028db3e290
This reverts merge 0f75ef6a9cff49ff612f7ce0578bced9d0b38325 (and thus effectively commits 7a1ade847596 ("keys: Provide KEYCTL_GRANT_PERMISSION") 2e12256b9a76 ("keys: Replace uid/gid/perm permissions checking with an ACL") that the merge brought in). It turns out that it breaks booting with an encrypted volume, and Eric biggers reports that it also breaks the fscrypt tests [1] and loading of in-kernel X.509 certificates [2]. The root cause of all the breakage is likely the same, but David Howells is off email so rather than try to work it out it's getting reverted in order to not impact the rest of the merge window. [1] https://lore.kernel.org/lkml/20190710011559.GA7973@sol.localdomain/ [2] https://lore.kernel.org/lkml/20190710013225.GB7973@sol.localdomain/ Link: https://lore.kernel.org/lkml/CAHk-=wjxoeMJfeBahnWH=9zShKp2bsVy527vo3_y8HfOdhwAAw@mail.gmail.com/ Reported-by: Eric Biggers <ebiggers@kernel.org> Cc: David Howells <dhowells@redhat.com> Cc: James Morris <jmorris@namei.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
59 lines
1.3 KiB
C
59 lines
1.3 KiB
C
// SPDX-License-Identifier: GPL-2.0+
|
|
/*
|
|
* Platform keyring for firmware/platform keys
|
|
*
|
|
* Copyright IBM Corporation, 2018
|
|
* Author(s): Nayna Jain <nayna@linux.ibm.com>
|
|
*/
|
|
|
|
#include <linux/export.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/err.h>
|
|
#include <linux/slab.h>
|
|
#include "../integrity.h"
|
|
|
|
/**
|
|
* add_to_platform_keyring - Add to platform keyring without validation.
|
|
* @source: Source of key
|
|
* @data: The blob holding the key
|
|
* @len: The length of the data blob
|
|
*
|
|
* Add a key to the platform keyring without checking its trust chain. This
|
|
* is available only during kernel initialisation.
|
|
*/
|
|
void __init add_to_platform_keyring(const char *source, const void *data,
|
|
size_t len)
|
|
{
|
|
key_perm_t perm;
|
|
int rc;
|
|
|
|
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
|
|
|
|
rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len,
|
|
perm);
|
|
if (rc)
|
|
pr_info("Error adding keys to platform keyring %s\n", source);
|
|
}
|
|
|
|
/*
|
|
* Create the trusted keyrings.
|
|
*/
|
|
static __init int platform_keyring_init(void)
|
|
{
|
|
int rc;
|
|
|
|
rc = integrity_init_keyring(INTEGRITY_KEYRING_PLATFORM);
|
|
if (rc)
|
|
return rc;
|
|
|
|
pr_notice("Platform Keyring initialized\n");
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Must be initialised before we try and load the keys into the keyring.
|
|
*/
|
|
device_initcall(platform_keyring_init);
|