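--- a/digsig.c
+++ b/digsig.c
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (C) 2011 Intel Corporation
  *
  * Author:
  * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  */
 
@@ -25,16 +25,17 @@
 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
  "_evm",
  "_ima",
 #else
  ".evm",
  ".ima",
 #endif
  ".platform",
+ ".machine",
 };
 
 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
 #else
 #define restrict_link_to_ima restrict_link_by_builtin_trusted
 #endif
 
@@ -121,31 +122,39 @@
 int __init integrity_init_keyring(const unsigned int id)
 {
  struct key_restriction *restriction;
  key_perm_t perm;
 
  perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
  | KEY_USR_READ | KEY_USR_SEARCH;
 
- if (id == INTEGRITY_KEYRING_PLATFORM) {
+ if (id == INTEGRITY_KEYRING_PLATFORM ||
+ id == INTEGRITY_KEYRING_MACHINE) {
  restriction = NULL;
  goto out;
  }
 
  if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
  return 0;
 
  restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
  if (!restriction)
  return -ENOMEM;
 
  restriction->check = restrict_link_to_ima;
- perm |= KEY_USR_WRITE;
 
+ /*
+ * MOK keys can only be added through a read-only runtime services
+ * UEFI variable during boot. No additional keys shall be allowed to
+ * load into the machine keyring following init from userspace.
+ */
+ if (id != INTEGRITY_KEYRING_MACHINE)
+ perm |= KEY_USR_WRITE;
+
 out:
  return __integrity_init_keyring(id, perm, restriction);
 }
 
 static int __init integrity_add_key(const unsigned int id, const void *data,
  off_t size, key_perm_t perm)
 {
  key_ref_t key;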
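Review bot: The `if (id != INTEGRITY_KEYRING_MACHINE)` guard at new line 150 can never be false, because the widened branch at new lines 130-133 already sends INTEGRITY_KEYRING_MACHINE to `out` with `restriction = NULL` before this statement is reached. The machine keyring does end up without KEY_USR_WRITE, but through that early exit rather than through the commented check, so the MOK comment sits beside code that does not enforce it. Either move the comment up to the early-exit branch and keep `perm |= KEY_USR_WRITE;` unconditional, or extend the comment with `* The early exit above already skips this for the machine keyring; the check stays as a guard in case that exit is narrowed.` Since the machine keyring gets no link restriction in this function, the absent write permission is the only barrier to userspace additions visible here, which is worth stating once at the place where it is enforced.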