the-tree/certs/blacklist.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* System hash blacklist.
0003  *
0004  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #define pr_fmt(fmt) "blacklist: "fmt
0009 #include <linux/module.h>
0010 #include <linux/slab.h>
0011 #include <linux/key.h>
0012 #include <linux/key-type.h>
0013 #include <linux/sched.h>
0014 #include <linux/ctype.h>
0015 #include <linux/err.h>
0016 #include <linux/seq_file.h>
0017 #include <linux/uidgid.h>
0018 #include <keys/asymmetric-type.h>
0019 #include <keys/system_keyring.h>
0020 #include "blacklist.h"
0021
0022 /*
0023  * According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(),
0024  * the size of the currently longest supported hash algorithm is 512 bits,
0025  * which translates into 128 hex characters.
0026  */
0027 #define MAX_HASH_LEN    128
0028
0029 #define BLACKLIST_KEY_PERM (KEY_POS_SEARCH | KEY_POS_VIEW | \
0030                 KEY_USR_SEARCH | KEY_USR_VIEW)
0031
0032 static const char tbs_prefix[] = "tbs";
0033 static const char bin_prefix[] = "bin";
0034
0035 static struct key *blacklist_keyring;
0036
0037 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
0038 extern __initconst const u8 revocation_certificate_list[];
0039 extern __initconst const unsigned long revocation_certificate_list_size;
0040 #endif
0041
0042 /*
0043  * The description must be a type prefix, a colon and then an even number of
0044  * hex digits.  The hash is kept in the description.
0045  */
0046 static int blacklist_vet_description(const char *desc)
0047 {
0048     int i, prefix_len, tbs_step = 0, bin_step = 0;
0049
0050     /* The following algorithm only works if prefix lengths match. */
0051     BUILD_BUG_ON(sizeof(tbs_prefix) != sizeof(bin_prefix));
0052     prefix_len = sizeof(tbs_prefix) - 1;
0053     for (i = 0; *desc; desc++, i++) {
0054         if (*desc == ':') {
0055             if (tbs_step == prefix_len)
0056                 goto found_colon;
0057             if (bin_step == prefix_len)
0058                 goto found_colon;
0059             return -EINVAL;
0060         }
0061         if (i >= prefix_len)
0062             return -EINVAL;
0063         if (*desc == tbs_prefix[i])
0064             tbs_step++;
0065         if (*desc == bin_prefix[i])
0066             bin_step++;
0067     }
0068     return -EINVAL;
0069
0070 found_colon:
0071     desc++;
0072     for (i = 0; *desc && i < MAX_HASH_LEN; desc++, i++) {
0073         if (!isxdigit(*desc) || isupper(*desc))
0074             return -EINVAL;
0075     }
0076     if (*desc)
0077         /* The hash is greater than MAX_HASH_LEN. */
0078         return -ENOPKG;
0079
0080     /* Checks for an even number of hexadecimal characters. */
0081     if (i == 0 || i & 1)
0082         return -EINVAL;
0083     return 0;
0084 }
0085
0086 static int blacklist_key_instantiate(struct key *key,
0087         struct key_preparsed_payload *prep)
0088 {
0089 #ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE
0090     int err;
0091 #endif
0092
0093     /* Sets safe default permissions for keys loaded by user space. */
0094     key->perm = BLACKLIST_KEY_PERM;
0095
0096     /*
0097      * Skips the authentication step for builtin hashes, they are not
0098      * signed but still trusted.
0099      */
0100     if (key->flags & (1 << KEY_FLAG_BUILTIN))
0101         goto out;
0102
0103 #ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE
0104     /*
0105      * Verifies the description's PKCS#7 signature against the builtin
0106      * trusted keyring.
0107      */
0108     err = verify_pkcs7_signature(key->description,
0109             strlen(key->description), prep->data, prep->datalen,
0110             NULL, VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
0111     if (err)
0112         return err;
0113 #else
0114     /*
0115      * It should not be possible to come here because the keyring doesn't
0116      * have KEY_USR_WRITE and the only other way to call this function is
0117      * for builtin hashes.
