From: alistair23@gmail.com
To: bhelgaas@google.com, lukas@wunner.de, rust-for-linux@vger.kernel.org, akpm@linux-foundation.org, linux-pci@vger.kernel.org, Jonathan.Cameron@huawei.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: alex.gaynor@gmail.com, benno.lossin@proton.me, boqun.feng@gmail.com, a.hindborg@kernel.org, gary@garyguo.net, bjorn3_gh@protonmail.com, tmgross@umich.edu, alistair23@gmail.com, ojeda@kernel.org, wilfred.mallawa@wdc.com, aliceryhl@google.com, Alistair Francis
Subject: [RFC v3 19/27] PCI/CMA: Support built in X.509 certificates
Date: Wed, 11 Feb 2026 13:29:26 +1000
Message-ID: <20260211032935.2705841-20-alistair.francis@wdc.com>
In-Reply-To: <20260211032935.2705841-1-alistair.francis@wdc.com>
References: <20260211032935.2705841-1-alistair.francis@wdc.com>

From: Alistair Francis

Support building the X.509 certificates into the CMA certificate store.
This allows certificates to be built into the kernel which can be used
to authenticate PCIe devices via SPDM.

Signed-off-by: Alistair Francis
---
 certs/system_keyring.c        |  4 ----
 drivers/pci/cma.c             | 28 ++++++++++++++++++++++++++++
 include/keys/system_keyring.h |  4 ++++
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index f3d8ea4f70b4..adfc24139133 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -28,10 +28,6 @@ static struct key *machine_trusted_keys; static struct key *platform_trusted_keys; #endif =20 -extern __initconst const u8 system_certificate_list[]; -extern __initconst const unsigned long system_certificate_list_size; -extern __initconst const unsigned long module_cert_size; - /** * restrict_link_by_builtin_trusted - Restrict keyring addition by built-i= n CA * @dest_keyring: Keyring being linked to. diff --git a/drivers/pci/cma.c b/drivers/pci/cma.c index f2c435b04b92..8d64008594e2 100644 --- a/drivers/pci/cma.c +++ b/drivers/pci/cma.c @@ -10,6 +10,7 @@ =20 #define dev_fmt(fmt) "CMA: " fmt =20 +#include #include #include #include @@ -218,8 +219,31 @@ void pci_cma_destroy(struct pci_dev *pdev) spdm_destroy(pdev->spdm_state); } =20 +/* + * Load the compiled-in list of X.509 certificates. + */ +static int load_system_certificate_list(void) +{ + const u8 *p; + unsigned long size; + + pr_notice("Loading compiled-in X.509 certificates for CMA\n"); + +#ifdef CONFIG_MODULE_SIG + p =3D system_certificate_list; + size =3D system_certificate_list_size; +#else + p =3D system_certificate_list + module_cert_size; + size =3D system_certificate_list_size - module_cert_size; +#endif + + return x509_load_certificate_list(p, size, pci_cma_keyring); +} + __init static int pci_cma_keyring_init(void) { + int rc; + pci_cma_keyring =3D keyring_alloc(".cma", KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), (KEY_POS_ALL & ~KEY_POS_SETATTR) | @@ -232,6 +256,10 @@ __init static int pci_cma_keyring_init(void) return PTR_ERR(pci_cma_keyring); } =20 + rc =3D load_system_certificate_list(); + if (rc) + return rc; + return 0; } arch_initcall(pci_cma_keyring_init); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index a6c2897bcc63..35a33412e175 100644 --- a/include/keys/system_keyring.h 
+++ b/include/keys/system_keyring.h @@ -130,4 +130,8 @@ static inline void set_platform_trusted_keys(struct key= *keyring) } #endif =20 +extern __initconst const u8 system_certificate_list[]; +extern __initconst const unsigned long system_certificate_list_size; +extern __initconst const unsigned long module_cert_size; + #endif /* _KEYS_SYSTEM_KEYRING_H */ --=20 2.52.0
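
Review bot: In the drivers/pci/cma.c hunk that adds load_system_certificate_list(), the CONFIG_MODULE_SIG branch hands the whole of system_certificate_list to x509_load_certificate_list(), so the leading module_cert_size bytes that the #else branch skips (by its name, the module signing certificate) are also loaded into pci_cma_keyring and become a trust anchor for SPDM device authentication. Consider skipping module_cert_size unconditionally for this keyring, or giving CMA a certificate list of its own, and state in the commit message which built-in certificates are meant to be trusted for devices. The function should also be marked __init: it reads symbols declared __initconst and its only caller is the __init pci_cma_keyring_init().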
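
Review bot: In the pci_cma_keyring_init() hunk of drivers/pci/cma.c, the new "if (rc) return rc;" path returns an error after keyring_alloc() has already succeeded, which leaves pci_cma_keyring allocated and possibly partly populated while the initcall reports failure. Decide whether a certificate load failure is fatal: if it is, drop the keyring with key_put() and clear the pointer before returning; if it is not, log the error and return 0. A comment saying which behaviour is intended would help, since the rest of the hunk gives no indication.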
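
Review bot: In the include/keys/system_keyring.h hunk, the three extern declarations are added after the last #endif with no comment and no config guard, so the raw built-in certificate blob becomes visible to every includer of this header. Add a short comment describing what system_certificate_list, system_certificate_list_size and module_cert_size cover and that, being __initconst, they may only be used from __init code. Consider exposing a small __init helper that loads the list into a caller-supplied keyring instead of the raw symbols, so the offset handling around module_cert_size lives in one place.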