1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Intel Corporation 4 * 5 * Author: 6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com> 7 */ 8 9 #include <linux/err.h> 10 #include <linux/sched.h> 11 #include <linux/slab.h> 12 #include <linux/cred.h> 13 #include <linux/kernel_read_file.h> 14 #include <linux/key-type.h> 15 #include <linux/digsig.h> 16 #include <linux/vmalloc.h> 17 #include <crypto/public_key.h> 18 #include <keys/system_keyring.h> 19 20 #include "integrity.h" 21 22 static struct key *keyring[INTEGRITY_KEYRING_MAX]; 23 24 static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { 25 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING 26 "_evm", 27 "_ima", 28 #else 29 ".evm", 30 ".ima", 31 #endif 32 ".platform", 33 }; 34 35 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 36 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted 37 #else 38 #define restrict_link_to_ima restrict_link_by_builtin_trusted 39 #endif 40 41 static struct key *integrity_keyring_from_id(const unsigned int id) 42 { 43 if (id >= INTEGRITY_KEYRING_MAX) 44 return ERR_PTR(-EINVAL); 45 46 if (!keyring[id]) { 47 keyring[id] = 48 request_key(&key_type_keyring, keyring_name[id], NULL); 49 if (IS_ERR(keyring[id])) { 50 int err = PTR_ERR(keyring[id]); 51 pr_err("no %s keyring: %d\n", keyring_name[id], err); 52 keyring[id] = NULL; 53 return ERR_PTR(err); 54 } 55 } 56 57 return keyring[id]; 58 } 59 60 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 61 const char *digest, int digestlen) 62 { 63 struct key *keyring; 64 65 if (siglen < 2) 66 return -EINVAL; 67 68 keyring = integrity_keyring_from_id(id); 69 if (IS_ERR(keyring)) 70 return PTR_ERR(keyring); 71 72 switch (sig[1]) { 73 case 1: 74 /* v1 API expect signature without xattr type */ 75 return digsig_verify(keyring, sig + 1, siglen - 1, digest, 76 digestlen); 77 case 2: 78 return asymmetric_verify(keyring, sig, siglen, digest, 79 digestlen); 80 } 81 82 return -EOPNOTSUPP; 83 } 84 85 int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig) 86 { 87 struct key *keyring; 88 89 keyring = integrity_keyring_from_id(id); 90 if (IS_ERR(keyring)) 91 return PTR_ERR(keyring); 92 93 return ima_modsig_verify(keyring, modsig); 94 } 95 96 static int __init __integrity_init_keyring(const unsigned int id, 97 key_perm_t perm, 98 struct key_restriction *restriction) 99 { 100 const struct cred *cred = current_cred(); 101 int err = 0; 102 103 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), 104 KGIDT_INIT(0), cred, perm, 105 KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL); 106 if (IS_ERR(keyring[id])) { 107 err = PTR_ERR(keyring[id]); 108 pr_info("Can't allocate %s keyring (%d)\n", 109 keyring_name[id], err); 110 keyring[id] = NULL; 111 } else { 112 if (id == INTEGRITY_KEYRING_PLATFORM) 113 set_platform_trusted_keys(keyring[id]); 114 } 115 116 return err; 117 } 118 119 int __init integrity_init_keyring(const unsigned int id) 120 { 121 struct key_restriction *restriction; 122 key_perm_t perm; 123 124 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW 125 | KEY_USR_READ | KEY_USR_SEARCH; 126 127 if (id == INTEGRITY_KEYRING_PLATFORM) { 128 restriction = NULL; 129 goto out; 130 } 131 132 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) 133 return 0; 134 135 restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL); 136 if (!restriction) 137 return -ENOMEM; 138 139 restriction->check = restrict_link_to_ima; 140 perm |= KEY_USR_WRITE; 141 142 out: 143 return __integrity_init_keyring(id, perm, restriction); 144 } 145 146 static int __init integrity_add_key(const unsigned int id, const void *data, 147 off_t size, key_perm_t perm) 148 { 149 key_ref_t key; 150 int rc = 0; 151 152 if (!keyring[id]) 153 return -EINVAL; 154 155 key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric", 156 NULL, data, size, perm, 157 KEY_ALLOC_NOT_IN_QUOTA); 158 if (IS_ERR(key)) { 159 rc = PTR_ERR(key); 160 pr_err("Problem loading X.509 certificate %d\n", rc); 161 } else { 162 pr_notice("Loaded X.509 cert '%s'\n", 163 key_ref_to_ptr(key)->description); 164 key_ref_put(key); 165 } 166 167 return rc; 168 169 } 170 171 int __init integrity_load_x509(const unsigned int id, const char *path) 172 { 173 void *data = NULL; 174 size_t size; 175 int rc; 176 key_perm_t perm; 177 178 rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL, 179 READING_X509_CERTIFICATE); 180 if (rc < 0) { 181 pr_err("Unable to open file: %s (%d)", path, rc); 182 return rc; 183 } 184 size = rc; 185 186 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ; 187 188 pr_info("Loading X.509 certificate: %s\n", path); 189 rc = integrity_add_key(id, (const void *)data, size, perm); 190 191 vfree(data); 192 return rc; 193 } 194 195 int __init integrity_load_cert(const unsigned int id, const char *source, 196 const void *data, size_t len, key_perm_t perm) 197 { 198 if (!data) 199 return -EINVAL; 200 201 pr_info("Loading X.509 certificate: %s\n", source); 202 return integrity_add_key(id, data, len, perm); 203 } 204