1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Intel Corporation 4 * 5 * Author: 6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com> 7 */ 8 9 #include <linux/err.h> 10 #include <linux/sched.h> 11 #include <linux/slab.h> 12 #include <linux/cred.h> 13 #include <linux/kernel_read_file.h> 14 #include <linux/key-type.h> 15 #include <linux/digsig.h> 16 #include <linux/vmalloc.h> 17 #include <crypto/public_key.h> 18 #include <keys/system_keyring.h> 19 20 #include "integrity.h" 21 22 static struct key *keyring[INTEGRITY_KEYRING_MAX]; 23 24 static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { 25 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING 26 "_evm", 27 "_ima", 28 #else 29 ".evm", 30 ".ima", 31 #endif 32 ".platform", 33 ".machine", 34 }; 35 36 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 37 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted 38 #else 39 #define restrict_link_to_ima restrict_link_by_builtin_trusted 40 #endif 41 42 static struct key *integrity_keyring_from_id(const unsigned int id) 43 { 44 if (id >= INTEGRITY_KEYRING_MAX) 45 return ERR_PTR(-EINVAL); 46 47 if (!keyring[id]) { 48 keyring[id] = 49 request_key(&key_type_keyring, keyring_name[id], NULL); 50 if (IS_ERR(keyring[id])) { 51 int err = PTR_ERR(keyring[id]); 52 pr_err("no %s keyring: %d\n", keyring_name[id], err); 53 keyring[id] = NULL; 54 return ERR_PTR(err); 55 } 56 } 57 58 return keyring[id]; 59 } 60 61 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 62 const char *digest, int digestlen) 63 { 64 struct key *keyring; 65 66 if (siglen < 2) 67 return -EINVAL; 68 69 keyring = integrity_keyring_from_id(id); 70 if (IS_ERR(keyring)) 71 return PTR_ERR(keyring); 72 73 switch (sig[1]) { 74 case 1: 75 /* v1 API expect signature without xattr type */ 76 return digsig_verify(keyring, sig + 1, siglen - 1, digest, 77 digestlen); 78 case 2: /* regular file data hash based signature */ 79 case 3: /* struct ima_file_id data based signature */ 80 return asymmetric_verify(keyring, sig, siglen, digest, 81 digestlen); 82 } 83 84 return -EOPNOTSUPP; 85 } 86 87 int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig) 88 { 89 struct key *keyring; 90 91 keyring = integrity_keyring_from_id(id); 92 if (IS_ERR(keyring)) 93 return PTR_ERR(keyring); 94 95 return ima_modsig_verify(keyring, modsig); 96 } 97 98 static int __init __integrity_init_keyring(const unsigned int id, 99 key_perm_t perm, 100 struct key_restriction *restriction) 101 { 102 const struct cred *cred = current_cred(); 103 int err = 0; 104 105 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), 106 KGIDT_INIT(0), cred, perm, 107 KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL); 108 if (IS_ERR(keyring[id])) { 109 err = PTR_ERR(keyring[id]); 110 pr_info("Can't allocate %s keyring (%d)\n", 111 keyring_name[id], err); 112 keyring[id] = NULL; 113 } else { 114 if (id == INTEGRITY_KEYRING_PLATFORM) 115 set_platform_trusted_keys(keyring[id]); 116 if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist()) 117 set_machine_trusted_keys(keyring[id]); 118 if (id == INTEGRITY_KEYRING_IMA) 119 load_module_cert(keyring[id]); 120 } 121 122 return err; 123 } 124 125 int __init integrity_init_keyring(const unsigned int id) 126 { 127 struct key_restriction *restriction; 128 key_perm_t perm; 129 int ret; 130 131 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW 132 | KEY_USR_READ | KEY_USR_SEARCH; 133 134 if (id == INTEGRITY_KEYRING_PLATFORM || 135 id == INTEGRITY_KEYRING_MACHINE) { 136 restriction = NULL; 137 goto out; 138 } 139 140 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) 141 return 0; 142 143 restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); 144 if (!restriction) 145 return -ENOMEM; 146 147 restriction->check = restrict_link_to_ima; 148 149 /* 150 * MOK keys can only be added through a read-only runtime services 151 * UEFI variable during boot. No additional keys shall be allowed to 152 * load into the machine keyring following init from userspace. 153 */ 154 if (id != INTEGRITY_KEYRING_MACHINE) 155 perm |= KEY_USR_WRITE; 156 157 out: 158 ret = __integrity_init_keyring(id, perm, restriction); 159 if (ret) 160 kfree(restriction); 161 return ret; 162 } 163 164 static int __init integrity_add_key(const unsigned int id, const void *data, 165 off_t size, key_perm_t perm) 166 { 167 key_ref_t key; 168 int rc = 0; 169 170 if (!keyring[id]) 171 return -EINVAL; 172 173 key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric", 174 NULL, data, size, perm, 175 KEY_ALLOC_NOT_IN_QUOTA); 176 if (IS_ERR(key)) { 177 rc = PTR_ERR(key); 178 pr_err("Problem loading X.509 certificate %d\n", rc); 179 } else { 180 pr_notice("Loaded X.509 cert '%s'\n", 181 key_ref_to_ptr(key)->description); 182 key_ref_put(key); 183 } 184 185 return rc; 186 187 } 188 189 int __init integrity_load_x509(const unsigned int id, const char *path) 190 { 191 void *data = NULL; 192 size_t size; 193 int rc; 194 key_perm_t perm; 195 196 rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL, 197 READING_X509_CERTIFICATE); 198 if (rc < 0) { 199 pr_err("Unable to open file: %s (%d)", path, rc); 200 return rc; 201 } 202 size = rc; 203 204 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ; 205 206 pr_info("Loading X.509 certificate: %s\n", path); 207 rc = integrity_add_key(id, (const void *)data, size, perm); 208 209 vfree(data); 210 return rc; 211 } 212 213 int __init integrity_load_cert(const unsigned int id, const char *source, 214 const void *data, size_t len, key_perm_t perm) 215 { 216 if (!data) 217 return -EINVAL; 218 219 pr_info("Loading X.509 certificate: %s\n", source); 220 return integrity_add_key(id, data, len, perm); 221 } 222