mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-22 18:44:44 +08:00
919dc32095
If an fsverity builtin signature is given for a file but the
".fs-verity" keyring is empty, there's no real reason to run the PKCS#7
parser. Skip this to avoid the PKCS#7 attack surface when builtin
signature support is configured into the kernel but is not being used.
This is a hardening improvement, not a fix per se, but I've added
Fixes and Cc stable to get it out to more users.
Fixes:
|
||
---|---|---|
.. | ||
enable.c | ||
fsverity_private.h | ||
hash_algs.c | ||
init.c | ||
Kconfig | ||
Makefile | ||
measure.c | ||
open.c | ||
read_metadata.c | ||
signature.c | ||
verify.c |