Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-21 19:41:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add comments to certificate management files

Browse Source 
Add comments to various files in the `certs` directory to explain their purpose and functionality.

* **`certs/blacklist_hashes.c`**
  - Add a comment at the top explaining the purpose of the `blacklist_hashes` array.
  - Add a comment above the `blacklist_hashes` array definition explaining its usage.

* **`certs/blacklist.c`**
  - Add a comment at the top explaining the purpose of the blacklist functionality.
  - Add comments above the `blacklist_vet_description`, `blacklist_key_instantiate`, `mark_raw_hash_blacklisted`, and `is_hash_blacklisted` functions explaining their purposes.

* **`certs/blacklist.h`**
  - Add a comment at the top explaining the purpose of the `blacklist_hashes` array.

* **`certs/check-blacklist-hashes.awk`**
  - Add a comment at the top explaining the purpose of the script.

* **`certs/extract-cert.c`**
  - Add a comment at the top explaining the purpose of the program.

* **`certs/Kconfig`**
  - Add a comment at the top explaining the purpose of the configuration options.

* **`certs/Makefile`**
  - Add a comment at the top explaining the purpose of the build process.

* **`certs/revocation_certificates.S`**
  - Add a comment at the top explaining the purpose of the revocation certificates.

* **`certs/system_certificates.S`**
  - Add a comment at the top explaining the purpose of the system certificates.

* **`certs/system_keyring.c`**
  - Add a comment at the top explaining the purpose of the system keyring.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/torvalds/linux?shareId=XXXX-XXXX-XXXX-XXXX).
This commit is contained in:
RaiseYI 2024-10-30 01:45:06 +08:00
parent e42b1a9a25
commit 37ce1ea208
10 changed files with 40 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
certs/Kconfig
View File

@ -1,4 +1,5 @@
# SPDX-License-Identifier: GPL-2.0 # SPDX-License-Identifier: GPL-2.0
# This file defines configuration options related to certificates, such as module signing keys, system trusted keyring, and system blacklist keyring.
menu "Certificates for signature checking" menu "Certificates for signature checking"
config MODULE_SIG_KEY config MODULE_SIG_KEY

1
certs/Makefile
View File

@ -2,6 +2,7 @@
# #
# Makefile for the linux kernel signature checking certificates. # Makefile for the linux kernel signature checking certificates.
# #
# This Makefile defines the build process for the certificate-related files, including generating keys, extracting certificates, and building the blacklist hashes.
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o blacklist_hashes.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o blacklist_hashes.o

11
certs/blacklist.c
View File

@ -1,8 +1,10 @@
// SPDX-License-Identifier: GPL-2.0-or-later // SPDX-License-Identifier: GPL-2.0-or-later
/* System hash blacklist. /* System hash blacklist.
* *
* Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
*
* This file implements the system hash blacklist functionality, including functions to mark hashes as blacklisted, check if a hash is blacklisted, and manage the blacklist keyring.
*/ */
#define pr_fmt(fmt) "blacklist: "fmt #define pr_fmt(fmt) "blacklist: "fmt
@ -43,6 +45,8 @@ extern __initconst const unsigned long revocation_certificate_list_size;
* The description must be a type prefix, a colon and then an even number of * The description must be a type prefix, a colon and then an even number of
* hex digits. The hash is kept in the description. * hex digits. The hash is kept in the description.
*/ */
/* This function vets the description of a blacklist key to ensure it follows the correct format. */
static int blacklist_vet_description(const char *desc) static int blacklist_vet_description(const char *desc)
{ {
int i, prefix_len, tbs_step = 0, bin_step = 0; int i, prefix_len, tbs_step = 0, bin_step = 0;
@ -83,6 +87,7 @@ found_colon:
return 0; return 0;
} }
/* This function instantiates a blacklist key, setting its permissions and verifying its signature if necessary. */
static int blacklist_key_instantiate(struct key *key, static int blacklist_key_instantiate(struct key *key,
struct key_preparsed_payload *prep) struct key_preparsed_payload *prep)
{ {
@ -178,6 +183,8 @@ static char *get_raw_hash(const u8 *hash, size_t hash_len,
/** /**
* mark_raw_hash_blacklisted - Add a hash to the system blacklist * mark_raw_hash_blacklisted - Add a hash to the system blacklist
* @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783") * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
*
* This function adds a raw hash to the system blacklist keyring.
*/ */
static int mark_raw_hash_blacklisted(const char *hash) static int mark_raw_hash_blacklisted(const char *hash)
{ {
@ -220,6 +227,8 @@ int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
* @hash: The hash to be checked as a binary blob * @hash: The hash to be checked as a binary blob
* @hash_len: The length of the binary hash * @hash_len: The length of the binary hash
* @hash_type: Type of hash * @hash_type: Type of hash
*
* This function checks if a given hash is present in the system blacklist.
*/ */
int is_hash_blacklisted(const u8 *hash, size_t hash_len, int is_hash_blacklisted(const u8 *hash, size_t hash_len,
enum blacklist_hash_type hash_type) enum blacklist_hash_type hash_type)

