diff mbox series

[v7,06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca

Message ID 20211116001545.2639333-7-eric.snowberg@oracle.com (mailing list archive)
State New
Headers show
Series Enroll kernel keys thru MOK | expand

Commit Message

Eric Snowberg Nov. 16, 2021, 12:15 a.m. UTC 
Set the restriction check for INTEGRITY_KEYRING_MACHINE keys to
restrict_link_by_ca.  This will only allow CA keys into the machine
keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
v1: Initial version
v2: Added !IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING check so mok
    keyring gets created even when it isn't enabled
v3: Rename restrict_link_by_system_trusted_or_ca to restrict_link_by_ca
v4: removed unnecessary restriction->check set
v5: Rename to machine keyring
v6: split line over 80 char (suggested by Mimi)
v7: Unmodified from v6
---
 security/integrity/digsig.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

kernel test robot Nov. 23, 2021, 2:09 a.m. UTC | #1 
Hi Eric,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on fa55b7dcdc43c1aa1ba12bca9d2dd4318c2a0dbf]

url:    https://github.com/0day-ci/linux/commits/Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20211116-082323
base:   fa55b7dcdc43c1aa1ba12bca9d2dd4318c2a0dbf
config: arm-randconfig-c002-20211118 (attached as .config)
compiler: arm-linux-gnueabi-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/37da84e92e00618ed2df4af65f5c07b16d6a04c0
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20211116-082323
        git checkout 37da84e92e00618ed2df4af65f5c07b16d6a04c0
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=arm SHELL=/bin/bash

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   arm-linux-gnueabi-ld: security/integrity/digsig.o: in function `integrity_init_keyring':
>> digsig.c:(.init.text+0xdc): undefined reference to `restrict_link_by_ca'
>> arm-linux-gnueabi-ld: digsig.c:(.init.text+0xe0): undefined reference to `restrict_link_by_ca'

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff mbox series

Patch

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 910fe29a5037..e7dfc55a7c55 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -132,14 +132,18 @@  int __init integrity_init_keyring(const unsigned int id)
 		goto out;
 	}
 
-	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
+	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING) &&
+	    id != INTEGRITY_KEYRING_MACHINE)
 		return 0;
 
 	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
 	if (!restriction)
 		return -ENOMEM;
 
-	restriction->check = restrict_link_to_ima;
+	if (id == INTEGRITY_KEYRING_MACHINE)
+		restriction->check = restrict_link_by_ca;
+	else
+		restriction->check = restrict_link_to_ima;
 
 	/*
 	 * No additional keys shall be allowed to load into the machine