Commit | Line | Data |
---|---|---|
8607c501 DK |
1 | /* |
2 | * Copyright (C) 2011 Intel Corporation | |
3 | * | |
4 | * Author: | |
5 | * Dmitry Kasatkin <dmitry.kasatkin@intel.com> | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation, version 2 of the License. | |
10 | * | |
11 | */ | |
12 | ||
13 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt | |
14 | ||
15 | #include <linux/err.h> | |
7d2ce232 | 16 | #include <linux/sched.h> |
65d543b2 | 17 | #include <linux/slab.h> |
7d2ce232 | 18 | #include <linux/cred.h> |
8607c501 DK |
19 | #include <linux/key-type.h> |
20 | #include <linux/digsig.h> | |
a511e1af DH |
21 | #include <crypto/public_key.h> |
22 | #include <keys/system_keyring.h> | |
8607c501 DK |
23 | |
24 | #include "integrity.h" | |
25 | ||
26 | static struct key *keyring[INTEGRITY_KEYRING_MAX]; | |
27 | ||
28 | static const char *keyring_name[INTEGRITY_KEYRING_MAX] = { | |
f4dc3778 | 29 | #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING |
8607c501 | 30 | "_evm", |
8607c501 | 31 | "_ima", |
7d2ce232 | 32 | #else |
f4dc3778 | 33 | ".evm", |
7d2ce232 MZ |
34 | ".ima", |
35 | #endif | |
f4dc3778 | 36 | "_module", |
8607c501 DK |
37 | }; |
38 | ||
f4dc3778 DK |
39 | #ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING |
40 | static bool init_keyring __initdata = true; | |
41 | #else | |
42 | static bool init_keyring __initdata; | |
43 | #endif | |
44 | ||
a511e1af DH |
45 | #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING |
46 | /* | |
47 | * Restrict the addition of keys into the IMA keyring. | |
48 | * | |
49 | * Any key that needs to go in .ima keyring must be signed by CA in | |
50 | * either .system or .ima_mok keyrings. | |
51 | */ | |
52 | static int restrict_link_by_ima_mok(struct key *keyring, | |
53 | const struct key_type *type, | |
54 | unsigned long flags, | |
55 | const union key_payload *payload) | |
56 | { | |
57 | int ret; | |
58 | ||
59 | ret = restrict_link_by_builtin_trusted(keyring, type, flags, payload); | |
60 | if (ret != -ENOKEY) | |
61 | return ret; | |
62 | ||
63 | return restrict_link_by_signature(get_ima_mok_keyring(), | |
64 | type, payload); | |
65 | } | |
66 | #else | |
67 | /* | |
68 | * If there's no system trusted keyring, then keys cannot be loaded into | |
69 | * .ima_mok and added keys cannot be marked trusted. | |
70 | */ | |
71 | #define restrict_link_by_ima_mok restrict_link_reject | |
72 | #endif | |
73 | ||
8607c501 | 74 | int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, |
089bc8e9 | 75 | const char *digest, int digestlen) |
8607c501 DK |
76 | { |
77 | if (id >= INTEGRITY_KEYRING_MAX) | |
78 | return -EINVAL; | |
79 | ||
80 | if (!keyring[id]) { | |
81 | keyring[id] = | |
34ef7bd3 | 82 | request_key(&key_type_keyring, keyring_name[id], NULL); |
8607c501 DK |
83 | if (IS_ERR(keyring[id])) { |
84 | int err = PTR_ERR(keyring[id]); | |
85 | pr_err("no %s keyring: %d\n", keyring_name[id], err); | |
86 | keyring[id] = NULL; | |
87 | return err; | |
88 | } | |
89 | } | |
90 | ||
b1aaab22 | 91 | switch (sig[1]) { |
e0751257 | 92 | case 1: |
b1aaab22 DK |
93 | /* v1 API expect signature without xattr type */ |
94 | return digsig_verify(keyring[id], sig + 1, siglen - 1, | |
e0751257 DK |
95 | digest, digestlen); |
96 | case 2: | |
97 | return asymmetric_verify(keyring[id], sig, siglen, | |
98 | digest, digestlen); | |
99 | } | |
100 | ||
101 | return -EOPNOTSUPP; | |
8607c501 | 102 | } |
7d2ce232 | 103 | |
d16a8585 | 104 | int __init integrity_init_keyring(const unsigned int id) |
7d2ce232 MZ |
105 | { |
106 | const struct cred *cred = current_cred(); | |
107 | int err = 0; | |
108 | ||
f4dc3778 DK |
109 | if (!init_keyring) |
110 | return 0; | |
111 | ||
7d2ce232 MZ |
112 | keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), |
113 | KGIDT_INIT(0), cred, | |
114 | ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | |
115 | KEY_USR_VIEW | KEY_USR_READ | | |
116 | KEY_USR_WRITE | KEY_USR_SEARCH), | |
5ac7eace | 117 | KEY_ALLOC_NOT_IN_QUOTA, |
a511e1af | 118 | restrict_link_by_ima_mok, NULL); |
5ac7eace | 119 | if (IS_ERR(keyring[id])) { |
7d2ce232 MZ |
120 | err = PTR_ERR(keyring[id]); |
121 | pr_info("Can't allocate %s keyring (%d)\n", | |
122 | keyring_name[id], err); | |
123 | keyring[id] = NULL; | |
124 | } | |
125 | return err; | |
126 | } | |
65d543b2 | 127 | |
9d03a721 | 128 | int __init integrity_load_x509(const unsigned int id, const char *path) |
65d543b2 DK |
129 | { |
130 | key_ref_t key; | |
131 | char *data; | |
132 | int rc; | |
133 | ||
134 | if (!keyring[id]) | |
135 | return -EINVAL; | |
136 | ||
137 | rc = integrity_read_file(path, &data); | |
138 | if (rc < 0) | |
139 | return rc; | |
140 | ||
141 | key = key_create_or_update(make_key_ref(keyring[id], 1), | |
142 | "asymmetric", | |
143 | NULL, | |
144 | data, | |
145 | rc, | |
146 | ((KEY_POS_ALL & ~KEY_POS_SETATTR) | | |
147 | KEY_USR_VIEW | KEY_USR_READ), | |
72e1eed8 | 148 | KEY_ALLOC_NOT_IN_QUOTA); |
65d543b2 DK |
149 | if (IS_ERR(key)) { |
150 | rc = PTR_ERR(key); | |
151 | pr_err("Problem loading X.509 certificate (%d): %s\n", | |
152 | rc, path); | |
153 | } else { | |
154 | pr_notice("Loaded X.509 cert '%s': %s\n", | |
155 | key_ref_to_ptr(key)->description, path); | |
156 | key_ref_put(key); | |
157 | } | |
158 | kfree(data); | |
159 | return 0; | |
160 | } |