5
certs/blacklist.h
View File

@ -1,5 +1,10 @@
/* SPDX-License-Identifier: GPL-2.0 */
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <crypto/pkcs7.h> #include <crypto/pkcs7.h>
/* The `blacklist_hashes` array stores hashes of blacklisted certificates.
* These hashes are used to prevent the usage of certificates that are deemed untrusted or compromised.
*/
extern const char __initconst *const blacklist_hashes[]; extern const char __initconst *const blacklist_hashes[];

8
certs/blacklist_hashes.c
View File

@ -1,6 +1,12 @@
// SPDX-License-Identifier: GPL-2.0 // SPDX-License-Identifier: GPL-2.0
// The `blacklist_hashes` array stores hashes of blacklisted certificates.
// These hashes are used to prevent the usage of certificates that are deemed untrusted or compromised.
#include "blacklist.h" #include "blacklist.h"
// The `blacklist_hashes` array is populated with hashes from the `blacklist_hash_list` file.
// Each entry in the array represents a hash of a blacklisted certificate.
const char __initconst *const blacklist_hashes[] = { const char __initconst *const blacklist_hashes[] = {
#include "blacklist_hash_list" #include "blacklist_hash_list"
}; };

8
certs/check-blacklist-hashes.awk Executable file → Normal file
View File

@ -5,10 +5,10 @@
# #
# Author: Mickaël Salaün <mic@linux.microsoft.com> # Author: Mickaël Salaün <mic@linux.microsoft.com>
# #
# Check that a CONFIG_SYSTEM_BLACKLIST_HASH_LIST file contains a valid array of # This script checks the validity of the CONFIG_SYSTEM_BLACKLIST_HASH_LIST file,
# hash strings. Such string must start with a prefix ("tbs" or "bin"), then a # ensuring that it contains valid hash strings. Such strings must start with a
# colon (":"), and finally an even number of hexadecimal lowercase characters # prefix ("tbs" or "bin"), then a colon (":"), and finally an even number of
# (up to 128). # hexadecimal lowercase characters (up to 128).
BEGIN { BEGIN {
RS = "," RS = ","

5
certs/extract-cert.c
View File

@ -10,7 +10,12 @@
* modify it under the terms of the GNU Lesser General Public License * modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 * as published by the Free Software Foundation; either version 2.1
* of the licence, or (at your option) any later version. * of the licence, or (at your option) any later version.
*
* This program extracts X.509 certificates in DER form from PKCS#11 or PEM.
* It supports both PKCS#11 provider and engine, and can handle certificates
* from various sources, including files and PKCS#11 URIs.
*/ */
#define _GNU_SOURCE #define _GNU_SOURCE
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>

2
certs/revocation_certificates.S
View File

@ -2,6 +2,8 @@
#include <linux/export.h> #include <linux/export.h>
#include <linux/init.h> #include <linux/init.h>
/* This file includes the compiled-in list of revocation X.509 certificates. */
__INITRODATA __INITRODATA
.align 8 .align 8

2
certs/system_certificates.S
View File

@ -2,6 +2,8 @@
#include <linux/export.h> #include <linux/export.h>
#include <linux/init.h> #include <linux/init.h>
/* This file includes the compiled-in list of X.509 certificates and reserves space for an extra certificate. */
__INITRODATA __INITRODATA
.align 8 .align 8

4
certs/system_keyring.c
View File

@ -1,8 +1,10 @@
// SPDX-License-Identifier: GPL-2.0-or-later // SPDX-License-Identifier: GPL-2.0-or-later
/* System trusted keyring for trusted public keys /* System trusted keyring for trusted public keys
* *
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
*
* This file implements the system trusted keyring, which contains trusted public keys and manages the addition of keys to the keyring.
*/ */
#include <linux/export.h> #include <linux/export.h>