linux-next: manual merge of the keys tree with the integrity tree

From: Stephen Rothwell
Date: Mon Apr 12 2021 - 03:09:07 EST


Hi all,

FIXME: Add owner of second tree to To:
Add author(s)/SOB of conflicting commits.

Today's linux-next merge of the keys tree got a conflict in:

certs/system_keyring.c

between commit:

6cbdfb3d91ba ("ima: enable loading of build time generated key on .ima keyring")

from the integrity tree and commit:

9536390dcc8c ("certs: Move load_system_certificate_list to a common function")

from the keys tree.

I fixed it up (see below) and can carry the fix as necessary. This
is now fixed as far as linux-next is concerned, but any non trivial
conflicts should be mentioned to your upstream maintainer when your tree
is submitted for merging. You may also want to consider cooperating
with the maintainer of the conflicting tree to minimise any particularly
complex conflicts.

--
Cheers,
Stephen Rothwell

diff --cc certs/system_keyring.c
index 2b3ad375ecc1,0c9a4795e847..000000000000
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@@ -133,88 -133,15 +134,36 @@@ static __init int system_trusted_keyrin
*/
device_initcall(system_trusted_keyring_init);

- static __init int load_cert(const u8 *p, const u8 *end, struct key *keyring)
- {
- key_ref_t key;
- size_t plen;
-
- while (p < end) {
- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
- * than 256 bytes in size.
- */
- if (end - p < 4)
- goto dodgy_cert;
- if (p[0] != 0x30 &&
- p[1] != 0x82)
- goto dodgy_cert;
- plen = (p[2] << 8) | p[3];
- plen += 4;
- if (plen > end - p)
- goto dodgy_cert;
-
- key = key_create_or_update(make_key_ref(keyring, 1),
- "asymmetric",
- NULL,
- p,
- plen,
- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
- KEY_USR_VIEW | KEY_USR_READ),
- KEY_ALLOC_NOT_IN_QUOTA |
- KEY_ALLOC_BUILT_IN |
- KEY_ALLOC_BYPASS_RESTRICTION);
- if (IS_ERR(key)) {
- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
- PTR_ERR(key));
- } else {
- pr_notice("Loaded X.509 cert '%s'\n",
- key_ref_to_ptr(key)->description);
- key_ref_put(key);
- }
- p += plen;
- }
-
- return 0;
-
- dodgy_cert:
- pr_err("Problem parsing in-kernel X.509 certificate list\n");
- return 0;
- }
-
+__init int load_module_cert(struct key *keyring)
+{
- const u8 *p, *end;
-
+ if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
+ return 0;
+
+ pr_notice("Loading compiled-in module X.509 certificates\n");
+
- p = system_certificate_list;
- end = p + module_cert_size;
-
- return load_cert(p, end, keyring);
++ return load_certificate_list(system_certificate_list, module_cert_size,
++ keyring);
+}
+
/*
* Load the compiled-in list of X.509 certificates.
*/
static __init int load_system_certificate_list(void)
{
- const u8 *p, *end;
++ const u8 *p;
+ unsigned long size;
+
pr_notice("Loading compiled-in X.509 certificates\n");

- return load_certificate_list(system_certificate_list, system_certificate_list_size,
- builtin_trusted_keys);
+#ifdef CONFIG_MODULE_SIG
+ p = system_certificate_list;
+ size = system_certificate_list_size;
+#else
+ p = system_certificate_list + module_cert_size;
+ size = system_certificate_list_size - module_cert_size;
+#endif
+
- end = p + size;
- return load_cert(p, end, builtin_trusted_keys);
++ return load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);

Attachment: pgpV4t8Kw7xoo.pgp
Description: OpenPGP digital signature