1 /* System trusted keyring for trusted public keys 2 * 3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public Licence 8 * as published by the Free Software Foundation; either version 9 * 2 of the Licence, or (at your option) any later version. 10 */ 11 12 #include <linux/export.h> 13 #include <linux/kernel.h> 14 #include <linux/sched.h> 15 #include <linux/cred.h> 16 #include <linux/err.h> 17 #include <keys/asymmetric-type.h> 18 #include <keys/system_keyring.h> 19 #include <crypto/pkcs7.h> 20 21 struct key *system_trusted_keyring; 22 EXPORT_SYMBOL_GPL(system_trusted_keyring); 23 24 extern __initconst const u8 system_certificate_list[]; 25 extern __initconst const unsigned long system_certificate_list_size; 26 27 /* 28 * Load the compiled-in keys 29 */ 30 static __init int system_trusted_keyring_init(void) 31 { 32 pr_notice("Initialise system trusted keyring\n"); 33 34 system_trusted_keyring = 35 keyring_alloc(".system_keyring", 36 KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), 37 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 38 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), 39 KEY_ALLOC_NOT_IN_QUOTA, NULL); 40 if (IS_ERR(system_trusted_keyring)) 41 panic("Can't allocate system trusted keyring\n"); 42 43 set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); 44 return 0; 45 } 46 47 /* 48 * Must be initialised before we try and load the keys into the keyring. 49 */ 50 device_initcall(system_trusted_keyring_init); 51 52 /* 53 * Load the compiled-in list of X.509 certificates. 54 */ 55 static __init int load_system_certificate_list(void) 56 { 57 key_ref_t key; 58 const u8 *p, *end; 59 size_t plen; 60 61 pr_notice("Loading compiled-in X.509 certificates\n"); 62 63 p = system_certificate_list; 64 end = p + system_certificate_list_size; 65 while (p < end) { 66 /* Each cert begins with an ASN.1 SEQUENCE tag and must be more 67 * than 256 bytes in size. 68 */ 69 if (end - p < 4) 70 goto dodgy_cert; 71 if (p[0] != 0x30 && 72 p[1] != 0x82) 73 goto dodgy_cert; 74 plen = (p[2] << 8) | p[3]; 75 plen += 4; 76 if (plen > end - p) 77 goto dodgy_cert; 78 79 key = key_create_or_update(make_key_ref(system_trusted_keyring, 1), 80 "asymmetric", 81 NULL, 82 p, 83 plen, 84 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 85 KEY_USR_VIEW | KEY_USR_READ), 86 KEY_ALLOC_NOT_IN_QUOTA | 87 KEY_ALLOC_TRUSTED); 88 if (IS_ERR(key)) { 89 pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", 90 PTR_ERR(key)); 91 } else { 92 set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags); 93 pr_notice("Loaded X.509 cert '%s'\n", 94 key_ref_to_ptr(key)->description); 95 key_ref_put(key); 96 } 97 p += plen; 98 } 99 100 return 0; 101 102 dodgy_cert: 103 pr_err("Problem parsing in-kernel X.509 certificate list\n"); 104 return 0; 105 } 106 late_initcall(load_system_certificate_list); 107 108 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION 109 110 /** 111 * Verify a PKCS#7-based signature on system data. 112 * @data: The data to be verified. 113 * @len: Size of @data. 114 * @raw_pkcs7: The PKCS#7 message that is the signature. 115 * @pkcs7_len: The size of @raw_pkcs7. 116 * @usage: The use to which the key is being put. 117 */ 118 int system_verify_data(const void *data, unsigned long len, 119 const void *raw_pkcs7, size_t pkcs7_len, 120 enum key_being_used_for usage) 121 { 122 struct pkcs7_message *pkcs7; 123 bool trusted; 124 int ret; 125 126 pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); 127 if (IS_ERR(pkcs7)) 128 return PTR_ERR(pkcs7); 129 130 /* The data should be detached - so we need to supply it. */ 131 if (pkcs7_supply_detached_data(pkcs7, data, len) < 0) { 132 pr_err("PKCS#7 signature with non-detached data\n"); 133 ret = -EBADMSG; 134 goto error; 135 } 136 137 ret = pkcs7_verify(pkcs7, usage); 138 if (ret < 0) 139 goto error; 140 141 ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted); 142 if (ret < 0) 143 goto error; 144 145 if (!trusted) { 146 pr_err("PKCS#7 signature not signed with a trusted key\n"); 147 ret = -ENOKEY; 148 } 149 150 error: 151 pkcs7_free_message(pkcs7); 152 pr_devel("<==%s() = %d\n", __func__, ret); 153 return ret; 154 } 155 EXPORT_SYMBOL_GPL(system_verify_data); 156 157 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ 158