1. 11 Apr, 2016 9 commits
    • David Howells's avatar
      certs: Add a secondary system keyring that can be added to dynamically · d3bfe841
      David Howells authored
      Add a secondary system keyring that can be added to by root whilst the
      system is running - provided the key being added is vouched for by a key
      built into the kernel or already added to the secondary keyring.
      
      Rename .system_keyring to .builtin_trusted_keys to distinguish it more
      obviously from the new keyring (called .secondary_trusted_keys).
      
      The new keyring needs to be enabled with CONFIG_SECONDARY_TRUSTED_KEYRING.
      
      If the secondary keyring is enabled, a link is created from that to
      .builtin_trusted_keys so that the the latter will automatically be searched
      too if the secondary keyring is searched.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d3bfe841
    • David Howells's avatar
      KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED · 77f68bac
      David Howells authored
      Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED as they're no longer
      meaningful.  Also we can drop the trusted flag from the preparse structure.
      
      Given this, we no longer need to pass the key flags through to
      restrict_link().
      
      Further, we can now get rid of keyring_restrict_trusted_only() also.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      77f68bac
    • David Howells's avatar
      KEYS: Move the point of trust determination to __key_link() · a511e1af
      David Howells authored
      Move the point at which a key is determined to be trustworthy to
      __key_link() so that we use the contents of the keyring being linked in to
      to determine whether the key being linked in is trusted or not.
      
      What is 'trusted' then becomes a matter of what's in the keyring.
      
      Currently, the test is done when the key is parsed, but given that at that
      point we can only sensibly refer to the contents of the system trusted
      keyring, we can only use that as the basis for working out the
      trustworthiness of a new key.
      
      With this change, a trusted keyring is a set of keys that once the
      trusted-only flag is set cannot be added to except by verification through
      one of the contained keys.
      
      Further, adding a key into a trusted keyring, whilst it might grant
      trustworthiness in the context of that keyring, does not automatically
      grant trustworthiness in the context of a second keyring to which it could
      be secondarily linked.
      
      To accomplish this, the authentication data associated with the key source
      must now be retained.  For an X.509 cert, this means the contents of the
      AuthorityKeyIdentifier and the signature data.
      
      
      If system keyrings are disabled then restrict_link_by_builtin_trusted()
      resolves to restrict_link_reject().  The integrity digital signature code
      still works correctly with this as it was previously using
      KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
      is no system keyring against which trust can be determined.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a511e1af
    • David Howells's avatar
      KEYS: Make the system trusted keyring depend on the asymmetric key type · 99716b7c
      David Howells authored
      Make the system trusted keyring depend on the asymmetric key type as
      there's not a lot of point having it if you can't then load asymmetric keys
      onto it.
      
      This requires the ASYMMETRIC_KEY_TYPE to be made a bool, not a tristate, as
      the Kconfig language doesn't then correctly force ASYMMETRIC_KEY_TYPE to
      'y' rather than 'm' if SYSTEM_TRUSTED_KEYRING is 'y'.
      
      Making SYSTEM_TRUSTED_KEYRING *select* ASYMMETRIC_KEY_TYPE instead doesn't
      work as the Kconfig interpreter then wrongly complains about dependency
      loops.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      99716b7c
    • David Howells's avatar
      X.509: Move the trust validation code out to its own file · cfb664ff
      David Howells authored
      Move the X.509 trust validation code out to its own file so that it can be
      generalised.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cfb664ff
    • David Howells's avatar
      X.509: Use verify_signature() if we have a struct key * to use · 5f7f5c81
      David Howells authored
      We should call verify_signature() rather than directly calling
      public_key_verify_signature() if we have a struct key to use as we
      shouldn't be poking around in the private data of the key struct as that's
      subtype dependent.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      5f7f5c81
    • David Howells's avatar
      KEYS: Generalise x509_request_asymmetric_key() · 9eb02989
      David Howells authored
      Generalise x509_request_asymmetric_key().  It doesn't really have any
      dependencies on X.509 features as it uses generalised IDs and the
      public_key structs that contain data extracted from X.509.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      9eb02989
    • David Howells's avatar
      KEYS: Move x509_request_asymmetric_key() to asymmetric_type.c · 983023f2
      David Howells authored
      Move x509_request_asymmetric_key() to asymmetric_type.c so that it can be
      generalised.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      983023f2
    • David Howells's avatar
      KEYS: Add a facility to restrict new links into a keyring · 5ac7eace
      David Howells authored
      Add a facility whereby proposed new links to be added to a keyring can be
      vetted, permitting them to be rejected if necessary.  This can be used to
      block public keys from which the signature cannot be verified or for which
      the signature verification fails.  It could also be used to provide
      blacklisting.
      
