0001
0002
0003
0004
0005
0006
0007
0008
0009 #include <linux/err.h>
0010 #include <linux/sched.h>
0011 #include <linux/slab.h>
0012 #include <linux/cred.h>
0013 #include <linux/kernel_read_file.h>
0014 #include <linux/key-type.h>
0015 #include <linux/digsig.h>
0016 #include <linux/vmalloc.h>
0017 #include <crypto/public_key.h>
0018 #include <keys/system_keyring.h>
0019
0020 #include "integrity.h"
0021
0022 static struct key *keyring[INTEGRITY_KEYRING_MAX];
0023
0024 static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
0025 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
0026 "_evm",
0027 "_ima",
0028 #else
0029 ".evm",
0030 ".ima",
0031 #endif
0032 ".platform",
0033 ".machine",
0034 };
0035
0036 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
0037 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
0038 #else
0039 #define restrict_link_to_ima restrict_link_by_builtin_trusted
0040 #endif
0041
0042 static struct key *integrity_keyring_from_id(const unsigned int id)
0043 {
0044 if (id >= INTEGRITY_KEYRING_MAX)
0045 return ERR_PTR(-EINVAL);
0046
0047 if (!keyring[id]) {
0048 keyring[id] =
0049 request_key(&key_type_keyring, keyring_name[id], NULL);
0050 if (IS_ERR(keyring[id])) {
0051 int err = PTR_ERR(keyring[id]);
0052 pr_err("no %s keyring: %d\n", keyring_name[id], err);
0053 keyring[id] = NULL;
0054 return ERR_PTR(err);
0055 }
0056 }
0057
0058 return keyring[id];
0059 }
0060
0061 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
0062 const char *digest, int digestlen)
0063 {
0064 struct key *keyring;
0065
0066 if (siglen < 2)
0067 return -EINVAL;
0068
0069 keyring = integrity_keyring_from_id(id);
0070 if (IS_ERR(keyring))
0071 return PTR_ERR(keyring);
0072
0073 switch (sig[1]) {
0074 case 1:
0075
0076 return digsig_verify(keyring, sig + 1, siglen - 1, digest,
0077 digestlen);
0078 case 2:
0079 case 3:
0080 return asymmetric_verify(keyring, sig, siglen, digest,
0081 digestlen);
0082 }
0083
0084 return -EOPNOTSUPP;
0085 }
0086
0087 int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
0088 {
0089 struct key *keyring;
0090
0091 keyring = integrity_keyring_from_id(id);
0092 if (IS_ERR(keyring))
0093 return PTR_ERR(keyring);
0094
0095 return ima_modsig_verify(keyring, modsig);
0096 }
0097
0098 static int __init __integrity_init_keyring(const unsigned int id,
0099 key_perm_t perm,
0100 struct key_restriction *restriction)
0101 {
0102 const struct cred *cred = current_cred();
0103 int err = 0;
0104
0105 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
0106 KGIDT_INIT(0), cred, perm,
0107 KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
0108 if (IS_ERR(keyring[id])) {
0109 err = PTR_ERR(keyring[id]);
0110 pr_info("Can't allocate %s keyring (%d)\n",
0111 keyring_name[id], err);
0112 keyring[id] = NULL;
0113 } else {
0114 if (id == INTEGRITY_KEYRING_PLATFORM)
0115 set_platform_trusted_keys(keyring[id]);
0116 if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
0117 set_machine_trusted_keys(keyring[id]);
0118 if (id == INTEGRITY_KEYRING_IMA)
0119 load_module_cert(keyring[id]);
0120 }
0121
0122 return err;
0123 }
0124
0125 int __init integrity_init_keyring(const unsigned int id)
0126 {
0127 struct key_restriction *restriction;
0128 key_perm_t perm;
0129
0130 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
0131 | KEY_USR_READ | KEY_USR_SEARCH;
0132
0133 if (id == INTEGRITY_KEYRING_PLATFORM ||
0134 id == INTEGRITY_KEYRING_MACHINE) {
0135 restriction = NULL;
0136 goto out;
0137 }
0138
0139 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
0140 return 0;
0141
0142 restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
0143 if (!restriction)
0144 return -ENOMEM;
0145
0146 restriction->check = restrict_link_to_ima;
0147
0148
0149
0150
0151
0152
0153 if (id != INTEGRITY_KEYRING_MACHINE)
0154 perm |= KEY_USR_WRITE;
0155
0156 out:
0157 return __integrity_init_keyring(id, perm, restriction);
0158 }
0159
0160 static int __init integrity_add_key(const unsigned int id, const void *data,
0161 off_t size, key_perm_t perm)
0162 {
0163 key_ref_t key;
0164 int rc = 0;
0165
0166 if (!keyring[id])
0167 return -EINVAL;
0168
0169 key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
0170 NULL, data, size, perm,
0171 KEY_ALLOC_NOT_IN_QUOTA);
0172 if (IS_ERR(key)) {
0173 rc = PTR_ERR(key);
0174 pr_err("Problem loading X.509 certificate %d\n", rc);
0175 } else {
0176 pr_notice("Loaded X.509 cert '%s'\n",
0177 key_ref_to_ptr(key)->description);
0178 key_ref_put(key);
0179 }
0180
0181 return rc;
0182
0183 }
0184
0185 int __init integrity_load_x509(const unsigned int id, const char *path)
0186 {
0187 void *data = NULL;
0188 size_t size;
0189 int rc;
0190 key_perm_t perm;
0191
0192 rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
0193 READING_X509_CERTIFICATE);
0194 if (rc < 0) {
0195 pr_err("Unable to open file: %s (%d)", path, rc);
0196 return rc;
0197 }
0198 size = rc;
0199
0200 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;
0201
0202 pr_info("Loading X.509 certificate: %s\n", path);
0203 rc = integrity_add_key(id, (const void *)data, size, perm);
0204
0205 vfree(data);
0206 return rc;
0207 }
0208
0209 int __init integrity_load_cert(const unsigned int id, const char *source,
0210 const void *data, size_t len, key_perm_t perm)
0211 {
0212 if (!data)
0213 return -EINVAL;
0214
0215 pr_info("Loading X.509 certificate: %s\n", source);
0216 return integrity_add_key(id, data, len, perm);
0217 }
