the-tree/certs/system_keyring.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* System trusted keyring for trusted public keys
0003  *
0004  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #include <linux/export.h>
0009 #include <linux/kernel.h>
0010 #include <linux/sched.h>
0011 #include <linux/cred.h>
0012 #include <linux/err.h>
0013 #include <linux/slab.h>
0014 #include <linux/uidgid.h>
0015 #include <linux/verification.h>
0016 #include <keys/asymmetric-type.h>
0017 #include <keys/system_keyring.h>
0018 #include <crypto/pkcs7.h>
0019
0020 static struct key *builtin_trusted_keys;
0021 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
0022 static struct key *secondary_trusted_keys;
0023 #endif
0024 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
0025 static struct key *machine_trusted_keys;
0026 #endif
0027 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
0028 static struct key *platform_trusted_keys;
0029 #endif
0030
0031 extern __initconst const u8 system_certificate_list[];
0032 extern __initconst const unsigned long system_certificate_list_size;
0033 extern __initconst const unsigned long module_cert_size;
0034
0035 /**
0036  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
0037  *
0038  * Restrict the addition of keys into a keyring based on the key-to-be-added
0039  * being vouched for by a key in the built in system keyring.
0040  */
0041 int restrict_link_by_builtin_trusted(struct key *dest_keyring,
0042                      const struct key_type *type,
0043                      const union key_payload *payload,
0044                      struct key *restriction_key)
0045 {
0046     return restrict_link_by_signature(dest_keyring, type, payload,
0047                       builtin_trusted_keys);
0048 }
0049
0050 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
0051 /**
0052  * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
0053  *   addition by both builtin and secondary keyrings
0054  *
0055  * Restrict the addition of keys into a keyring based on the key-to-be-added
0056  * being vouched for by a key in either the built-in or the secondary system
0057  * keyrings.
0058  */
0059 int restrict_link_by_builtin_and_secondary_trusted(
0060     struct key *dest_keyring,
0061     const struct key_type *type,
0062     const union key_payload *payload,
0063     struct key *restrict_key)
0064 {
0065     /* If we have a secondary trusted keyring, then that contains a link
0066      * through to the builtin keyring and the search will follow that link.
0067      */
0068     if (type == &key_type_keyring &&
0069         dest_keyring == secondary_trusted_keys &&
0070         payload == &builtin_trusted_keys->payload)
0071         /* Allow the builtin keyring to be added to the secondary */
0072         return 0;
0073
0074     return restrict_link_by_signature(dest_keyring, type, payload,
0075                       secondary_trusted_keys);
0076 }
0077
0078 /**
0079  * Allocate a struct key_restriction for the "builtin and secondary trust"
0080  * keyring. Only for use in system_trusted_keyring_init().
0081  */
0082 static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
0083 {
0084     struct key_restriction *restriction;
0085
0086     restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
0087
0088     if (!restriction)
0089         panic("Can't allocate secondary trusted keyring restriction\n");
0090
0091     if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
0092         restriction->check = restrict_link_by_builtin_secondary_and_machine;
0093     else
0094         restriction->check = restrict_link_by_builtin_and_secondary_trusted;
0095
0096     return restriction;
0097 }
0098 #endif
0099 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
0100 void __init set_machine_trusted_keys(struct key *keyring)
0101 {
0102     machine_trusted_keys = keyring;
0103
0104     if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
0105         panic("Can't link (machine) trusted keyrings\n");
0106 }
0107
0108 /**
0109  * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
0110  * @dest_keyring: Keyring being linked to.
0111  * @type: The type of key being added.
0112  * @payload: The payload of the new key.
0113  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
0114  *
0115  * Restrict the addition of keys into a keyring based on the key-to-be-added
0116  * being vouched for by a key in either the built-in, the secondary, or
0117  * the machine keyrings.
0118  */
0119 int restrict_link_by_builtin_secondary_and_machine(
0120     struct key *dest_keyring,
0121     const struct key_type *type,
0122     const union key_payload *payload,
0123     struct key *restrict_key)
0124 {
0125     if (machine_trusted_keys && type == &key_type_keyring &&
0126         dest_keyring == secondary_trusted_keys &&
0127         payload == &machine_trusted_keys->payload)
0128         /* Allow the machine keyring to be added to the secondary */
0129         return 0;
0130
0131     return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
0132                                   payload, restrict_key);
0133 }
0134 #endif
0135
0136 /*
0137  * Create the trusted keyrings
0138  */
0139 static __init int system_trusted_keyring_init(void)
0140 {
0141     pr_notice("Initialise system trusted keyrings\n");
0142
0143     builtin_trusted_keys =
0144         keyring_alloc(".builtin_trusted_keys",
0145                   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
0146                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
0147                   KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
0148                   KEY_ALLOC_NOT_IN_QUOTA,
0149                   NULL, NULL);
0150     if (IS_ERR(builtin_trusted_keys))
0151         panic("Can't allocate builtin trusted keyring\n");
0152
0153 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
0154     secondary_trusted_keys =
0155         keyring_alloc(".secondary_trusted_keys",
0156                   GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
0157                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
0158                    KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
0159                    KEY_USR_WRITE),
0160                   KEY_ALLOC_NOT_IN_QUOTA,
0161                   get_builtin_and_secondary_restriction(),
0162                   NULL);
0163     if (IS_ERR(secondary_trusted_keys))
0164         panic("Can't allocate secondary trusted keyring\n");
0165
0166     if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
0167         panic("Can't link trusted keyrings\n");
0168 #endif
0169
0170     return 0;
0171 }
0172
0173 /*
0174  * Must be initialised before we try and load the keys into the keyring.