0118      */
0119     WARN_ON_ONCE(1);
0120     return -EPERM;
0121 #endif
0122
0123 out:
0124     return generic_key_instantiate(key, prep);
0125 }
0126
0127 static int blacklist_key_update(struct key *key,
0128         struct key_preparsed_payload *prep)
0129 {
0130     return -EPERM;
0131 }
0132
0133 static void blacklist_describe(const struct key *key, struct seq_file *m)
0134 {
0135     seq_puts(m, key->description);
0136 }
0137
0138 static struct key_type key_type_blacklist = {
0139     .name           = "blacklist",
0140     .vet_description    = blacklist_vet_description,
0141     .instantiate        = blacklist_key_instantiate,
0142     .update         = blacklist_key_update,
0143     .describe       = blacklist_describe,
0144 };
0145
0146 static char *get_raw_hash(const u8 *hash, size_t hash_len,
0147         enum blacklist_hash_type hash_type)
0148 {
0149     size_t type_len;
0150     const char *type_prefix;
0151     char *buffer, *p;
0152
0153     switch (hash_type) {
0154     case BLACKLIST_HASH_X509_TBS:
0155         type_len = sizeof(tbs_prefix) - 1;
0156         type_prefix = tbs_prefix;
0157         break;
0158     case BLACKLIST_HASH_BINARY:
0159         type_len = sizeof(bin_prefix) - 1;
0160         type_prefix = bin_prefix;
0161         break;
0162     default:
0163         WARN_ON_ONCE(1);
0164         return ERR_PTR(-EINVAL);
0165     }
0166     buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
0167     if (!buffer)
0168         return ERR_PTR(-ENOMEM);
0169     p = memcpy(buffer, type_prefix, type_len);
0170     p += type_len;
0171     *p++ = ':';
0172     bin2hex(p, hash, hash_len);
0173     p += hash_len * 2;
0174     *p = '\0';
0175     return buffer;
0176 }
0177
0178 /**
0179  * mark_raw_hash_blacklisted - Add a hash to the system blacklist
0180  * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
0181  */
0182 static int mark_raw_hash_blacklisted(const char *hash)
0183 {
0184     key_ref_t key;
0185
0186     key = key_create_or_update(make_key_ref(blacklist_keyring, true),
0187                    "blacklist",
0188                    hash,
0189                    NULL,
0190                    0,
0191                    BLACKLIST_KEY_PERM,
0192                    KEY_ALLOC_NOT_IN_QUOTA |
0193                    KEY_ALLOC_BUILT_IN);
0194     if (IS_ERR(key)) {
0195         pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
0196         return PTR_ERR(key);
0197     }
0198     return 0;
0199 }
0200
0201 int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
0202         enum blacklist_hash_type hash_type)
0203 {
0204     const char *buffer;
0205     int err;
0206
0207     buffer = get_raw_hash(hash, hash_len, hash_type);
0208     if (IS_ERR(buffer))
0209         return PTR_ERR(buffer);
0210     err = mark_raw_hash_blacklisted(buffer);
0211     kfree(buffer);
0212     return err;
0213 }
0214
0215 /**
0216  * is_hash_blacklisted - Determine if a hash is blacklisted
0217  * @hash: The hash to be checked as a binary blob
0218  * @hash_len: The length of the binary hash
0219  * @hash_type: Type of hash
0220  */
0221 int is_hash_blacklisted(const u8 *hash, size_t hash_len,
0222         enum blacklist_hash_type hash_type)
0223 {
0224     key_ref_t kref;
0225     const char *buffer;
0226     int ret = 0;
0227
0228     buffer = get_raw_hash(hash, hash_len, hash_type);
0229     if (IS_ERR(buffer))
0230         return PTR_ERR(buffer);
0231     kref = keyring_search(make_key_ref(blacklist_keyring, true),
0232                   &key_type_blacklist, buffer, false);
0233     if (!IS_ERR(kref)) {
0234         key_ref_put(kref);
0235         ret = -EKEYREJECTED;
0236     }
0237
0238     kfree(buffer);
0239     return ret;
0240 }
0241 EXPORT_SYMBOL_GPL(is_hash_blacklisted);
0242
0243 int is_binary_blacklisted(const u8 *hash, size_t hash_len)
0244 {
0245     if (is_hash_blacklisted(hash, hash_len, BLACKLIST_HASH_BINARY) ==
0246             -EKEYREJECTED)
0247         return -EPERM;
0248
0249     return 0;
0250 }
0251 EXPORT_SYMBOL_GPL(is_binary_blacklisted);
0252
0253 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
0254 /**
0255  * add_key_to_revocation_list - Add a revocation certificate to the blacklist
0256  * @data: The data blob containing the certificate
