[PATCH 032/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYMMETRIC_KEY_TYPE crypto
Jay Wang
wanjay at amazon.com
Wed Feb 11 18:46:08 PST 2026
Apply Crypto API wrappers to the exported crypto symbols in
CONFIG_ASYMMETRIC_KEY_TYPE-related crypto to convert them into a pluggable
interface.
Signed-off-by: Jay Wang <wanjay at amazon.com>
---
certs/system_keyring.c | 1 +
crypto/asymmetric_keys/Makefile | 2 +-
crypto/asymmetric_keys/asymmetric_type.c | 4 +--
crypto/asymmetric_keys/restrict.c | 3 +-
crypto/fips140/fips140-api.c | 44 ++++++++++++++++++++++++
include/crypto/public_key.h | 29 +++++++++-------
include/keys/asymmetric-parser.h | 8 +++--
include/keys/asymmetric-type.h | 32 +++++++++--------
8 files changed, 90 insertions(+), 33 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..a53261dc5629 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -50,6 +50,7 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring,
return restrict_link_by_signature(dest_keyring, type, payload,
builtin_trusted_keys);
}
+EXPORT_SYMBOL_GPL(restrict_link_by_builtin_trusted);
/**
* restrict_link_by_digsig_builtin - Restrict digitalSignature key additions by the built-in keyring
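Review bot: `EXPORT_SYMBOL_GPL(restrict_link_by_builtin_trusted)` is a new export of a keyring trust-restriction function, yet the commit message only describes wrapping symbols that are already exported; the same holds for the new exports of `restrict_link_by_signature` and `restrict_link_by_digsig` in crypto/asymmetric_keys/restrict.c. Each export widens what any GPL module can link against, so the description should name the caller that needs it. Unlike the two restrict.c functions, this one gets no `DEFINE_CRYPTO_API_STUB` entry in fips140-api.c, which suggests it is exported so the relocated asymmetric_keys code can call back into certs/. If that is the reason, record it, for example with `/* Exported for crypto/asymmetric_keys when it is built into the crypto module */` above the export. The function body starts outside the hunk.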
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index bc65d3b98dcb..252536153d73 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -3,7 +3,7 @@
# Makefile for asymmetric cryptographic keys
#
-obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
+crypto-objs-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := \
asymmetric_type.o \
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 2326743310b1..9afc58536cf6 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -677,5 +677,5 @@ static void __exit asymmetric_key_cleanup(void)
unregister_key_type(&key_type_asymmetric);
}
-module_init(asymmetric_key_init);
-module_exit(asymmetric_key_cleanup);
+crypto_module_init(asymmetric_key_init);
+crypto_module_exit(asymmetric_key_cleanup);
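Review bot: Nothing in the hunk or the commit message says when `crypto_module_init(asymmetric_key_init)` runs relative to the initcall level that `module_init` gave it, and the macro is defined outside this patch. The cleanup path shown here unregisters `key_type_asymmetric`, so the init path presumably registers it; if registration can now happen later, boot-time code that adds asymmetric keys to a keyring could find the type missing. Please confirm the ordering and record it, e.g. `/* Must run before any keyring is populated with asymmetric keys */` above the two macro lines. Both `asymmetric_key_init` and the body of `asymmetric_key_cleanup` start outside the hunk.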
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 86292965f493..5d6ecf9eadbc 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -114,7 +114,7 @@ int restrict_link_by_signature(struct key *dest_keyring,
key_put(key);
return ret;
}
-
+EXPORT_SYMBOL_GPL(restrict_link_by_signature);
/**
* restrict_link_by_ca - Restrict additions to a ring of CA keys
* @dest_keyring: Keyring being linked to.
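Review bot: The added `EXPORT_SYMBOL_GPL(restrict_link_by_signature);` replaces the empty line after the closing brace, so the export now runs straight into the kernel-doc block of `restrict_link_by_ca`. Add the export as a new line and leave the blank line after it, so the kernel-doc comment stays visually attached to the function it documents. The body of `restrict_link_by_signature` starts outside the hunk.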
@@ -198,6 +198,7 @@ int restrict_link_by_digsig(struct key *dest_keyring,
return restrict_link_by_signature(dest_keyring, type, payload,
trust_keyring);
}
+EXPORT_SYMBOL_GPL(restrict_link_by_digsig);
static bool match_either_id(const struct asymmetric_key_id **pair,
const struct asymmetric_key_id *single)
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 20afa1c21cf0..100f50ad7b43 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -413,3 +413,47 @@ DEFINE_CRYPTO_API_STUB(crypto_unregister_rngs);
DEFINE_CRYPTO_API_STUB(crypto_del_default_rng);
#endif
+/*
+ * crypto/asymmetric_keys/asymmetric_type.c
+ */
+#if IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)
+
+#include <keys/asymmetric-parser.h>
+
+DEFINE_CRYPTO_API_STUB(register_asymmetric_key_parser);
+DEFINE_CRYPTO_API_STUB(unregister_asymmetric_key_parser);
+
+#include <keys/asymmetric-type.h>
+
+DEFINE_CRYPTO_API_STUB(asymmetric_key_id_same);
+DEFINE_CRYPTO_API_STUB(asymmetric_key_id_partial);
+DEFINE_CRYPTO_API_STUB(asymmetric_key_generate_id);
+DEFINE_CRYPTO_API_STUB(find_asymmetric_key);
+
+#undef key_type_asymmetric
+DEFINE_CRYPTO_VAR_STUB(key_type_asymmetric);
+
+#endif
+/*
+ * crypto/asymmetric_keys/signature.c
+ */
+#if IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)
+
+#include <crypto/public_key.h>
+
+DEFINE_CRYPTO_API_STUB(public_key_signature_free);
+DEFINE_CRYPTO_API_STUB(query_asymmetric_key);
+DEFINE_CRYPTO_API_STUB(verify_signature);
+
+#endif
+/*
+ * crypto/asymmetric_keys/restrict.c
+ */
+#if IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)
+
+#include <crypto/public_key.h>
+
+DEFINE_CRYPTO_API_STUB(restrict_link_by_signature);
+DEFINE_CRYPTO_API_STUB(restrict_link_by_digsig);
+
+#endif
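Review bot: The stubs for `verify_signature`, `restrict_link_by_signature` and `restrict_link_by_digsig` do not document what a call does before an implementation has been plugged in, and `DEFINE_CRYPTO_API_STUB` is defined outside this patch. By kernel convention these functions return 0 for "signature valid" or "link allowed", so the unpopulated path has to fail closed with an error rather than fall through to 0. The same question applies to `DEFINE_CRYPTO_VAR_STUB(key_type_asymmetric)`, whose pointer the header macro dereferences. If that is the behaviour, state it at the top of each section, e.g. `/* Callers get an error, never 0, until the crypto module registers these */`. The three identical `#if IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)` blocks could also be merged, which removes the repeated `#include <crypto/public_key.h>`.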
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 4c5199b20338..be789854fdcb 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -10,6 +10,7 @@
#ifndef _LINUX_PUBLIC_KEY_H
#define _LINUX_PUBLIC_KEY_H
+#include <crypto/api.h>
#include <linux/errno.h>
#include <linux/keyctl.h>
#include <linux/oid_registry.h>
@@ -53,7 +54,9 @@ struct public_key_signature {
const char *encoding;
};
-extern void public_key_signature_free(struct public_key_signature *sig);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, public_key_signature_free, void,
+ (struct public_key_signature *sig),
+ (sig));
extern struct asymmetric_key_subtype public_key_subtype;
@@ -61,10 +64,9 @@ struct key;
struct key_type;
union key_payload;
-extern int restrict_link_by_signature(struct key *dest_keyring,
- const struct key_type *type,
- const union key_payload *payload,
- struct key *trust_keyring);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, restrict_link_by_signature, int,
+ (struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *trust_keyring),
+ (dest_keyring, type, payload, trust_keyring));
extern int restrict_link_by_key_or_keyring(struct key *dest_keyring,
const struct key_type *type,
@@ -81,10 +83,9 @@ extern int restrict_link_by_ca(struct key *dest_keyring,
const struct key_type *type,
const union key_payload *payload,
struct key *trust_keyring);
-int restrict_link_by_digsig(struct key *dest_keyring,
- const struct key_type *type,
- const union key_payload *payload,
- struct key *trust_keyring);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, restrict_link_by_digsig, int,
+ (struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, struct key *trust_keyring),
+ (dest_keyring, type, payload, trust_keyring));
#else
static inline int restrict_link_by_ca(struct key *dest_keyring,
const struct key_type *type,
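Review bot: The `DECLARE_CRYPTO_API` for `restrict_link_by_digsig` sits in the `#if` branch whose `#else` supplies a `static inline` fallback of the same name, while the matching `DEFINE_CRYPTO_API_STUB(restrict_link_by_digsig)` in fips140-api.c is guarded only by `IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)`. The opening `#if` is outside the hunk, so please confirm the two conditions can never disagree; otherwise the stub would be built against the inline fallback. `restrict_link_by_ca` in the same branch stays a plain `extern` although it lives in the same restrict.c, and the commit message does not say why it is left out. The parameter list line is also far longer than the rest of the header and could be wrapped one parameter per line, as the removed prototype was.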
@@ -103,11 +104,13 @@ static inline int restrict_link_by_digsig(struct key *dest_keyring,
}
#endif
-extern int query_asymmetric_key(const struct kernel_pkey_params *,
- struct kernel_pkey_query *);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, query_asymmetric_key, int,
+ (const struct kernel_pkey_params *arg1, struct kernel_pkey_query *arg2),
+ (arg1, arg2));
-extern int verify_signature(const struct key *,
- const struct public_key_signature *);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, verify_signature, int,
+ (const struct key *arg1, const struct public_key_signature *arg2),
+ (arg1, arg2));
#if IS_REACHABLE(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE)
int public_key_verify_signature(const struct public_key *pkey,
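Review bot: `arg1` and `arg2` in the new `query_asymmetric_key` and `verify_signature` declarations say nothing about the arguments, whereas the other conversions in this patch keep or introduce descriptive names. Since the macro needs names anyway, use ones that carry meaning, e.g. `(const struct key *key, const struct public_key_signature *sig), (key, sig)` and `(const struct kernel_pkey_params *params, struct kernel_pkey_query *info), (params, info)`. These are the signature-verification entry points, so a readable prototype in the header matters more here than elsewhere.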
diff --git a/include/keys/asymmetric-parser.h b/include/keys/asymmetric-parser.h
index 516a3f51179e..13474b17055b 100644
--- a/include/keys/asymmetric-parser.h
+++ b/include/keys/asymmetric-parser.h
@@ -29,7 +29,11 @@ struct asymmetric_key_parser {
int (*parse)(struct key_preparsed_payload *prep);
};
-extern int register_asymmetric_key_parser(struct asymmetric_key_parser *);
-extern void unregister_asymmetric_key_parser(struct asymmetric_key_parser *);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, register_asymmetric_key_parser, int,
+ (struct asymmetric_key_parser *parser),
+ (parser));
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, unregister_asymmetric_key_parser, void,
+ (struct asymmetric_key_parser *parser),
+ (parser));
#endif /* _KEYS_ASYMMETRIC_PARSER_H */
diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
index 1b91c8f98688..96e718a550a3 100644
--- a/include/keys/asymmetric-type.h
+++ b/include/keys/asymmetric-type.h
@@ -10,10 +10,15 @@
#ifndef _KEYS_ASYMMETRIC_TYPE_H
#define _KEYS_ASYMMETRIC_TYPE_H
+#include <crypto/api.h>
#include <linux/key-type.h>
#include <linux/verification.h>
-extern struct key_type key_type_asymmetric;
+DECLARE_CRYPTO_VAR(CONFIG_ASYMMETRIC_KEY_TYPE, key_type_asymmetric, struct key_type, );
+
+#if defined(CONFIG_CRYPTO_FIPS140_EXTMOD) && !defined(FIPS_MODULE) && IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)
+#define key_type_asymmetric (*((struct key_type*)CRYPTO_VAR_NAME(key_type_asymmetric)))
+#endif
/*
* The key payload is four words. The asymmetric-type key uses them as
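Review bot: The `key_type_asymmetric` macro turns every use of the variable into a dereference of `CRYPTO_VAR_NAME(key_type_asymmetric)` behind a cast, and nothing here documents that. The cast to `struct key_type*` hides any type mismatch in what `DECLARE_CRYPTO_VAR` declares, `&key_type_asymmetric` stops being an address constant for static initializers, and a use before the pointer is set would presumably dereference NULL. fips140-api.c also has to `#undef` the name before defining the stub, which is easy to miss. Please add a comment above the `#if` stating when the pointer is populated and why the `#undef` is needed, explain the empty trailing argument in `DECLARE_CRYPTO_VAR(..., )`, and write the cast as `(struct key_type *)` per kernel style.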
@@ -56,16 +61,17 @@ struct asymmetric_key_ids {
void *id[3];
};
-extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
- const struct asymmetric_key_id *kid2);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, asymmetric_key_id_same, bool,
+ (const struct asymmetric_key_id *kid1, const struct asymmetric_key_id *kid2),
+ (kid1, kid2));
-extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
- const struct asymmetric_key_id *kid2);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, asymmetric_key_id_partial, bool,
+ (const struct asymmetric_key_id *kid1, const struct asymmetric_key_id *kid2),
+ (kid1, kid2));
-extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
- size_t len_1,
- const void *val_2,
- size_t len_2);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, asymmetric_key_generate_id, struct asymmetric_key_id *,
+ (const void *val_1, size_t len_1, const void *val_2, size_t len_2),
+ (val_1, len_1, val_2, len_2));
static inline
const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
{
@@ -78,11 +84,9 @@ const struct public_key *asymmetric_key_public_key(const struct key *key)
return key->payload.data[asym_crypto];
}
-extern struct key *find_asymmetric_key(struct key *keyring,
- const struct asymmetric_key_id *id_0,
- const struct asymmetric_key_id *id_1,
- const struct asymmetric_key_id *id_2,
- bool partial);
+DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, find_asymmetric_key, struct key *,
+ (struct key *keyring, const struct asymmetric_key_id *id_0, const struct asymmetric_key_id *id_1, const struct asymmetric_key_id *id_2, bool partial),
+ (keyring, id_0, id_1, id_2, partial));
int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size,
const struct key *keyring);
--
2.47.3