fs/verity/signature.c

0001 // SPDX-License-Identifier: GPL-2.0
0002 /*
0003  * Verification of builtin signatures
0004  *
0005  * Copyright 2019 Google LLC
0006  */
0007
0008 #include "fsverity_private.h"
0009
0010 #include <linux/cred.h>
0011 #include <linux/key.h>
0012 #include <linux/slab.h>
0013 #include <linux/verification.h>
0014
0015 /*
0016  * /proc/sys/fs/verity/require_signatures
0017  * If 1, all verity files must have a valid builtin signature.
0018  */
0019 static int fsverity_require_signatures;
0020
0021 /*
0022  * Keyring that contains the trusted X.509 certificates.
0023  *
0024  * Only root (kuid=0) can modify this.  Also, root may use
0025  * keyctl_restrict_keyring() to prevent any more additions.
0026  */
0027 static struct key *fsverity_keyring;
0028
0029 /**
0030  * fsverity_verify_signature() - check a verity file's signature
0031  * @vi: the file's fsverity_info
0032  * @signature: the file's built-in signature
0033  * @sig_size: size of signature in bytes, or 0 if no signature
0034  *
0035  * If the file includes a signature of its fs-verity file digest, verify it
0036  * against the certificates in the fs-verity keyring.
0037  *
0038  * Return: 0 on success (signature valid or not required); -errno on failure
0039  */
0040 int fsverity_verify_signature(const struct fsverity_info *vi,
0041                   const u8 *signature, size_t sig_size)
0042 {
0043     const struct inode *inode = vi->inode;
0044     const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
0045     struct fsverity_formatted_digest *d;
0046     int err;
0047
0048     if (sig_size == 0) {
0049         if (fsverity_require_signatures) {
0050             fsverity_err(inode,
0051                      "require_signatures=1, rejecting unsigned file!");
0052             return -EPERM;
0053         }
0054         return 0;
0055     }
0056
0057     d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL);
0058     if (!d)
0059         return -ENOMEM;
0060     memcpy(d->magic, "FSVerity", 8);
0061     d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
0062     d->digest_size = cpu_to_le16(hash_alg->digest_size);
0063     memcpy(d->digest, vi->file_digest, hash_alg->digest_size);
0064
0065     err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
0066                      signature, sig_size, fsverity_keyring,
0067                      VERIFYING_UNSPECIFIED_SIGNATURE,
0068                      NULL, NULL);
0069     kfree(d);
0070
0071     if (err) {
0072         if (err == -ENOKEY)
0073             fsverity_err(inode,
0074                      "File's signing cert isn't in the fs-verity keyring");
0075         else if (err == -EKEYREJECTED)
0076             fsverity_err(inode, "Incorrect file signature");
0077         else if (err == -EBADMSG)
0078             fsverity_err(inode, "Malformed file signature");
0079         else
0080             fsverity_err(inode, "Error %d verifying file signature",
0081                      err);
0082         return err;
0083     }
0084
0085     pr_debug("Valid signature for file digest %s:%*phN\n",
0086          hash_alg->name, hash_alg->digest_size, vi->file_digest);
0087     return 0;
0088 }
0089
0090 #ifdef CONFIG_SYSCTL
0091 static struct ctl_table_header *fsverity_sysctl_header;
0092
0093 static const struct ctl_path fsverity_sysctl_path[] = {
0094     { .procname = "fs", },
0095     { .procname = "verity", },
0096     { }
0097 };
0098
0099 static struct ctl_table fsverity_sysctl_table[] = {
0100     {
0101         .procname       = "require_signatures",
0102         .data           = &fsverity_require_signatures,
0103         .maxlen         = sizeof(int),
0104         .mode           = 0644,
0105         .proc_handler   = proc_dointvec_minmax,
0106         .extra1         = SYSCTL_ZERO,
0107         .extra2         = SYSCTL_ONE,
0108     },
0109     { }
0110 };
0111
0112 static int __init fsverity_sysctl_init(void)
0113 {
0114     fsverity_sysctl_header = register_sysctl_paths(fsverity_sysctl_path,
0115                                fsverity_sysctl_table);
0116     if (!fsverity_sysctl_header) {
0117         pr_err("sysctl registration failed!\n");
0118         return -ENOMEM;
0119     }
0120     return 0;
0121 }
0122 #else /* !CONFIG_SYSCTL */
0123 static inline int __init fsverity_sysctl_init(void)
0124 {
0125     return 0;
0126 }
0127 #endif /* !CONFIG_SYSCTL */
0128
0129 int __init fsverity_init_signature(void)
0130 {
0131     struct key *ring;
0132     int err;
0133
0134     ring = keyring_alloc(".fs-verity", KUIDT_INIT(0), KGIDT_INIT(0),
0135                  current_cred(), KEY_POS_SEARCH |
0136                 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE |
0137                 KEY_USR_SEARCH | KEY_USR_SETATTR,
0138                  KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
0139     if (IS_ERR(ring))
0140         return PTR_ERR(ring);
0141
0142     err = fsverity_sysctl_init();
0143     if (err)
0144         goto err_put_ring;
0145
0146     fsverity_keyring = ring;
0147     return 0;
0148
0149 err_put_ring:
0150     key_put(ring);
0151     return err;
0152 }