From: Roberto Sassu <roberto.sassu@xxxxxxxxxx> Preload PGP keys from 'pubring.gpg', placed in certs/ of the kernel source directory. Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx> --- certs/Kconfig | 11 +++++++++++ certs/Makefile | 7 +++++++ certs/system_certificates.S | 18 ++++++++++++++++++ certs/system_keyring.c | 23 +++++++++++++++++++++++ 4 files changed, 59 insertions(+) diff --git a/certs/Kconfig b/certs/Kconfig index 78307dc25559..9b7ece1e45fa 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -154,4 +154,15 @@ config SYSTEM_BLACKLIST_AUTH_UPDATE keyring. The PKCS#7 signature of the description is set in the key payload. Blacklist keys cannot be removed. +config PGP_PRELOAD_PUBLIC_KEYS + bool "Preload PGP public keys" + depends on SYSTEM_TRUSTED_KEYRING + select PGP_PRELOAD + default n + help + Load at boot time the PGP public keys from a reserved area (populated + with the content of 'certs/pubring.gpg' provided at kernel build + time), and add them to the built-in keyring. Invalid keys are ignored + and the loading continues. + endmenu diff --git a/certs/Makefile b/certs/Makefile index 1094e3860c2a..7a3d68441e09 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -31,6 +31,13 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE $(call if_changed,extract_certs) +ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS +ifeq ($(shell ls $(srctree)/certs/pubring.gpg 2> /dev/null), $(srctree)/certs/pubring.gpg) +AFLAGS_system_certificates.o := -DHAVE_PUBRING_GPG +$(obj)/system_certificates.o: $(srctree)/certs/pubring.gpg +endif +endif + targets += x509_certificate_list # If module signing is requested, say by allyesconfig, but a key has not been diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 003e25d4a17e..b3cbf0811e3f 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -44,3 +44,21 @@ module_cert_size: #else .long __module_cert_end - __module_cert_start #endif + + .align 8 + .globl pgp_public_keys +pgp_public_keys: +__pgp_key_list_start: +#ifdef HAVE_PUBRING_GPG + .incbin "certs/pubring.gpg" +#endif +__pgp_key_list_end: + + .align 8 + .globl pgp_public_keys_size +pgp_public_keys_size: +#ifdef CONFIG_64BIT + .quad __pgp_key_list_end - __pgp_key_list_start +#else + .long __pgp_key_list_end - __pgp_key_list_start +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index db0fde36a71b..7b4c1dfa7fb3 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -32,6 +32,10 @@ static struct key *platform_trusted_keys; extern __initconst const u8 system_certificate_list[]; extern __initconst const unsigned long system_certificate_list_size; extern __initconst const unsigned long module_cert_size; +#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS +extern __initconst const u8 pgp_public_keys[]; +extern __initconst const unsigned long pgp_public_keys_size; +#endif /** * restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA @@ -268,6 +272,15 @@ __init int load_module_cert(struct key *keyring) if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) return 0; +#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS + pr_notice("Load PGP public keys to keyring %s\n", keyring->description); + + if (preload_pgp_keys(pgp_public_keys, + pgp_public_keys_size, + keyring) < 0) + pr_err("Can't load PGP public keys\n"); +#endif + pr_notice("Loading compiled-in module X.509 certificates\n"); return x509_load_certificate_list(system_certificate_list, @@ -292,6 +305,16 @@ static __init int load_system_certificate_list(void) size = system_certificate_list_size - module_cert_size; #endif +#ifdef CONFIG_PGP_PRELOAD_PUBLIC_KEYS + pr_notice("Load PGP public keys to keyring %s\n", + builtin_trusted_keys->description); + + if (preload_pgp_keys(pgp_public_keys, + pgp_public_keys_size, + builtin_trusted_keys) < 0) + pr_err("Can't load PGP public keys\n"); +#endif + return x509_load_certificate_list(p, size, builtin_trusted_keys); } late_initcall(load_system_certificate_list); -- 2.34.1