xref: /openbmc/linux/certs/blacklist.c (revision 36de991e)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* System hash blacklist.
3  *
4  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) "blacklist: "fmt
9 #include <linux/module.h>
10 #include <linux/slab.h>
11 #include <linux/key.h>
12 #include <linux/key-type.h>
13 #include <linux/sched.h>
14 #include <linux/ctype.h>
15 #include <linux/err.h>
16 #include <linux/seq_file.h>
17 #include <linux/uidgid.h>
18 #include <keys/system_keyring.h>
19 #include "blacklist.h"
20 #include "common.h"
21 
22 static struct key *blacklist_keyring;
23 
24 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
25 extern __initconst const u8 revocation_certificate_list[];
26 extern __initconst const unsigned long revocation_certificate_list_size;
27 #endif
28 
29 /*
30  * The description must be a type prefix, a colon and then an even number of
31  * hex digits.  The hash is kept in the description.
32  */
33 static int blacklist_vet_description(const char *desc)
34 {
35 	int n = 0;
36 
37 	if (*desc == ':')
38 		return -EINVAL;
39 	for (; *desc; desc++)
40 		if (*desc == ':')
41 			goto found_colon;
42 	return -EINVAL;
43 
44 found_colon:
45 	desc++;
46 	for (; *desc; desc++) {
47 		if (!isxdigit(*desc) || isupper(*desc))
48 			return -EINVAL;
49 		n++;
50 	}
51 
52 	if (n == 0 || n & 1)
53 		return -EINVAL;
54 	return 0;
55 }
56 
57 /*
58  * The hash to be blacklisted is expected to be in the description.  There will
59  * be no payload.
60  */
61 static int blacklist_preparse(struct key_preparsed_payload *prep)
62 {
63 	if (prep->datalen > 0)
64 		return -EINVAL;
65 	return 0;
66 }
67 
68 static void blacklist_free_preparse(struct key_preparsed_payload *prep)
69 {
70 }
71 
72 static void blacklist_describe(const struct key *key, struct seq_file *m)
73 {
74 	seq_puts(m, key->description);
75 }
76 
77 static struct key_type key_type_blacklist = {
78 	.name			= "blacklist",
79 	.vet_description	= blacklist_vet_description,
80 	.preparse		= blacklist_preparse,
81 	.free_preparse		= blacklist_free_preparse,
82 	.instantiate		= generic_key_instantiate,
83 	.describe		= blacklist_describe,
84 };
85 
86 /**
87  * mark_hash_blacklisted - Add a hash to the system blacklist
88  * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
89  */
90 int mark_hash_blacklisted(const char *hash)
91 {
92 	key_ref_t key;
93 
94 	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
95 				   "blacklist",
96 				   hash,
97 				   NULL,
98 				   0,
99 				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
100 				    KEY_USR_VIEW),
101 				   KEY_ALLOC_NOT_IN_QUOTA |
102 				   KEY_ALLOC_BUILT_IN);
103 	if (IS_ERR(key)) {
104 		pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
105 		return PTR_ERR(key);
106 	}
107 	return 0;
108 }
109 
110 /**
111  * is_hash_blacklisted - Determine if a hash is blacklisted
112  * @hash: The hash to be checked as a binary blob
113  * @hash_len: The length of the binary hash
114  * @type: Type of hash
115  */
116 int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
117 {
118 	key_ref_t kref;
119 	size_t type_len = strlen(type);
120 	char *buffer, *p;
121 	int ret = 0;
122 
123 	buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
124 	if (!buffer)
125 		return -ENOMEM;
126 	p = memcpy(buffer, type, type_len);
127 	p += type_len;
128 	*p++ = ':';
129 	bin2hex(p, hash, hash_len);
130 	p += hash_len * 2;
131 	*p = 0;
132 
133 	kref = keyring_search(make_key_ref(blacklist_keyring, true),
134 			      &key_type_blacklist, buffer, false);
135 	if (!IS_ERR(kref)) {
136 		key_ref_put(kref);
137 		ret = -EKEYREJECTED;
138 	}
139 
140 	kfree(buffer);
141 	return ret;
142 }
143 EXPORT_SYMBOL_GPL(is_hash_blacklisted);
144 
145 int is_binary_blacklisted(const u8 *hash, size_t hash_len)
146 {
147 	if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
148 		return -EPERM;
149 
150 	return 0;
151 }
152 EXPORT_SYMBOL_GPL(is_binary_blacklisted);
153 
154 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
155 /**
156  * add_key_to_revocation_list - Add a revocation certificate to the blacklist
157  * @data: The data blob containing the certificate
158  * @size: The size of data blob
159  */
160 int add_key_to_revocation_list(const char *data, size_t size)
161 {
162 	key_ref_t key;
163 
164 	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
165 				   "asymmetric",
166 				   NULL,
167 				   data,
168 				   size,
169 				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
170 				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
171 
172 	if (IS_ERR(key)) {
173 		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
174 		return PTR_ERR(key);
175 	}
176 
177 	return 0;
178 }
179 
180 /**
181  * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
182  * @pkcs7: The PKCS#7 message to check
183  */
184 int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
185 {
186 	int ret;
187 
188 	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
189 
190 	if (ret == 0)
191 		return -EKEYREJECTED;
192 
193 	return -ENOKEY;
194 }
195 #endif
196 
197 /*
198  * Initialise the blacklist
199  */
200 static int __init blacklist_init(void)
201 {
202 	const char *const *bl;
203 
204 	if (register_key_type(&key_type_blacklist) < 0)
205 		panic("Can't allocate system blacklist key type\n");
206 
207 	blacklist_keyring =
208 		keyring_alloc(".blacklist",
209 			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
210 			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |
211 			      KEY_USR_VIEW | KEY_USR_READ |
212 			      KEY_USR_SEARCH,
213 			      KEY_ALLOC_NOT_IN_QUOTA |
214 			      KEY_ALLOC_SET_KEEP,
215 			      NULL, NULL);
216 	if (IS_ERR(blacklist_keyring))
217 		panic("Can't allocate system blacklist keyring\n");
218 
219 	for (bl = blacklist_hashes; *bl; bl++)
220 		if (mark_hash_blacklisted(*bl) < 0)
221 			pr_err("- blacklisting failed\n");
222 	return 0;
223 }
224 
225 /*
226  * Must be initialised before we try and load the keys into the keyring.
227  */
228 device_initcall(blacklist_init);
229 
230 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
231 /*
232  * Load the compiled-in list of revocation X.509 certificates.
233  */
234 static __init int load_revocation_certificate_list(void)
235 {
236 	if (revocation_certificate_list_size)
237 		pr_notice("Loading compiled-in revocation X.509 certificates\n");
238 
239 	return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
240 				     blacklist_keyring);
241 }
242 late_initcall(load_revocation_certificate_list);
243 #endif
244