      This affects operations like add_key(), KEYCTL_LINK and KEYCTL_INSTANTIATE.
      
      To this end:
      
       (1) A function pointer is added to the key struct that, if set, points to
           the vetting function.  This is called as:
      
      	int (*restrict_link)(struct key *keyring,
      			     const struct key_type *key_type,
      			     unsigned long key_flags,
      			     const union key_payload *key_payload),
      
           where 'keyring' will be the keyring being added to, key_type and
           key_payload will describe the key being added and key_flags[*] can be
           AND'ed with KEY_FLAG_TRUSTED.
      
           [*] This parameter will be removed in a later patch when
           	 KEY_FLAG_TRUSTED is removed.
      
           The function should return 0 to allow the link to take place or an
           error (typically -ENOKEY, -ENOPKG or -EKEYREJECTED) to reject the
           link.
      
           The pointer should not be set directly, but rather should be set
           through keyring_alloc().
      
           Note that if called during add_key(), preparse is called before this
           method, but a key isn't actually allocated until after this function
           is called.
      
       (2) KEY_ALLOC_BYPASS_RESTRICTION is added.  This can be passed to
           key_create_or_update() or key_instantiate_and_link() to bypass the
           restriction check.
      
       (3) KEY_FLAG_TRUSTED_ONLY is removed.  The entire contents of a keyring
           with this restriction emplaced can be considered 'trustworthy' by
           virtue of being in the keyring when that keyring is consulted.
      
       (4) key_alloc() and keyring_alloc() take an extra argument that will be
           used to set restrict_link in the new key.  This ensures that the
           pointer is set before the key is published, thus preventing a window
           of unrestrictedness.  Normally this argument will be NULL.
      
       (5) As a temporary affair, keyring_restrict_trusted_only() is added.  It
           should be passed to keyring_alloc() as the extra argument instead of
           setting KEY_FLAG_TRUSTED_ONLY on a keyring.  This will be replaced in
           a later patch with functions that look in the appropriate places for
           authoritative keys.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      5ac7eace
  2. 06 Apr, 2016 9 commits
    • David Howells's avatar
      PKCS#7: Make trust determination dependent on contents of trust keyring · bda850cd
      David Howells authored
      Make the determination of the trustworthiness of a key dependent on whether
      a key that can verify it is present in the supplied ring of trusted keys
      rather than whether or not the verifying key has KEY_FLAG_TRUSTED set.
      
      verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust
      chain cannot be verified.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      bda850cd
    • David Howells's avatar
      KEYS: Generalise system_verify_data() to provide access to internal content · e68503bd
      David Howells authored
      Generalise system_verify_data() to provide access to internal content
      through a callback.  This allows all the PKCS#7 stuff to be hidden inside
      this function and removed from the PE file parser and the PKCS#7 test key.
      
      If external content is not required, NULL should be passed as data to the
      function.  If the callback is not required, that can be set to NULL.
      
      The function is now called verify_pkcs7_signature() to contrast with
      verify_pefile_signature() and the definitions of both have been moved into
      linux/verification.h along with the key_being_used_for enum.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      e68503bd
    • David Howells's avatar
      X.509: Fix self-signed determination · ad3043fd
      David Howells authored
      There's a bug in the code determining whether a certificate is self-signed
      or not: if they have neither AKID nor SKID then we just assume that the
      cert is self-signed, which may not be true.
      
      Fix this by checking that the raw subject name matches the raw issuer name
      and that the public key algorithm for the key and signature are both the
      same in addition to requiring that the AKID bits match.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      ad3043fd
    • David Howells's avatar
      X.509: Extract signature digest and make self-signed cert checks earlier · 6c2dc5ae
      David Howells authored
      Extract the signature digest for an X.509 certificate earlier, at the end
      of x509_cert_parse() rather than leaving it to the callers thereof since it
      has to be called anyway.
      
