digsig.c 3.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139
  1. /*
  2. * Copyright (C) 2011 Intel Corporation
  3. *
  4. * Author:
  5. * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
  6. *
  7. * This program is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation, version 2 of the License.
  10. *
  11. */
  12. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  13. #include <linux/err.h>
  14. #include <linux/sched.h>
  15. #include <linux/slab.h>
  16. #include <linux/cred.h>
  17. #include <linux/key-type.h>
  18. #include <linux/digsig.h>
  19. #include <linux/vmalloc.h>
  20. #include <crypto/public_key.h>
  21. #include <keys/system_keyring.h>
  22. #include "integrity.h"
  23. static struct key *keyring[INTEGRITY_KEYRING_MAX];
  24. static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
  25. #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
  26. "_evm",
  27. "_ima",
  28. #else
  29. ".evm",
  30. ".ima",
  31. #endif
  32. "_module",
  33. };
  34. #ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
  35. static bool init_keyring __initdata = true;
  36. #else
  37. static bool init_keyring __initdata;
  38. #endif
  39. #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  40. #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
  41. #else
  42. #define restrict_link_to_ima restrict_link_by_builtin_trusted
  43. #endif
  44. int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
  45. const char *digest, int digestlen)
  46. {
  47. if (id >= INTEGRITY_KEYRING_MAX)
  48. return -EINVAL;
  49. if (!keyring[id]) {
  50. keyring[id] =
  51. request_key(&key_type_keyring, keyring_name[id], NULL);
  52. if (IS_ERR(keyring[id])) {
  53. int err = PTR_ERR(keyring[id]);
  54. pr_err("no %s keyring: %d\n", keyring_name[id], err);
  55. keyring[id] = NULL;
  56. return err;
  57. }
  58. }
  59. switch (sig[1]) {
  60. case 1:
  61. /* v1 API expect signature without xattr type */
  62. return digsig_verify(keyring[id], sig + 1, siglen - 1,
  63. digest, digestlen);
  64. case 2:
  65. return asymmetric_verify(keyring[id], sig, siglen,
  66. digest, digestlen);
  67. }
  68. return -EOPNOTSUPP;
  69. }
  70. int __init integrity_init_keyring(const unsigned int id)
  71. {
  72. const struct cred *cred = current_cred();
  73. int err = 0;
  74. if (!init_keyring)
  75. return 0;
  76. keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
  77. KGIDT_INIT(0), cred,
  78. ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
  79. KEY_USR_VIEW | KEY_USR_READ |
  80. KEY_USR_WRITE | KEY_USR_SEARCH),
  81. KEY_ALLOC_NOT_IN_QUOTA,
  82. restrict_link_to_ima, NULL);
  83. if (IS_ERR(keyring[id])) {
  84. err = PTR_ERR(keyring[id]);
  85. pr_info("Can't allocate %s keyring (%d)\n",
  86. keyring_name[id], err);
  87. keyring[id] = NULL;
  88. }
  89. return err;
  90. }
  91. int __init integrity_load_x509(const unsigned int id, const char *path)
  92. {
  93. key_ref_t key;
  94. char *data;
  95. int rc;
  96. if (!keyring[id])
  97. return -EINVAL;
  98. rc = integrity_read_file(path, &data);
  99. if (rc < 0)
  100. return rc;
  101. key = key_create_or_update(make_key_ref(keyring[id], 1),
  102. "asymmetric",
  103. NULL,
  104. data,
  105. rc,
  106. ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
  107. KEY_USR_VIEW | KEY_USR_READ),
  108. KEY_ALLOC_NOT_IN_QUOTA);
  109. if (IS_ERR(key)) {
  110. rc = PTR_ERR(key);
  111. pr_err("Problem loading X.509 certificate (%d): %s\n",
  112. rc, path);
  113. } else {
  114. pr_notice("Loaded X.509 cert '%s': %s\n",
  115. key_ref_to_ptr(key)->description, path);
  116. key_ref_put(key);
  117. }
  118. kfree(data);
  119. return 0;
  120. }