dm-verity-verify-sig.c 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (C) 2019 Microsoft Corporation.
  4. *
  5. * Author: Jaskaran Singh Khurana <jaskarankhurana@linux.microsoft.com>
  6. *
  7. */
  8. #include <linux/device-mapper.h>
  9. #include <linux/verification.h>
  10. #include <linux/key.h>
  11. #include <keys/user-type.h>
  12. #include <linux/module.h>
  13. #include "dm-verity.h"
  14. #include "dm-verity-verify-sig.h"
  15. #define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
  16. static struct key *dm_verity_keyring;
  17. static bool dm_verity_keyring_unsealed __ro_after_init;
  18. module_param_named(keyring_unsealed, dm_verity_keyring_unsealed, bool, 0444);
  19. MODULE_PARM_DESC(keyring_unsealed, "Leave the dm-verity keyring unsealed");
  20. static bool require_signatures;
  21. module_param(require_signatures, bool, 0444);
  22. MODULE_PARM_DESC(require_signatures,
  23. "Verify the roothash of dm-verity hash tree");
  24. #define DM_VERITY_IS_SIG_FORCE_ENABLED() \
  25. (require_signatures != false)
  26. bool verity_verify_is_sig_opt_arg(const char *arg_name)
  27. {
  28. return (!strcasecmp(arg_name,
  29. DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY));
  30. }
  31. static int verity_verify_get_sig_from_key(const char *key_desc,
  32. struct dm_verity_sig_opts *sig_opts)
  33. {
  34. struct key *key;
  35. const struct user_key_payload *ukp;
  36. int ret = 0;
  37. key = request_key(&key_type_user,
  38. key_desc, NULL);
  39. if (IS_ERR(key))
  40. return PTR_ERR(key);
  41. down_read(&key->sem);
  42. ukp = user_key_payload_locked(key);
  43. if (!ukp) {
  44. ret = -EKEYREVOKED;
  45. goto end;
  46. }
  47. sig_opts->sig = kmalloc(ukp->datalen, GFP_KERNEL);
  48. if (!sig_opts->sig) {
  49. ret = -ENOMEM;
  50. goto end;
  51. }
  52. sig_opts->sig_size = ukp->datalen;
  53. memcpy(sig_opts->sig, ukp->data, sig_opts->sig_size);
  54. end:
  55. up_read(&key->sem);
  56. key_put(key);
  57. return ret;
  58. }
  59. int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
  60. struct dm_verity *v,
  61. struct dm_verity_sig_opts *sig_opts,
  62. unsigned int *argc,
  63. const char *arg_name)
  64. {
  65. struct dm_target *ti = v->ti;
  66. int ret;
  67. const char *sig_key = NULL;
  68. if (v->signature_key_desc) {
  69. ti->error = DM_VERITY_VERIFY_ERR("root_hash_sig_key_desc already specified");
  70. return -EINVAL;
  71. }
  72. if (!*argc) {
  73. ti->error = DM_VERITY_VERIFY_ERR("Signature key not specified");
  74. return -EINVAL;
  75. }
  76. sig_key = dm_shift_arg(as);
  77. (*argc)--;
  78. ret = verity_verify_get_sig_from_key(sig_key, sig_opts);
  79. if (ret < 0) {
  80. ti->error = DM_VERITY_VERIFY_ERR("Invalid key specified");
  81. return ret;
  82. }
  83. v->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
  84. if (!v->signature_key_desc) {
  85. ti->error = DM_VERITY_VERIFY_ERR("Could not allocate memory for signature key");
  86. return -ENOMEM;
  87. }
  88. return 0;
  89. }
  90. /*
  91. * verify_verify_roothash - Verify the root hash of the verity hash device
  92. * using builtin trusted keys.
  93. *
  94. * @root_hash: For verity, the roothash/data to be verified.
  95. * @root_hash_len: Size of the roothash/data to be verified.
  96. * @sig_data: The trusted signature that verifies the roothash/data.
  97. * @sig_len: Size of the signature.
  98. *
  99. */
  100. int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
  101. const void *sig_data, size_t sig_len)
  102. {
  103. int ret;
  104. if (!root_hash || root_hash_len == 0)
  105. return -EINVAL;
  106. if (!sig_data || sig_len == 0) {
  107. if (DM_VERITY_IS_SIG_FORCE_ENABLED())
  108. return -ENOKEY;
  109. else
  110. return 0;
  111. }
  112. ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
  113. sig_len,
  114. #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  115. VERIFY_USE_SECONDARY_KEYRING,
  116. #else
  117. NULL,
  118. #endif
  119. VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
  120. #ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
  121. if (ret == -ENOKEY || ret == -EKEYREJECTED)
  122. ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
  123. sig_len,
  124. VERIFY_USE_PLATFORM_KEYRING,
  125. VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
  126. #endif
  127. if (ret != -ENOKEY && ret != -EKEYREJECTED)
  128. return ret;
  129. if (dm_verity_keyring->keys.nr_leaves_on_tree &&
  130. dm_verity_keyring->restrict_link)
  131. ret = verify_pkcs7_signature(root_hash, root_hash_len,
  132. sig_data, sig_len,
  133. dm_verity_keyring,
  134. VERIFYING_UNSPECIFIED_SIGNATURE,
  135. NULL, NULL);
  136. return ret;
  137. }
  138. void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
  139. {
  140. kfree(sig_opts->sig);
  141. sig_opts->sig = NULL;
  142. sig_opts->sig_size = 0;
  143. }
  144. int __init dm_verity_verify_sig_init(void)
  145. {
  146. dm_verity_keyring = keyring_alloc(".dm-verity",
  147. GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
  148. current_cred(),
  149. KEY_POS_SEARCH |
  150. KEY_USR_VIEW | KEY_USR_READ |
  151. KEY_USR_WRITE | KEY_USR_SEARCH |
  152. KEY_USR_SETATTR,
  153. KEY_ALLOC_NOT_IN_QUOTA,
  154. NULL, NULL);
  155. if (IS_ERR(dm_verity_keyring))
  156. panic("dm-verity can't allocate keyring\n");
  157. if (!dm_verity_keyring_unsealed &&
  158. keyring_restrict(make_key_ref(dm_verity_keyring, true), NULL, NULL))
  159. panic("dm-verity can't seal keyring\n");
  160. return 0;
  161. }
  162. void dm_verity_verify_sig_exit(void)
  163. {
  164. key_revoke(dm_verity_keyring);
  165. key_put(dm_verity_keyring);
  166. }