digsig.c 5.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (C) 2011 Intel Corporation
  4. *
  5. * Author:
  6. * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  7. */
  8. #include <linux/err.h>
  9. #include <linux/sched.h>
  10. #include <linux/slab.h>
  11. #include <linux/cred.h>
  12. #include <linux/kernel_read_file.h>
  13. #include <linux/key-type.h>
  14. #include <linux/digsig.h>
  15. #include <linux/vmalloc.h>
  16. #include <crypto/public_key.h>
  17. #include <keys/system_keyring.h>
  18. #include "integrity.h"
  19. static struct key *keyring[INTEGRITY_KEYRING_MAX];
  20. static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
  21. #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
  22. "_evm",
  23. "_ima",
  24. #else
  25. ".evm",
  26. ".ima",
  27. #endif
  28. ".platform",
  29. ".machine",
  30. };
  31. #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  32. #define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary
  33. #else
  34. #define restrict_link_to_ima restrict_link_by_digsig_builtin
  35. #endif
  36. static struct key *integrity_keyring_from_id(const unsigned int id)
  37. {
  38. if (id >= INTEGRITY_KEYRING_MAX)
  39. return ERR_PTR(-EINVAL);
  40. if (!keyring[id]) {
  41. keyring[id] =
  42. request_key(&key_type_keyring, keyring_name[id], NULL);
  43. if (IS_ERR(keyring[id])) {
  44. int err = PTR_ERR(keyring[id]);
  45. pr_err("no %s keyring: %d\n", keyring_name[id], err);
  46. keyring[id] = NULL;
  47. return ERR_PTR(err);
  48. }
  49. }
  50. return keyring[id];
  51. }
  52. int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
  53. const char *digest, int digestlen)
  54. {
  55. struct key *keyring;
  56. if (siglen < 2)
  57. return -EINVAL;
  58. keyring = integrity_keyring_from_id(id);
  59. if (IS_ERR(keyring))
  60. return PTR_ERR(keyring);
  61. switch (sig[1]) {
  62. case 1:
  63. /* v1 API expect signature without xattr type */
  64. return digsig_verify(keyring, sig + 1, siglen - 1, digest,
  65. digestlen);
  66. case 2: /* regular file data hash based signature */
  67. case 3: /* struct ima_file_id data based signature */
  68. return asymmetric_verify(keyring, sig, siglen, digest,
  69. digestlen);
  70. }
  71. return -EOPNOTSUPP;
  72. }
  73. int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
  74. {
  75. struct key *keyring;
  76. keyring = integrity_keyring_from_id(id);
  77. if (IS_ERR(keyring))
  78. return PTR_ERR(keyring);
  79. return ima_modsig_verify(keyring, modsig);
  80. }
  81. static int __init __integrity_init_keyring(const unsigned int id,
  82. key_perm_t perm,
  83. struct key_restriction *restriction)
  84. {
  85. const struct cred *cred = current_cred();
  86. int err = 0;
  87. keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
  88. KGIDT_INIT(0), cred, perm,
  89. KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
  90. if (IS_ERR(keyring[id])) {
  91. err = PTR_ERR(keyring[id]);
  92. pr_info("Can't allocate %s keyring (%d)\n",
  93. keyring_name[id], err);
  94. keyring[id] = NULL;
  95. } else {
  96. if (id == INTEGRITY_KEYRING_PLATFORM)
  97. set_platform_trusted_keys(keyring[id]);
  98. if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled())
  99. set_machine_trusted_keys(keyring[id]);
  100. if (id == INTEGRITY_KEYRING_IMA)
  101. load_module_cert(keyring[id]);
  102. }
  103. return err;
  104. }
  105. int __init integrity_init_keyring(const unsigned int id)
  106. {
  107. struct key_restriction *restriction;
  108. key_perm_t perm;
  109. int ret;
  110. perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
  111. | KEY_USR_READ | KEY_USR_SEARCH;
  112. if (id == INTEGRITY_KEYRING_PLATFORM ||
  113. (id == INTEGRITY_KEYRING_MACHINE &&
  114. !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) {
  115. restriction = NULL;
  116. goto out;
  117. }
  118. if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
  119. return 0;
  120. restriction = kzalloc_obj(struct key_restriction);
  121. if (!restriction)
  122. return -ENOMEM;
  123. if (id == INTEGRITY_KEYRING_MACHINE)
  124. restriction->check = restrict_link_by_ca;
  125. else
  126. restriction->check = restrict_link_to_ima;
  127. /*
  128. * MOK keys can only be added through a read-only runtime services
  129. * UEFI variable during boot. No additional keys shall be allowed to
  130. * load into the machine keyring following init from userspace.
  131. */
  132. if (id != INTEGRITY_KEYRING_MACHINE)
  133. perm |= KEY_USR_WRITE;
  134. out:
  135. ret = __integrity_init_keyring(id, perm, restriction);
  136. if (ret)
  137. kfree(restriction);
  138. return ret;
  139. }
  140. static int __init integrity_add_key(const unsigned int id, const void *data,
  141. off_t size, key_perm_t perm)
  142. {
  143. key_ref_t key;
  144. int rc = 0;
  145. if (!keyring[id])
  146. return -EINVAL;
  147. key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
  148. NULL, data, size, perm,
  149. KEY_ALLOC_NOT_IN_QUOTA);
  150. if (IS_ERR(key)) {
  151. rc = PTR_ERR(key);
  152. if (id != INTEGRITY_KEYRING_MACHINE)
  153. pr_err("Problem loading X.509 certificate %d\n", rc);
  154. } else {
  155. pr_notice("Loaded X.509 cert '%s'\n",
  156. key_ref_to_ptr(key)->description);
  157. key_ref_put(key);
  158. }
  159. return rc;
  160. }
  161. int __init integrity_load_x509(const unsigned int id, const char *path)
  162. {
  163. void *data = NULL;
  164. size_t size;
  165. int rc;
  166. key_perm_t perm;
  167. rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
  168. READING_X509_CERTIFICATE);
  169. if (rc < 0) {
  170. pr_err("Unable to open file: %s (%d)", path, rc);
  171. return rc;
  172. }
  173. size = rc;
  174. perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
  175. pr_info("Loading X.509 certificate: %s\n", path);
  176. rc = integrity_add_key(id, (const void *)data, size, perm);
  177. vfree(data);
  178. return rc;
  179. }
  180. int __init integrity_load_cert(const unsigned int id, const char *source,
  181. const void *data, size_t len, key_perm_t perm)
  182. {
  183. if (!data)
  184. return -EINVAL;
  185. pr_info("Loading X.509 certificate: %s\n", source);
  186. return integrity_add_key(id, data, len, perm);
  187. }