      Further, immediately after that, check the signature on self-signed
      certificates, also rather in the callers of x509_cert_parse().
      
      We note in the x509_certificate struct the following bits of information:
      
       (1) Whether the signature is self-signed (even if we can't check the
           signature due to missing crypto).
      
       (2) Whether the key held in the certificate needs unsupported crypto to be
           used.  We may get a PKCS#7 message with X.509 certs that we can't make
           use of - we just ignore them and give ENOPKG at the end it we couldn't
           verify anything if at least one of these unusable certs are in the
           chain of trust.
      
       (3) Whether the signature held in the certificate needs unsupported crypto
           to be checked.  We can still use the key held in this certificate,
           even if we can't check the signature on it - if it is held in the
           system trusted keyring, for instance.  We just can't add it to a ring
           of trusted keys or follow it further up the chain of trust.
      
      Making these checks earlier allows x509_check_signature() to be removed and
      replaced with direct calls to public_key_verify_signature().
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      6c2dc5ae
    • David Howells's avatar
      PKCS#7: Make the signature a pointer rather than embedding it · 566a117a
      David Howells authored
      Point to the public_key_signature struct from the pkcs7_signed_info struct
      rather than embedding it.  This makes the code consistent with the X.509
      signature handling and makes it possible to have a common cleanup function.
      
      We also save a copy of the digest in the signature without sharing the
      memory with the crypto layer metadata.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      566a117a
    • David Howells's avatar
      X.509: Retain the key verification data · 77d0910d
      David Howells authored
      Retain the key verification data (ie. the struct public_key_signature)
      including the digest and the key identifiers.
      
      Note that this means that we need to take a separate copy of the digest in
      x509_get_sig_params() rather than lumping it in with the crypto layer data.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      77d0910d
    • David Howells's avatar
      KEYS: Add identifier pointers to public_key_signature struct · a022ec02
      David Howells authored
      Add key identifier pointers to public_key_signature struct so that they can
      be used to retain the identifier of the key to be used to verify the
      signature in both PKCS#7 and X.509.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      a022ec02
    • David Howells's avatar
      KEYS: Allow authentication data to be stored in an asymmetric key · 3b764563
      David Howells authored
      Allow authentication data to be stored in an asymmetric key in the 4th
      element of the key payload and provide a way for it to be destroyed.
      
      For the public key subtype, this will be a public_key_signature struct.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      3b764563
    • David Howells's avatar
      X.509: Whitespace cleanup · 864e7a81
      David Howells authored
      Clean up some whitespace.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      864e7a81
  3. 03 Apr, 2016 5 commits
    • Linus Torvalds's avatar
      Linux 4.6-rc2 · 9735a227
      Linus Torvalds authored
      9735a227
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4c3b73c6
      Linus Torvalds authored
      Pull perf fixes from Ingo Molnar:
       "Misc kernel side fixes:
      
         - fix event leak
         - fix AMD PMU driver bug
         - fix core event handling bug
         - fix build bug on certain randconfigs
      
        Plus misc tooling fixes"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/amd/ibs: Fix pmu::stop() nesting
        perf/core: Don't leak event in the syscall error path
        perf/core: Fix time tracking bug with multiplexing
        perf jit: genelf makes assumptions about endian
        perf hists: Fix determination of a callchain node's childlessness
        perf tools: Add missing initialization of perf_sample.cpumode in synthesized samples
        perf tools: Fix build break on powerpc
        perf/x86: Move events_sysfs_show() outside CPU_SUP_INTEL
        perf bench: Fix detached tarball building due to missing 'perf bench memcpy' headers
        perf tests: Fix tarpkg build test error output redirection
      4c3b73c6
    • Linus Torvalds's avatar
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7b367f5d
      Linus Torvalds authored
      Pull core kernel fixes from Ingo Molnar:
       "This contains the nohz/atomic cleanup/fix for the fetch_or() ugliness
        you noted during the original nohz pull request, plus there's also
        misc fixes:
      
