Hi all, Today's linux-next merge of the keys tree got a conflict in: certs/system_keyring.c between commit: df73a4001959 ("ima: enable loading of build time generated key on .ima keyring") from the integrity tree and commit: 9536390dcc8c ("certs: Move load_system_certificate_list to a common function") from the keys tree. I fixed it up (I think - see below) and can carry the fix as necessary. This is now fixed as far as linux-next is concerned, but any non trivial conflicts should be mentioned to your upstream maintainer when your tree is submitted for merging. You may also want to consider cooperating with the maintainer of the conflicting tree to minimise any particularly complex conflicts. -- Cheers, Stephen Rothwell diff --cc certs/system_keyring.c index bb122bf4cc17,0c9a4795e847..000000000000 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@@ -133,85 -133,15 +134,34 @@@ static __init int system_trusted_keyrin */ device_initcall(system_trusted_keyring_init); - static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring) - { - key_ref_t key; - size_t plen; - - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(keyring, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - - dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; - } - +__init int load_module_cert(struct key *keyring) +{ - const u8 *p, *end; - + if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG)) + return 0; + + pr_notice("Loading compiled-in module X.509 certificates\n"); + - p = system_certificate_list; - end = p + module_cert_size; - - return load_cert(p, end, keyring); ++ return load_certificate_list(system_certificate_list, module_cert_size, ++ keyring); +} + /* * Load the compiled-in list of X.509 certificates. */ static __init int load_system_certificate_list(void) { - const u8 *p, *end; ++ const u8 *p; + pr_notice("Loading compiled-in X.509 certificates\n"); - return load_certificate_list(system_certificate_list, system_certificate_list_size, +#ifdef CONFIG_MODULE_SIG + p = system_certificate_list; +#else + p = system_certificate_list + module_cert_size; +#endif + - end = p + system_certificate_list_size; - return load_cert(p, end, builtin_trusted_keys); ++ return load_certificate_list(p, system_certificate_list_size, + builtin_trusted_keys); } late_initcall(load_system_certificate_list);
Attachment:
pgpo5yDYVBrP8.pgp
Description: OpenPGP digital signature