| Message ID | 1570497267-13672-7-git-send-email-nayna@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | powerpc: Enabling IMA arch specific secure boot policies | expand |
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote: > The existing is_hash_blacklisted() function returns -EKEYREJECTED > error code for both the blacklisted keys and binaries. > > This patch adds a wrapper function is_binary_blacklisted() to check > against binary hashes and returns -EPERM. > > Signed-off-by: Nayna Jain <nayna@linux.ibm.com> This patch description describes what you're doing, not the motivation. Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > --- > certs/blacklist.c | 9 +++++++++ > include/keys/system_keyring.h | 6 ++++++ > 2 files changed, 15 insertions(+) > > diff --git a/certs/blacklist.c b/certs/blacklist.c > index ec00bf337eb6..6514f9ebc943 100644 > --- a/certs/blacklist.c > +++ b/certs/blacklist.c > @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) > } > EXPORT_SYMBOL_GPL(is_hash_blacklisted); > > +int is_binary_blacklisted(const u8 *hash, size_t hash_len) > +{ > + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) > + return -EPERM; > + > + return 0; > +} > +EXPORT_SYMBOL_GPL(is_binary_blacklisted); > + > /* > * Initialise the blacklist > */ > diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h > index c1a96fdf598b..fb8b07daa9d1 100644 > --- a/include/keys/system_keyring.h > +++ b/include/keys/system_keyring.h > @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted( > extern int mark_hash_blacklisted(const char *hash); > extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, > const char *type); > +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); > #else > static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, > const char *type) > { > return 0; > } > + > +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) > +{ > + return 0; > +} > #endif > > #ifdef CONFIG_IMA_BLACKLIST_KEYRING
diff --git a/certs/blacklist.c b/certs/blacklist.c index ec00bf337eb6..6514f9ebc943 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) } EXPORT_SYMBOL_GPL(is_hash_blacklisted); +int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) + return -EPERM; + + return 0; +} +EXPORT_SYMBOL_GPL(is_binary_blacklisted); + /* * Initialise the blacklist */ diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index c1a96fdf598b..fb8b07daa9d1 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted( extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type); +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) { return 0; } + +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + return 0; +} #endif #ifdef CONFIG_IMA_BLACKLIST_KEYRING
The existing is_hash_blacklisted() function returns -EKEYREJECTED error code for both the blacklisted keys and binaries. This patch adds a wrapper function is_binary_blacklisted() to check against binary hashes and returns -EPERM. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> --- certs/blacklist.c | 9 +++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 15 insertions(+)