         - fix liblockdep build bug
         - fix uapi header build bug
         - print more lockdep hash collision info to help debug recent reports
           of hash collisions
         - update MAINTAINERS email address"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        MAINTAINERS: Update my email address
        locking/lockdep: Print chain_key collision information
        uapi/linux/stddef.h: Provide __always_inline to userspace headers
        tools/lib/lockdep: Fix unsupported 'basename -s' in run_tests.sh
        locking/atomic, sched: Unexport fetch_or()
        timers/nohz: Convert tick dependency mask to atomic_t
        locking/atomic: Introduce atomic_fetch_or()
      7b367f5d
    • Linus Torvalds's avatar
      v4l2-mc: avoid warning about unused variable · 17084b7e
      Linus Torvalds authored
      Commit 840f5b05 ("media: au0828 disable tuner to demod link in
      au0828_media_device_register()") removed all uses of the 'dtv_demod',
      but left the variable itself around.
      
      Remove it.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      17084b7e
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 30cebb6c
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
       "This lot contains:
      
         - Some fixups for the fallout of the topology consolidation which
           unearthed AMD/Intel inconsistencies
         - Documentation for the x86 topology management
         - Support for AMD advanced power management bits
         - Two simple cleanups removing duplicated code"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cpu: Add advanced power management bits
        x86/thread_info: Merge two !__ASSEMBLY__ sections
        x86/cpufreq: Remove duplicated TDP MSR macro definitions
        x86/Documentation: Start documenting x86 topology
        x86/cpu: Get rid of compute_unit_id
        perf/x86/amd: Cleanup Fam10h NB event constraints
        x86/topology: Fix AMD core count
      30cebb6c
  4. 02 Apr, 2016 8 commits
    • Linus Torvalds's avatar
      Merge tag 'rproc-v4.6-rc1' of git://github.com/andersson/remoteproc · f7eeb8a8
      Linus Torvalds authored
      Pull remoteproc fix from Bjorn Andersson:
       "Fix incorrect error check in the ST remoteproc driver and advertise
        the newly created linux-remoteproc mailing list"
      
      * tag 'rproc-v4.6-rc1' of git://github.com/andersson/remoteproc:
        MAINTAINERS: Add mailing list for remote processor subsystems
        remoteproc: st: fix check of syscon_regmap_lookup_by_phandle() return value
      f7eeb8a8
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · d6c24df0
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "This includes fixes from HCH for -rc1 configfs default_groups
        conversion changes that ended up breaking some iscsi-target
        default_groups, along with Sagi's ib_drain_qp() conversion for
        iser-target to use the common caller now available to RDMA kernel
        consumers in v4.6+ code"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        target: add a new add_wwn_groups fabrics method
        target: initialize the nacl base CIT begfore init_nodeacl
        target: remove ->fabric_cleanup_nodeacl
        iser-target: Use ib_drain_qp
      d6c24df0
    • Linus Torvalds's avatar
      Convert straggling drivers to new six-argument get_user_pages() · cb107161
      Linus Torvalds authored
      Commit d4edcf0d ("mm/gup: Switch all callers of get_user_pages() to
      not pass tsk/mm") switched get_user_pages() callers to the simpler model
      where they no longer pass in the thread and mm pointer.  But since then
      we've merged changes to a few drivers that re-introduce use of the old
      interface.  Let's fix them up.
      
      They continued to work fine (thanks to the truly disgusting macros
      introduced in commit cde70140: "mm/gup: Overload get_user_pages()
      functions"), but cause unnecessary build noise.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cb107161
    • Linus Torvalds's avatar
      Merge tag 'configfs-for-linus-2' of git://git.infradead.org/users/hch/configfs · 264800b5
      Linus Torvalds authored
      Pull configfs fix from Christoph Hellwig:
       "A trivial fix to the recently introduced binary attribute helper
        macros"
      
      * tag 'configfs-for-linus-2' of git://git.infradead.org/users/hch/configfs:
        configfs: fix CONFIGFS_BIN_ATTR_[RW]O definitions
      264800b5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 05cf8077
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Missing device reference in IPSEC input path results in crashes
          during device unregistration.  From Subash Abhinov Kasiviswanathan.
      
       2) Per-queue ISR register writes not being done properly in macb
          driver, from Cyrille Pitchen.
      
