 @@
 
				+/* SPDX-License-Identifier: GPL-2.0-or-later */
			
 
				+
			
 
				+#ifndef _CERT_COMMON_H
			
 
				+#define _CERT_COMMON_H
			
 
				+
			
 
				+int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
			
 
				+			  const struct key *keyring);
			
 
				+
			
 
				+#endif
			
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -15,6 +15,7 @@
 
				 #include <keys/asymmetric-type.h>
			
 
				 #include <keys/system_keyring.h>
			
 
				 #include <crypto/pkcs7.h>
			
 
				+#include "common.h"
			
 
				 
			
 
				 static struct key *builtin_trusted_keys;
			
 
				 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
			
@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init);
 
				  */
			
 
				 static __init int load_system_certificate_list(void)
			
 
				 {
			
 
				-	key_ref_t key;
			
 
				-	const u8 *p, *end;
			
 
				-	size_t plen;
			
 
				-
			
 
				 	pr_notice("Loading compiled-in X.509 certificates\n");
			
 
				 
			
 
				-	p = system_certificate_list;
			
 
				-	end = p + system_certificate_list_size;
			
 
				-	while (p < end) {
			
 
				-		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
			
 
				-		 * than 256 bytes in size.
			
 
				-		 */
			
 
				-		if (end - p < 4)
			
 
				-			goto dodgy_cert;
			
 
				-		if (p[0] != 0x30 &&
			
 
				-		    p[1] != 0x82)
			
 
				-			goto dodgy_cert;
			
 
				-		plen = (p[2] << 8) | p[3];
			
 
				-		plen += 4;
			
 
				-		if (plen > end - p)
			
 
				-			goto dodgy_cert;
			
 
				-
			
 
				-		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
			
 
				-					   "asymmetric",
			
 
				-					   NULL,
			
 
				-					   p,
			
 
				-					   plen,
			
 
				-					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
			
 
				-					   KEY_USR_VIEW | KEY_USR_READ),
			
 
				-					   KEY_ALLOC_NOT_IN_QUOTA |
			
 
				-					   KEY_ALLOC_BUILT_IN |
			
 
				-					   KEY_ALLOC_BYPASS_RESTRICTION);
			
 
				-		if (IS_ERR(key)) {
			
 
				-			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
			
 
				-			       PTR_ERR(key));
			
 
				-		} else {
			
 
				-			pr_notice("Loaded X.509 cert '%s'\n",
			
 
				-				  key_ref_to_ptr(key)->description);
			
 
				-			key_ref_put(key);
			
 
				-		}
			
 
				-		p += plen;
			
 
				-	}
			
 
				-
			
 
				-	return 0;
			
 
				-
			
 
				-dodgy_cert:
			
 
				-	pr_err("Problem parsing in-kernel X.509 certificate list\n");
			
 
				-	return 0;
			
 
				+	return load_certificate_list(system_certificate_list, system_certificate_list_size,
			
 
				+				     builtin_trusted_keys);
			
 
				 }
			
 
				 late_initcall(load_system_certificate_list);