TechPanelGM/kernel_xiaomi_sm8250
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

KEYS: Reserve an extra certificate symbol for inserting without recompiling

Browse Source 
Place a system_extra_cert buffer of configurable size, right after the
system_certificate_list, so that inserted keys can be readily processed by
the existing mechanism. Added script takes a key file and a kernel image
and inserts its contents to the reserved area. The
system_certificate_list_size is also adjusted accordingly.

Call the script as:

    scripts/insert-sys-cert -b <vmlinux> -c <certfile>

If vmlinux has no symbol table, supply System.map file with -s flag.
Subsequent runs replace the previously inserted key, instead of appending
the new one.

Signed-off-by: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mehmet Kayaalp
2015-11-24 16:18:05 -05:00
committed by David Howells
parent 5d06ee20b6
commit c4c3610595
5 changed files with 440 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
certs/Kconfig
View File

@@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS
form of DER-encoded *.x509 files in the top-level build directory,
those are no longer used. You will need to set this option instead.
config SYSTEM_EXTRA_CERTIFICATE
bool "Reserve area for inserting a certificate without recompiling"
depends on SYSTEM_TRUSTED_KEYRING
help
If set, space for an extra certificate will be reserved in the kernel
image. This allows introducing a trusted certificate to the default
system keyring without recompiling the kernel.
config SYSTEM_EXTRA_CERTIFICATE_SIZE
int "Number of bytes to reserve for the extra certificate"
depends on SYSTEM_EXTRA_CERTIFICATE
default 4096
help
This is the number of bytes reserved in the kernel image for a
certificate to be inserted.
endmenu

12
certs/system_certificates.S
View File

@@ -13,6 +13,18 @@ __cert_list_start:
.incbin "certs/x509_certificate_list"
__cert_list_end:
#ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE
.globl VMLINUX_SYMBOL(system_extra_cert)
.size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE
VMLINUX_SYMBOL(system_extra_cert):
.fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0
.globl VMLINUX_SYMBOL(system_extra_cert_used)
VMLINUX_SYMBOL(system_extra_cert_used):
.int 0
#endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */
.align 8
.globl VMLINUX_SYMBOL(system_certificate_list_size)
VMLINUX_SYMBOL(system_certificate_list_size):