authorNayna Jain <nayna@linux.ibm.com>2021-04-09 10:35:07 -0400
committerMimi Zohar <zohar@linux.ibm.com>2021-04-09 10:40:20 -0400
commit6cbdfb3d91bab122033bd2ecae8c259cb6e4f7d0 (patch)
tree05c396347eaa59a17fe6819603f6eacc1cd546f9 /certs/system_certificates.S
parent0165f4ca223b04bb032095753fadd28816dc435f (diff)
ima: enable loading of build time generated key on .ima keyring
The kernel currently only loads the kernel module signing key onto the builtin trusted keyring. Load the module signing key onto the IMA keyring as well. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Acked-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'certs/system_certificates.S')
-rw-r--r--certs/system_certificates.S13
1 files changed, 12 insertions, 1 deletions
diff --git a/certs/system_certificates.S b/certs/system_certificates.S
index 8f29058adf93c..dcad27ea85274 100644
--- a/certs/system_certificates.S
+++ b/certs/system_certificates.S
@@ -8,9 +8,11 @@
.globl system_certificate_list
system_certificate_list:
__cert_list_start:
-#ifdef CONFIG_MODULE_SIG
+__module_cert_start:
+#if defined(CONFIG_MODULE_SIG) || defined(CONFIG_IMA_APPRAISE_MODSIG)
.incbin "certs/signing_key.x509"
#endif
+__module_cert_end:
.incbin "certs/x509_certificate_list"
__cert_list_end:
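Review bot: With the guard widened to `CONFIG_IMA_APPRAISE_MODSIG`, the `.incbin "certs/signing_key.x509"` line now needs that file to exist in builds where `CONFIG_MODULE_SIG` is off, and nothing in this file guarantees it; the rule that generates the file is not on this page (the diffstat is limited to this file), so it is worth confirming that the new option triggers it too. The `__module_cert_start`/`__module_cert_end` labels also deserve a comment, because they now decide exactly which bytes become trusted for IMA appraisal, for example `/* build-time signing cert only; the range is empty when neither option is set */`. Keeping both labels outside the `#if` is right for linking, but it means the range can legitimately be zero bytes long.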
@@ -35,3 +37,12 @@ system_certificate_list_size:
#else
.long __cert_list_end - __cert_list_start
#endif
+
+ .align 8
+ .globl module_cert_size
+module_cert_size:
+#ifdef CONFIG_64BIT
+ .quad __module_cert_end - __module_cert_start
+#else
+ .long __module_cert_end - __module_cert_start
+#endif
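Review bot: `module_cert_size` is exported without a comment, and it can be 0 because the two labels it subtracts sit outside the `#if` in the first hunk; the code that loads this range onto the .ima keyring should skip the load when the size is 0 rather than pass an empty buffer to the certificate parser. I would add a line above the `.globl`, something like `/* size of the build-time signing cert; 0 if it is not built in */`. The `.quad`/`.long` split under `CONFIG_64BIT` assumes the C side declares the symbol as `unsigned long`, presumably like `system_certificate_list_size`; that declaration is not on this page and should be checked. The hunk opens inside the preceding `#ifdef` block, whose start lies outside the hunk.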