[PATCH 04/16] integrity: Allow digital signature verification with a given keyring ptr

[Vivek Goyal]

Currently digital signature verification code assumes that it can be
used only with 3 keyrings. IMA, EVM and MODULE keyring. Provide another
variant where one can pass in a pointer to keyring (struct key *), and
integrity code can try to find key in that keyring and verify signature.

This will be useful at two places.

- elf binary loader can use system keyring and call into integrity
  subsystem for signature verification.
- In later patches I am extending keyctl() to allow signature of
  a user buffer against specified keyring. That logic can make use
  of this code too.

Signed-off-by: Vivek Goyal <vgo...@redhat.com>
---
 security/integrity/digsig.c    | 26 ++++++++++++++++----------
 security/integrity/integrity.h |  9 +++++++++
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 160fec7..f1259bd 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -44,6 +44,20 @@ int integrity_get_digsig_size(char *sig)
        return -EBADMSG;
 }
 
+int integrity_digsig_verify_keyring(struct key *keyring, const char *sig,
+                       int siglen, const char *digest, int digestlen)
+{
+       switch (sig[0]) {
+       case 1:
+               return digsig_verify(keyring, sig, siglen,
+                                    digest, digestlen);
+       case 2:
+               return asymmetric_verify(keyring, sig, siglen,
+                                        digest, digestlen);
+       }
+       return -EOPNOTSUPP;
+}
+
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
                                        const char *digest, int digestlen)
 {
@@ -61,14 +75,6 @@ int integrity_digsig_verify(const unsigned int id, const 
char *sig, int siglen,
                }
        }
 
-       switch (sig[0]) {
-       case 1:
-               return digsig_verify(keyring[id], sig, siglen,
-                                    digest, digestlen);
-       case 2:
-               return asymmetric_verify(keyring[id], sig, siglen,
-                                        digest, digestlen);
-       }
-
-       return -EOPNOTSUPP;
+       return integrity_digsig_verify_keyring(keyring[id], sig, siglen,
+                                               digest, digestlen);
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 4246417..130eb3b 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -101,6 +101,8 @@ struct integrity_iint_cache *integrity_iint_find(struct 
inode *inode);
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
                                        const char *digest, int digestlen);
+int integrity_digsig_verify_keyring(struct key *keyring, const char *sig,
+                       int siglen, const char *digest, int digestlen);
 extern int integrity_get_digsig_size(char *sig);
 
 #else
@@ -112,6 +114,13 @@ static inline int integrity_digsig_verify(const unsigned 
int id,
        return -EOPNOTSUPP;
 }
 
+static inline int integrity_digsig_verify_keyring(struct key *keyring,
+                       const char *sig, int siglen, const char *digest,
+                       int digestlen)
+{
+       return -EOPNOTSUPP;
+}
+
 static inline int integrity_get_digsig_size(char *sig) { return -EOPNOTSUPP; }
 
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
-- 
1.8.3.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/