projects / deliverable / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| 8607c501 DK |
1 | /* |
| 2 | * Copyright (C) 2011 Intel Corporation | |
| 3 | * | |
| 4 | * Author: | |
| 5 | * Dmitry Kasatkin <dmitry.kasatkin@intel.com> | |
| 6 | * | |
| 7 | * This program is free software; you can redistribute it and/or modify | |
| 8 | * it under the terms of the GNU General Public License as published by | |
| 9 | * the Free Software Foundation, version 2 of the License. | |
| 10 | * | |
| 11 | */ | |
| 12 | ||
| 13 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
| 14 | ||
| 15 | #include <linux/err.h> | |
| 7d2ce232 | 16 | #include <linux/sched.h> |
| 65d543b2 | 17 | #include <linux/slab.h> |
| 7d2ce232 | 18 | #include <linux/cred.h> |
| 8607c501 DK |
19 | #include <linux/key-type.h> |
| 20 | #include <linux/digsig.h> | |
| a511e1af DH |
21 | #include <crypto/public_key.h> |
| 22 | #include <keys/system_keyring.h> | |
| 8607c501 DK |
23 | |
| 24 | #include "integrity.h" | |
| 25 | ||
| 26 | static struct key *keyring[INTEGRITY_KEYRING_MAX]; | |
| 27 | ||
| 28 | static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { | |
| f4dc3778 | 29 | #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING |
| 8607c501 | 30 | "_evm", |
| 8607c501 | 31 | "_ima", |
| 7d2ce232 | 32 | #else |
| f4dc3778 | 33 | ".evm", |
| 7d2ce232 MZ |
34 | ".ima", |
| 35 | #endif | |
| f4dc3778 | 36 | "_module", |
| 8607c501 DK |
37 | }; |
| 38 | ||
| f4dc3778 DK |
39 | #ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING |
| 40 | static bool init_keyring __initdata = true; | |
| 41 | #else | |
| 42 | static bool init_keyring __initdata; | |
| 43 | #endif | |
| 44 | ||
| a511e1af DH |
45 | #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING |
| 46 | /* | |
| 47 | * Restrict the addition of keys into the IMA keyring. | |
| 48 | * | |
| 49 | * Any key that needs to go in .ima keyring must be signed by CA in | |
| 50 | * either .system or .ima_mok keyrings. | |
| 51 | */ | |
| 52 | static int restrict_link_by_ima_mok(struct key *keyring, | |
| 53 | const struct key_type *type, | |
| 54 | unsigned long flags, | |
| 55 | const union key_payload *payload) | |
| 56 | { | |
| 57 | int ret; | |
| 58 | ||
| 59 | ret = restrict_link_by_builtin_trusted(keyring, type, flags, payload); | |
| 60 | if (ret != -ENOKEY) | |
| 61 | return ret; | |
| 62 | ||
| 63 | return restrict_link_by_signature(get_ima_mok_keyring(), | |
| 64 | type, payload); | |
| 65 | } | |
| 66 | #else | |
| 67 | /* | |
| 68 | * If there's no system trusted keyring, then keys cannot be loaded into | |
| 69 | * .ima_mok and added keys cannot be marked trusted. | |
| 70 | */ | |
| 71 | #define restrict_link_by_ima_mok restrict_link_reject | |
| 72 | #endif | |
| 73 | ||
| 8607c501 | 74 | int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, |
| 089bc8e9 | 75 | const char *digest, int digestlen) |
| 8607c501 DK |
76 | { |
| 77 | if (id >= INTEGRITY_KEYRING_MAX) | |
| 78 | return -EINVAL; | |
| 79 | ||
| 80 | if (!keyring[id]) { | |
| 81 | keyring[id] = | |
| 34ef7bd3 | 82 | request_key(&key_type_keyring, keyring_name[id], NULL); |
| 8607c501 DK |
83 | if (IS_ERR(keyring[id])) { |
| 84 | int err = PTR_ERR(keyring[id]); | |
| 85 | pr_err("no %s keyring: %d\n", keyring_name[id], err); | |
| 86 | keyring[id] = NULL; | |
| 87 | return err; | |
| 88 | } | |
| 89 | } | |
| 90 | ||
| b1aaab22 | 91 | switch (sig[1]) { |
| e0751257 | 92 | case 1: |
| b1aaab22 DK |
93 | /* v1 API expect signature without xattr type */ |
| 94 | return digsig_verify(keyring[id], sig + 1, siglen - 1, | |
| e0751257 DK |
95 | digest, digestlen); |
| 96 | case 2: | |
| 97 | return asymmetric_verify(keyring[id], sig, siglen, | |
| 98 | digest, digestlen); | |
| 99 | } | |
| 100 | ||
| 101 | return -EOPNOTSUPP; | |
| 8607c501 | 102 | } |
| 7d2ce232 | 103 | |
| d16a8585 | 104 | int __init integrity_init_keyring(const unsigned int id) |
| 7d2ce232 MZ |
105 | { |
| 106 | const struct cred *cred = current_cred(); | |
| 107 | int err = 0; | |
| 108 | ||
| f4dc3778 DK |
109 | if (!init_keyring) |
| 110 | return 0; | |
| 111 | ||
| 7d2ce232 MZ |
112 | keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), |
| 113 | KGIDT_INIT(0), cred, | |
| 114 | ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | |
| 115 | KEY_USR_VIEW | KEY_USR_READ | | |
| 116 | KEY_USR_WRITE | KEY_USR_SEARCH), | |
| 5ac7eace | 117 | KEY_ALLOC_NOT_IN_QUOTA, |
| a511e1af | 118 | restrict_link_by_ima_mok, NULL); |
| 5ac7eace | 119 | if (IS_ERR(keyring[id])) { |
| 7d2ce232 MZ |
120 | err = PTR_ERR(keyring[id]); |
| 121 | pr_info("Can't allocate %s keyring (%d)\n", | |
| 122 | keyring_name[id], err); | |
| 123 | keyring[id] = NULL; | |
| 124 | } | |
| 125 | return err; | |
| 126 | } | |
| 65d543b2 | 127 | |
| 9d03a721 | 128 | int __init integrity_load_x509(const unsigned int id, const char *path) |
| 65d543b2 DK |
129 | { |
| 130 | key_ref_t key; | |
| 131 | char *data; | |
| 132 | int rc; | |
| 133 | ||
| 134 | if (!keyring[id]) | |
| 135 | return -EINVAL; | |
| 136 | ||
| 137 | rc = integrity_read_file(path, &data); | |
| 138 | if (rc < 0) | |
| 139 | return rc; | |
| 140 | ||
| 141 | key = key_create_or_update(make_key_ref(keyring[id], 1), | |
| 142 | "asymmetric", | |
| 143 | NULL, | |
| 144 | data, | |
| 145 | rc, | |
| 146 | ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | |
| 147 | KEY_USR_VIEW | KEY_USR_READ), | |
| 72e1eed8 | 148 | KEY_ALLOC_NOT_IN_QUOTA); |
| 65d543b2 DK |
149 | if (IS_ERR(key)) { |
| 150 | rc = PTR_ERR(key); | |
| 151 | pr_err("Problem loading X.509 certificate (%d): %s\n", | |
| 152 | rc, path); | |
| 153 | } else { | |
| 154 | pr_notice("Loaded X.509 cert '%s': %s\n", | |
| 155 | key_ref_to_ptr(key)->description, path); | |
| 156 | key_ref_put(key); | |
| 157 | } | |
| 158 | kfree(data); | |
| 159 | return 0; | |
| 160 | } |