diff options
author | Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com> | 2015-11-24 16:18:05 -0500 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2016-02-26 15:30:20 +0000 |
commit | c4c36105958576fee87d2c75f4b69b6e5bbde772 (patch) | |
tree | f4a8451b1471c4f87fab76f8aa613c5dc402ad8c /certs | |
parent | 5d06ee20b662a78417245714fc576cba90e6374f (diff) | |
download | linux-stable-c4c36105958576fee87d2c75f4b69b6e5bbde772.tar.gz linux-stable-c4c36105958576fee87d2c75f4b69b6e5bbde772.tar.bz2 linux-stable-c4c36105958576fee87d2c75f4b69b6e5bbde772.zip |
KEYS: Reserve an extra certificate symbol for inserting without recompiling
Place a system_extra_cert buffer of configurable size, right after the
system_certificate_list, so that inserted keys can be readily processed by
the existing mechanism. Added script takes a key file and a kernel image
and inserts its contents to the reserved area. The
system_certificate_list_size is also adjusted accordingly.
Call the script as:
scripts/insert-sys-cert -b <vmlinux> -c <certfile>
If vmlinux has no symbol table, supply System.map file with -s flag.
Subsequent runs replace the previously inserted key, instead of appending
the new one.
Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'certs')
-rw-r--r-- | certs/Kconfig | 16 | ||||
-rw-r--r-- | certs/system_certificates.S | 12 |
2 files changed, 28 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index b030b9c7ed34..f0f8a4433685 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS form of DER-encoded *.x509 files in the top-level build directory, those are no longer used. You will need to set this option instead. +config SYSTEM_EXTRA_CERTIFICATE + bool "Reserve area for inserting a certificate without recompiling" + depends on SYSTEM_TRUSTED_KEYRING + help + If set, space for an extra certificate will be reserved in the kernel + image. This allows introducing a trusted certificate to the default + system keyring without recompiling the kernel. + +config SYSTEM_EXTRA_CERTIFICATE_SIZE + int "Number of bytes to reserve for the extra certificate" + depends on SYSTEM_EXTRA_CERTIFICATE + default 4096 + help + This is the number of bytes reserved in the kernel image for a + certificate to be inserted. + endmenu diff --git a/certs/system_certificates.S b/certs/system_certificates.S index 9216e8c81764..f82e1b22eac4 100644 --- a/certs/system_certificates.S +++ b/certs/system_certificates.S @@ -13,6 +13,18 @@ __cert_list_start: .incbin "certs/x509_certificate_list" __cert_list_end: +#ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE + .globl VMLINUX_SYMBOL(system_extra_cert) + .size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE +VMLINUX_SYMBOL(system_extra_cert): + .fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0 + + .globl VMLINUX_SYMBOL(system_extra_cert_used) +VMLINUX_SYMBOL(system_extra_cert_used): + .int 0 + +#endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */ + .align 8 .globl VMLINUX_SYMBOL(system_certificate_list_size) VMLINUX_SYMBOL(system_certificate_list_size): |