0175  */
0176 device_initcall(system_trusted_keyring_init);
0177
0178 __init int load_module_cert(struct key *keyring)
0179 {
0180     if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
0181         return 0;
0182
0183     pr_notice("Loading compiled-in module X.509 certificates\n");
0184
0185     return x509_load_certificate_list(system_certificate_list,
0186                       module_cert_size, keyring);
0187 }
0188
0189 /*
0190  * Load the compiled-in list of X.509 certificates.
0191  */
0192 static __init int load_system_certificate_list(void)
0193 {
0194     const u8 *p;
0195     unsigned long size;
0196
0197     pr_notice("Loading compiled-in X.509 certificates\n");
0198
0199 #ifdef CONFIG_MODULE_SIG
0200     p = system_certificate_list;
0201     size = system_certificate_list_size;
0202 #else
0203     p = system_certificate_list + module_cert_size;
0204     size = system_certificate_list_size - module_cert_size;
0205 #endif
0206
0207     return x509_load_certificate_list(p, size, builtin_trusted_keys);
0208 }
0209 late_initcall(load_system_certificate_list);
0210
0211 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
0212
0213 /**
0214  * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
0215  * @data: The data to be verified (NULL if expecting internal data).
0216  * @len: Size of @data.
0217  * @pkcs7: The PKCS#7 message that is the signature.
0218  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
0219  *                  (void *)1UL for all trusted keys).
0220  * @usage: The use to which the key is being put.
0221  * @view_content: Callback to gain access to content.
0222  * @ctx: Context for callback.
0223  */
0224 int verify_pkcs7_message_sig(const void *data, size_t len,
0225                  struct pkcs7_message *pkcs7,
0226                  struct key *trusted_keys,
0227                  enum key_being_used_for usage,
0228                  int (*view_content)(void *ctx,
0229                          const void *data, size_t len,
0230                          size_t asn1hdrlen),
0231                  void *ctx)
0232 {
0233     int ret;
0234
0235     /* The data should be detached - so we need to supply it. */
0236     if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
0237         pr_err("PKCS#7 signature with non-detached data\n");
0238         ret = -EBADMSG;
0239         goto error;
0240     }
0241
0242     ret = pkcs7_verify(pkcs7, usage);
0243     if (ret < 0)
0244         goto error;
0245
0246     if (!trusted_keys) {
0247         trusted_keys = builtin_trusted_keys;
0248     } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
0249 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
0250         trusted_keys = secondary_trusted_keys;
0251 #else
0252         trusted_keys = builtin_trusted_keys;
0253 #endif
0254     } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
0255 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
0256         trusted_keys = platform_trusted_keys;
0257 #else
0258         trusted_keys = NULL;
0259 #endif
0260         if (!trusted_keys) {
0261             ret = -ENOKEY;
0262             pr_devel("PKCS#7 platform keyring is not available\n");
0263             goto error;
0264         }
0265
0266         ret = is_key_on_revocation_list(pkcs7);
0267         if (ret != -ENOKEY) {
0268             pr_devel("PKCS#7 platform key is on revocation list\n");
0269             goto error;
0270         }
0271     }
0272     ret = pkcs7_validate_trust(pkcs7, trusted_keys);
0273     if (ret < 0) {
0274         if (ret == -ENOKEY)
0275             pr_devel("PKCS#7 signature not signed with a trusted key\n");
0276         goto error;
0277     }
0278
0279     if (view_content) {
0280         size_t asn1hdrlen;
0281
0282         ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
0283         if (ret < 0) {
0284             if (ret == -ENODATA)
0285                 pr_devel("PKCS#7 message does not contain data\n");
0286             goto error;
0287         }
0288
0289         ret = view_content(ctx, data, len, asn1hdrlen);
0290     }
0291
0292 error:
0293     pr_devel("<==%s() = %d\n", __func__, ret);
0294     return ret;
0295 }
0296
0297 /**
0298  * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
0299  * @data: The data to be verified (NULL if expecting internal data).
0300  * @len: Size of @data.
0301  * @raw_pkcs7: The PKCS#7 message that is the signature.
0302  * @pkcs7_len: The size of @raw_pkcs7.
0303  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
0304  *                  (void *)1UL for all trusted keys).
0305  * @usage: The use to which the key is being put.
0306  * @view_content: Callback to gain access to content.
0307  * @ctx: Context for callback.
0308  */
0309 int verify_pkcs7_signature(const void *data, size_t len,
0310                const void *raw_pkcs7, size_t pkcs7_len,
0311                struct key *trusted_keys,
0312                enum key_being_used_for usage,
0313                int (*view_content)(void *ctx,
0314                            const void *data, size_t len,
0315                            size_t asn1hdrlen),
0316                void *ctx)
0317 {
0318     struct pkcs7_message *pkcs7;
0319     int ret;
0320
0321     pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
0322     if (IS_ERR(pkcs7))
0323         return PTR_ERR(pkcs7);
0324
0325     ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
0326                        view_content, ctx);
0327
0328     pkcs7_free_message(pkcs7);
0329     pr_devel("<==%s() = %d\n", __func__, ret);
0330     return ret;
0331 }
0332 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
0333
0334 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
0335
0336 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
0337 void __init set_platform_trusted_keys(struct key *keyring)
0338 {
0339     platform_trusted_keys = keyring;
0340 }
0341 #endif