From c4c36105958576fee87d2c75f4b69b6e5bbde772 Mon Sep 17 00:00:00 2001
From: Mehmet Kayaalp
Date: Tue, 24 Nov 2015 16:18:05 -0500
Subject: KEYS: Reserve an extra certificate symbol for inserting without recompiling

Place a system_extra_cert buffer of configurable size, right after the system_certificate_list, so that inserted keys can be readily processed by the existing mechanism.

Added script takes a key file and a kernel image and inserts its contents to the reserved area. The system_certificate_list_size is also adjusted accordingly.

Call the script as: scripts/insert-sys-cert -b -c

If vmlinux has no symbol table, supply System.map file with -s flag.

Subsequent runs replace the previously inserted key, instead of appending the new one.

Signed-off-by: Mehmet Kayaalp
Signed-off-by: David Howells
Acked-by: Mimi Zohar
---
 certs/Kconfig | 16 ++++++++++++++++
 certs/system_certificates.S | 12 ++++++++++++
 2 files changed, 28 insertions(+)
(limited to 'certs')

diff --git a/certs/Kconfig b/certs/Kconfig
index b030b9c7ed34..f0f8a4433685 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -39,4 +39,20 @@ config SYSTEM_TRUSTED_KEYS
 form of DER-encoded *.x509 files in the top-level build directory,
 those are no longer used. You will need to set this option instead.
 
+config SYSTEM_EXTRA_CERTIFICATE
+ bool "Reserve area for inserting a certificate without recompiling"
+ depends on SYSTEM_TRUSTED_KEYRING
+ help
+ If set, space for an extra certificate will be reserved in the kernel
+ image. This allows introducing a trusted certificate to the default
+ system keyring without recompiling the kernel.
+
+config SYSTEM_EXTRA_CERTIFICATE_SIZE
+ int "Number of bytes to reserve for the extra certificate"
+ depends on SYSTEM_EXTRA_CERTIFICATE
+ default 4096
+ help
+ This is the number of bytes reserved in the kernel image for a
+ certificate to be inserted.
+
 endmenu
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index 9216e8c81764..f82e1b22eac4 100644
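Review bot: SYSTEM_EXTRA_CERTIFICATE_SIZE is an unbounded `int`, so a configured value of 0 or a negative number is accepted by Kconfig and flows straight into the `.fill` in certs/system_certificates.S, where it would reserve nothing or, presumably, fail to assemble; add a `range` line under `default 4096`, e.g. `range 1 1048576` (constructed bound, pick the largest certificate size the loader is meant to accept). The help text for SYSTEM_EXTRA_CERTIFICATE also omits the consequence that matters to whoever deploys this: whatever is written into the reserved area becomes a trusted key on the system keyring, so image integrity protection has to cover the area after insertion. I would add to that help: `Anything inserted into this area is trusted by the system keyring, so sign or measure the kernel image only after the certificate has been inserted.`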
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -13,6 +13,18 @@
 __cert_list_start:
 .incbin "certs/x509_certificate_list"
 __cert_list_end:
+#ifdef CONFIG_SYSTEM_EXTRA_CERTIFICATE
+ .globl VMLINUX_SYMBOL(system_extra_cert)
+ .size system_extra_cert, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE
+VMLINUX_SYMBOL(system_extra_cert):
+ .fill CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE, 1, 0
+
+ .globl VMLINUX_SYMBOL(system_extra_cert_used)
+VMLINUX_SYMBOL(system_extra_cert_used):
+ .int 0
+
+#endif /* CONFIG_SYSTEM_EXTRA_CERTIFICATE */
+
 .align 8
 .globl VMLINUX_SYMBOL(system_certificate_list_size)
 VMLINUX_SYMBOL(system_certificate_list_size):
--
cgit v1.2.3
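Review bot: The `.size` directive names the bare `system_extra_cert`, while the label itself is emitted through `VMLINUX_SYMBOL(system_extra_cert)`; on configurations where VMLINUX_SYMBOL prepends a symbol prefix the two names differ and the size is attached to a symbol that is never defined, so it should read `.size VMLINUX_SYMBOL(system_extra_cert), CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE`. `system_extra_cert_used` is an `.int` placed directly after a fill of user-configured length with no alignment directive, so its alignment depends on CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE; if anything reads it as a native int, an `.align 4` before that label would make the read safe for any configured size — no reader is visible in this hunk, so confirm against the consumers. For symmetry with the buffer, `.size VMLINUX_SYMBOL(system_extra_cert_used), 4` would also let tooling that inspects the image tell the flag apart from the surrounding data. The section directive governing this data is outside the hunk.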