1
linux/security/integrity/platform_certs/platform_keyring.c
Linus Torvalds 028db3e290 Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
This reverts merge 0f75ef6a9c (and thus
effectively commits

   7a1ade8475 ("keys: Provide KEYCTL_GRANT_PERMISSION")
   2e12256b9a ("keys: Replace uid/gid/perm permissions checking with an ACL")

that the merge brought in).

It turns out that it breaks booting with an encrypted volume, and Eric
biggers reports that it also breaks the fscrypt tests [1] and loading of
in-kernel X.509 certificates [2].

The root cause of all the breakage is likely the same, but David Howells
is off email so rather than try to work it out it's getting reverted in
order to not impact the rest of the merge window.

 [1] https://lore.kernel.org/lkml/20190710011559.GA7973@sol.localdomain/
 [2] https://lore.kernel.org/lkml/20190710013225.GB7973@sol.localdomain/

Link: https://lore.kernel.org/lkml/CAHk-=wjxoeMJfeBahnWH=9zShKp2bsVy527vo3_y8HfOdhwAAw@mail.gmail.com/
Reported-by: Eric Biggers <ebiggers@kernel.org>
Cc: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-10 18:43:43 -07:00

59 lines
1.3 KiB
C

// SPDX-License-Identifier: GPL-2.0+
/*
* Platform keyring for firmware/platform keys
*
* Copyright IBM Corporation, 2018
* Author(s): Nayna Jain <nayna@linux.ibm.com>
*/
#include <linux/export.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/slab.h>
#include "../integrity.h"
/**
* add_to_platform_keyring - Add to platform keyring without validation.
* @source: Source of key
* @data: The blob holding the key
* @len: The length of the data blob
*
* Add a key to the platform keyring without checking its trust chain. This
* is available only during kernel initialisation.
*/
void __init add_to_platform_keyring(const char *source, const void *data,
size_t len)
{
key_perm_t perm;
int rc;
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
rc = integrity_load_cert(INTEGRITY_KEYRING_PLATFORM, source, data, len,
perm);
if (rc)
pr_info("Error adding keys to platform keyring %s\n", source);
}
/*
* Create the trusted keyrings.
*/
static __init int platform_keyring_init(void)
{
int rc;
rc = integrity_init_keyring(INTEGRITY_KEYRING_PLATFORM);
if (rc)
return rc;
pr_notice("Platform Keyring initialized\n");
return 0;
}
/*
* Must be initialised before we try and load the keys into the keyring.
*/
device_initcall(platform_keyring_init);