[RFC v2 17/20] PCI/CMA: Support built in X.509 certificates


 



Support building the X.509 certificates into the CMA certificate store.
This allows certificates to be built into the kernel which can be used
to authenticate PCIe devices via SPDM.

Signed-off-by: Alistair Francis <alistair@xxxxxxxxxxxxx>
---
 drivers/pci/cma.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c
index 59558714f143..381d8f32a5a7 100644
--- a/drivers/pci/cma.c
+++ b/drivers/pci/cma.c
@@ -24,6 +24,10 @@
 /* Keyring that userspace can poke certs into */
 static struct key *pci_cma_keyring;
 
+extern __initconst const u8 system_certificate_list[];
+extern __initconst const unsigned long system_certificate_list_size;
+extern __initconst const unsigned long module_cert_size;
+
 /*
  * The spdm_requester.c library calls pci_cma_validate() to check requirements
  * for Leaf Certificates per PCIe r6.1 sec 6.31.3.
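Review bot: The three `extern` declarations are written locally in cma.c instead of coming from a header shared with the file that defines the symbols, so the compiler cannot catch a type or qualifier mismatch if the definition ever changes. Declaring them once in a common header and including it here would keep the two in step. The hunk also shows no Kconfig dependency that guarantees the symbols are linked in; if the certificate list is only built together with the system trusted keyring (not visible here), CMA needs a matching `depends on` or `select` to avoid an unresolved symbol in some configurations.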
@@ -222,8 +226,31 @@ void pci_cma_destroy(struct pci_dev *pdev)
 	spdm_destroy(pdev->spdm_state);
 }
 
+/*
+ * Load the compiled-in list of X.509 certificates.
+ */
+static int load_system_certificate_list(void)
+{
+	const u8 *p;
+	unsigned long size;
+
+	pr_notice("Loading compiled-in X.509 certificates for CMA\n");
+
+#ifdef CONFIG_MODULE_SIG
+	p = system_certificate_list;
+	size = system_certificate_list_size;
+#else
+	p = system_certificate_list + module_cert_size;
+	size = system_certificate_list_size - module_cert_size;
+#endif
+
+	return x509_load_certificate_list(p, size, pci_cma_keyring);
+}
+
 __init static int pci_cma_keyring_init(void)
 {
+	int rc;
+
 	pci_cma_keyring = keyring_alloc(".cma", KUIDT_INIT(0), KGIDT_INIT(0),
 					current_cred(),
 					(KEY_POS_ALL & ~KEY_POS_SETATTR) |
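Review bot: `load_system_certificate_list()` reads data declared `__initconst` but is not itself marked `__init`, which normally produces a section-mismatch warning and leaves a non-init function referring to memory that is discarded after boot; its only visible caller is the `__init` function `pci_cma_keyring_init()`, so `static int __init load_system_certificate_list(void)` fits. The header comment should also state the trust consequence: in the `CONFIG_MODULE_SIG` branch the whole list is loaded, so, assuming the first `module_cert_size` bytes are the module signing certificate as the `#else` arithmetic suggests, that certificate becomes a trust anchor for SPDM device authentication as well. If that is not intended, skip `module_cert_size` unconditionally; either way document it, e.g. `/* Every certificate loaded here is trusted as a root for PCIe device authentication. */`. `pci_cma_keyring_init()` begins in this hunk and continues past its end.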
@@ -236,6 +263,10 @@ __init static int pci_cma_keyring_init(void)
 		return PTR_ERR(pci_cma_keyring);
 	}
 
+	rc = load_system_certificate_list();
+	if (rc)
+		return rc;
+
 	return 0;
 }
 arch_initcall(pci_cma_keyring_init);
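Review bot: The added `if (rc) return rc;` followed by `return 0;` can be written as `return load_system_certificate_list();`, and it is worth checking whether the check can ever fire. `x509_load_certificate_list()` is not shown here, but as far as I recall it logs a parse or load failure and still returns 0. If so, a certificate that fails to load is silently missing from `.cma` and authentication against it fails later with no error at init; a comment stating that load failures are only logged would help whoever debugs that. If a non-zero return is possible, note that the keyring allocated earlier in this function stays in place on that path. The start of `pci_cma_keyring_init()` is outside this hunk.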
-- 
2.48.1




