From 59cc26afc5a95e48342b24d95b388e463b58e779 Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Wed, 3 Mar 2021 08:44:20 +0100
Subject: [PATCH] certs: Introduce search_trusted_key()

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

Introduce search_trusted_key() to extend the key search to the primary or
secondary built-in keyrings.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Tianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 certs/system_keyring.c       | 22 ++++++++++++++++++++++
 include/linux/verification.h |  5 +++++
 2 files changed, 27 insertions(+)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index c5514518ddd8..40f35834cd10 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -326,6 +326,28 @@ int verify_pkcs7_signature(const void *data, size_t len,
 }
 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
 
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+			       char *name)
+{
+	key_ref_t kref;
+
+	if (!trusted_keys) {
+		trusted_keys = builtin_trusted_keys;
+	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+		trusted_keys = secondary_trusted_keys;
+#else
+		trusted_keys = builtin_trusted_keys;
+#endif
+	}
+	kref = keyring_search(make_key_ref(trusted_keys, 1), type, name, true);
+	if (IS_ERR(kref))
+		return ERR_CAST(kref);
+
+	return key_ref_to_ptr(kref);
+}
+EXPORT_SYMBOL_GPL(search_trusted_key);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 
 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
diff --git a/include/linux/verification.h b/include/linux/verification.h
index 911ab7c2b1ab..65f6e5282275 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -8,6 +8,8 @@
 #ifndef _LINUX_VERIFICATION_H
 #define _LINUX_VERIFICATION_H
 
+#include <linux/key.h>
+
 /*
  * Indicate that both builtin trusted keys and secondary trusted keys
  * should be used.
@@ -58,5 +60,8 @@ extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
 				   enum key_being_used_for usage);
 #endif
 
+struct key *search_trusted_key(struct key *trusted_keys, struct key_type *type,
+			       char *name);
+
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 #endif /* _LINUX_VERIFY_PEFILE_H */
-- 
GitLab