0257  * @size: The size of data blob
0258  */
0259 int add_key_to_revocation_list(const char *data, size_t size)
0260 {
0261     key_ref_t key;
0262
0263     key = key_create_or_update(make_key_ref(blacklist_keyring, true),
0264                    "asymmetric",
0265                    NULL,
0266                    data,
0267                    size,
0268                    KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH
0269                    | KEY_USR_VIEW,
0270                    KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN
0271                    | KEY_ALLOC_BYPASS_RESTRICTION);
0272
0273     if (IS_ERR(key)) {
0274         pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
0275         return PTR_ERR(key);
0276     }
0277
0278     return 0;
0279 }
0280
0281 /**
0282  * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
0283  * @pkcs7: The PKCS#7 message to check
0284  */
0285 int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
0286 {
0287     int ret;
0288
0289     ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
0290
0291     if (ret == 0)
0292         return -EKEYREJECTED;
0293
0294     return -ENOKEY;
0295 }
0296 #endif
0297
0298 static int restrict_link_for_blacklist(struct key *dest_keyring,
0299         const struct key_type *type, const union key_payload *payload,
0300         struct key *restrict_key)
0301 {
0302     if (type == &key_type_blacklist)
0303         return 0;
0304     return -EOPNOTSUPP;
0305 }
0306
0307 /*
0308  * Initialise the blacklist
0309  *
0310  * The blacklist_init() function is registered as an initcall via
0311  * device_initcall().  As a result if the blacklist_init() function fails for
0312  * any reason the kernel continues to execute.  While cleanly returning -ENODEV
0313  * could be acceptable for some non-critical kernel parts, if the blacklist
0314  * keyring fails to load it defeats the certificate/key based deny list for
0315  * signed modules.  If a critical piece of security functionality that users
0316  * expect to be present fails to initialize, panic()ing is likely the right
0317  * thing to do.
0318  */
0319 static int __init blacklist_init(void)
0320 {
0321     const char *const *bl;
0322     struct key_restriction *restriction;
0323
0324     if (register_key_type(&key_type_blacklist) < 0)
0325         panic("Can't allocate system blacklist key type\n");
0326
0327     restriction = kzalloc(sizeof(*restriction), GFP_KERNEL);
0328     if (!restriction)
0329         panic("Can't allocate blacklist keyring restriction\n");
0330     restriction->check = restrict_link_for_blacklist;
0331
0332     blacklist_keyring =
0333         keyring_alloc(".blacklist",
0334                   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
0335                   KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH |
0336                   KEY_POS_WRITE |
0337                   KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH
0338 #ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE
0339                   | KEY_USR_WRITE
0340 #endif
0341                   , KEY_ALLOC_NOT_IN_QUOTA |
0342                   KEY_ALLOC_SET_KEEP,
0343                   restriction, NULL);
0344     if (IS_ERR(blacklist_keyring))
0345         panic("Can't allocate system blacklist keyring\n");
0346
0347     for (bl = blacklist_hashes; *bl; bl++)
0348         if (mark_raw_hash_blacklisted(*bl) < 0)
0349             pr_err("- blacklisting failed\n");
0350     return 0;
0351 }
0352
0353 /*
0354  * Must be initialised before we try and load the keys into the keyring.
0355  */
0356 device_initcall(blacklist_init);
0357
0358 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
0359 /*
0360  * Load the compiled-in list of revocation X.509 certificates.
0361  */
0362 static __init int load_revocation_certificate_list(void)
0363 {
0364     if (revocation_certificate_list_size)
0365         pr_notice("Loading compiled-in revocation X.509 certificates\n");
0366
0367     return x509_load_certificate_list(revocation_certificate_list,
0368                       revocation_certificate_list_size,
0369                       blacklist_keyring);
0370 }
0371 late_initcall(load_revocation_certificate_list);
0372 #endif