       3) Stats accounting bugs in bcmgenet, from Patri Gynther.
      
       4) Lightweight tunnel's TTL and TOS were swapped in netlink dumps, from
          Quentin Armitage.
      
       5) SXGBE driver has off-by-one in probe error paths, from Rasmus
          Villemoes.
      
       6) Fix race in save/swap/delete options in netfilter ipset, from
          Vishwanath Pai.
      
       7) Ageing time of bridge not set properly when not operating over a
          switchdev device.  Fix from Haishuang Yan.
      
       8) Fix GRO regression wrt nested FOU/GUE based tunnels, from Alexander
          Duyck.
      
       9) IPV6 UDP code bumps wrong stats, from Eric Dumazet.
      
      10) FEC driver should only access registers that actually exist on the
          given chipset, fix from Fabio Estevam.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
        net: mvneta: fix changing MTU when using per-cpu processing
        stmmac: fix MDIO settings
        Revert "stmmac: Fix 'eth0: No PHY found' regression"
        stmmac: fix TX normal DESC
        net: mvneta: use cache_line_size() to get cacheline size
        net: mvpp2: use cache_line_size() to get cacheline size
        net: mvpp2: fix maybe-uninitialized warning
        tun, bpf: fix suspicious RCU usage in tun_{attach, detach}_filter
        net: usb: cdc_ncm: adding Telit LE910 V2 mobile broadband card
        rtnl: fix msg size calculation in if_nlmsg_size()
        fec: Do not access unexisting register in Coldfire
        net: mvneta: replace MVNETA_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES
        net: mvpp2: replace MVPP2_CPU_D_CACHE_LINE_SIZE with L1_CACHE_BYTES
        net: dsa: mv88e6xxx: Clear the PDOWN bit on setup
        net: dsa: mv88e6xxx: Introduce _mv88e6xxx_phy_page_{read, write}
        bpf: make padding in bpf_tunnel_key explicit
        ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates
        bnxt_en: Fix ethtool -a reporting.
        bnxt_en: Fix typo in bnxt_hwrm_set_pause_common().
        bnxt_en: Implement proper firmware message padding.
        ...
      05cf8077
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · cf78031a
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of const updates for reset ops and a couple fixes to the
        newly introduced IPQ4019 clock driver"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: qcom: ipq4019: add some fixed clocks for ddrppl and fepll
        clk: qcom: ipq4019: switch remaining defines to enums
        clk: qcom: Make reset_control_ops const
        clk: tegra: Make reset_control_ops const
        clk: sunxi: Make reset_control_ops const
        clk: atlas7: Make reset_control_ops const
        clk: rockchip: Make reset_control_ops const
        clk: mmp: Make reset_control_ops const
        clk: mediatek: Make reset_control_ops const
      cf78031a
    • Linus Torvalds's avatar
      Merge tag 'pm+acpi-4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 1826907c
      Linus Torvalds authored
      Pull power management and ACPI fix from Rafael J. Wysocki:
       "Just one fix for a nasty boot failure on some systems based on Intel
        Skylake that shipped with broken firmware where enabling
        hardware-coordinated P-states management (HWP) causes a faulty
        interrupt handler in SMM to be invoked and crash the system (Srinivas
        Pandruvada)"
      
      * tag 'pm+acpi-4.6-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / processor: Request native thermal interrupt handling via _OSC
      1826907c
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 4e19fd93
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "11 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        .mailmap: add Christophe Ricard
        Make CONFIG_FHANDLE default y
        mm/page_isolation.c: fix the function comments
        oom, oom_reaper: do not enqueue task if it is on the oom_reaper_list head
        mm/page_isolation: fix tracepoint to mirror check function behavior
        mm/rmap: batched invalidations should use existing api
        x86/mm: TLB_REMOTE_SEND_IPI should count pages
        mm: fix invalid node in alloc_migrate_target()
        include/linux/huge_mm.h: return NULL instead of false for pmd_trans_huge_lock()
        mm, kasan: fix compilation for CONFIG_SLAB
        MAINTAINERS: orangefs mailing list is subscribers-only
      4e19fd93
  5. 01 Apr, 2016 9 commits