[PATCH 4.14 16/89] Replace magic for trusting the secondary keyring with #define

From: Greg Kroah-Hartman
Date: Fri Sep 07 2018 - 17:26:05 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 17/89] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 15/89] mailbox: xgene-slimpro: Fix potential NULL pointer dereference"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 15/89] mailbox: xgene-slimpro: Fix potential NULL pointer dereference"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 17/89] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>

commit 817aef260037f33ee0f44c17fe341323d3aebd6d upstream.

Replace the use of a magic number that indicates that verify_*_signature()
should use the secondary keyring with a symbol.

Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Cc: keyrings@xxxxxxxxxxxxxxx
Cc: linux-security-module@xxxxxxxxxxxxxxx
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
certs/system_keyring.c | 3 ++-
crypto/asymmetric_keys/pkcs7_key_type.c | 2 +-
include/linux/verification.h | 6 ++++++
3 files changed, 9 insertions(+), 2 deletions(-)

--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -15,6 +15,7 @@
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/slab.h>
+#include <linux/verification.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
@@ -230,7 +231,7 @@ int verify_pkcs7_signature(const void *d

if (!trusted_keys) {
trusted_keys = builtin_trusted_keys;
- } else if (trusted_keys == (void *)1UL) {
+ } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
trusted_keys = secondary_trusted_keys;
#else
--- a/crypto/asymmetric_keys/pkcs7_key_type.c
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_pre

return verify_pkcs7_signature(NULL, 0,
prep->data, prep->datalen,
- (void *)1UL, usage,
+ VERIFY_USE_SECONDARY_KEYRING, usage,
pkcs7_view_content, prep);
}

--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -13,6 +13,12 @@
#define _LINUX_VERIFICATION_H

/*
+ * Indicate that both builtin trusted keys and secondary trusted keys
+ * should be used.
+ */
+#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
+
+/*
* The use to which an asymmetric key is being put.
*/
enum key_being_used_for {

Next message: Greg Kroah-Hartman: "[PATCH 4.14 17/89] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 15/89] mailbox: xgene-slimpro: Fix potential NULL pointer dereference"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 15/89] mailbox: xgene-slimpro: Fix potential NULL pointer dereference"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 17/89] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]