xref: /openbmc/linux/certs/system_keyring.c (revision eb3fcf00)
1 /* System trusted keyring for trusted public keys
2  *
3  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public Licence
8  * as published by the Free Software Foundation; either version
9  * 2 of the Licence, or (at your option) any later version.
10  */
11 
12 #include <linux/export.h>
13 #include <linux/kernel.h>
14 #include <linux/sched.h>
15 #include <linux/cred.h>
16 #include <linux/err.h>
17 #include <keys/asymmetric-type.h>
18 #include <keys/system_keyring.h>
19 #include <crypto/pkcs7.h>
20 
21 struct key *system_trusted_keyring;
22 EXPORT_SYMBOL_GPL(system_trusted_keyring);
23 
24 extern __initconst const u8 system_certificate_list[];
25 extern __initconst const unsigned long system_certificate_list_size;
26 
27 /*
28  * Load the compiled-in keys
29  */
30 static __init int system_trusted_keyring_init(void)
31 {
32 	pr_notice("Initialise system trusted keyring\n");
33 
34 	system_trusted_keyring =
35 		keyring_alloc(".system_keyring",
36 			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
37 			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
38 			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
39 			      KEY_ALLOC_NOT_IN_QUOTA, NULL);
40 	if (IS_ERR(system_trusted_keyring))
41 		panic("Can't allocate system trusted keyring\n");
42 
43 	set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
44 	return 0;
45 }
46 
47 /*
48  * Must be initialised before we try and load the keys into the keyring.
49  */
50 device_initcall(system_trusted_keyring_init);
51 
52 /*
53  * Load the compiled-in list of X.509 certificates.
54  */
55 static __init int load_system_certificate_list(void)
56 {
57 	key_ref_t key;
58 	const u8 *p, *end;
59 	size_t plen;
60 
61 	pr_notice("Loading compiled-in X.509 certificates\n");
62 
63 	p = system_certificate_list;
64 	end = p + system_certificate_list_size;
65 	while (p < end) {
66 		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
67 		 * than 256 bytes in size.
68 		 */
69 		if (end - p < 4)
70 			goto dodgy_cert;
71 		if (p[0] != 0x30 &&
72 		    p[1] != 0x82)
73 			goto dodgy_cert;
74 		plen = (p[2] << 8) | p[3];
75 		plen += 4;
76 		if (plen > end - p)
77 			goto dodgy_cert;
78 
79 		key = key_create_or_update(make_key_ref(system_trusted_keyring, 1),
80 					   "asymmetric",
81 					   NULL,
82 					   p,
83 					   plen,
84 					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
85 					   KEY_USR_VIEW | KEY_USR_READ),
86 					   KEY_ALLOC_NOT_IN_QUOTA |
87 					   KEY_ALLOC_TRUSTED);
88 		if (IS_ERR(key)) {
89 			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
90 			       PTR_ERR(key));
91 		} else {
92 			set_bit(KEY_FLAG_BUILTIN, &key_ref_to_ptr(key)->flags);
93 			pr_notice("Loaded X.509 cert '%s'\n",
94 				  key_ref_to_ptr(key)->description);
95 			key_ref_put(key);
96 		}
97 		p += plen;
98 	}
99 
100 	return 0;
101 
102 dodgy_cert:
103 	pr_err("Problem parsing in-kernel X.509 certificate list\n");
104 	return 0;
105 }
106 late_initcall(load_system_certificate_list);
107 
108 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
109 
110 /**
111  * Verify a PKCS#7-based signature on system data.
112  * @data: The data to be verified.
113  * @len: Size of @data.
114  * @raw_pkcs7: The PKCS#7 message that is the signature.
115  * @pkcs7_len: The size of @raw_pkcs7.
116  * @usage: The use to which the key is being put.
117  */
118 int system_verify_data(const void *data, unsigned long len,
119 		       const void *raw_pkcs7, size_t pkcs7_len,
120 		       enum key_being_used_for usage)
121 {
122 	struct pkcs7_message *pkcs7;
123 	bool trusted;
124 	int ret;
125 
126 	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
127 	if (IS_ERR(pkcs7))
128 		return PTR_ERR(pkcs7);
129 
130 	/* The data should be detached - so we need to supply it. */
131 	if (pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
132 		pr_err("PKCS#7 signature with non-detached data\n");
133 		ret = -EBADMSG;
134 		goto error;
135 	}
136 
137 	ret = pkcs7_verify(pkcs7, usage);
138 	if (ret < 0)
139 		goto error;
140 
141 	ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
142 	if (ret < 0)
143 		goto error;
144 
145 	if (!trusted) {
146 		pr_err("PKCS#7 signature not signed with a trusted key\n");
147 		ret = -ENOKEY;
148 	}
149 
150 error:
151 	pkcs7_free_message(pkcs7);
152 	pr_devel("<==%s() = %d\n", __func__, ret);
153 	return ret;
154 }
155 EXPORT_SYMBOL_GPL(system_verify_data);
156 
157 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
158