xref: /linux/certs/system_keyring.c (revision 0a94608f0f7de9b1135ffea3546afe68eafef57f)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* System trusted keyring for trusted public keys
3  *
4  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #include <linux/export.h>
9 #include <linux/kernel.h>
10 #include <linux/sched.h>
11 #include <linux/cred.h>
12 #include <linux/err.h>
13 #include <linux/slab.h>
14 #include <linux/uidgid.h>
15 #include <linux/verification.h>
16 #include <keys/asymmetric-type.h>
17 #include <keys/system_keyring.h>
18 #include <crypto/pkcs7.h>
19 #include "common.h"
20 
21 static struct key *builtin_trusted_keys;
22 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
23 static struct key *secondary_trusted_keys;
24 #endif
25 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
26 static struct key *machine_trusted_keys;
27 #endif
28 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
29 static struct key *platform_trusted_keys;
30 #endif
31 
32 extern __initconst const u8 system_certificate_list[];
33 extern __initconst const unsigned long system_certificate_list_size;
34 extern __initconst const unsigned long module_cert_size;
35 
36 /**
37  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
38  *
39  * Restrict the addition of keys into a keyring based on the key-to-be-added
40  * being vouched for by a key in the built in system keyring.
41  */
42 int restrict_link_by_builtin_trusted(struct key *dest_keyring,
43 				     const struct key_type *type,
44 				     const union key_payload *payload,
45 				     struct key *restriction_key)
46 {
47 	return restrict_link_by_signature(dest_keyring, type, payload,
48 					  builtin_trusted_keys);
49 }
50 
51 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
52 /**
53  * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
54  *   addition by both builtin and secondary keyrings
55  *
56  * Restrict the addition of keys into a keyring based on the key-to-be-added
57  * being vouched for by a key in either the built-in or the secondary system
58  * keyrings.
59  */
60 int restrict_link_by_builtin_and_secondary_trusted(
61 	struct key *dest_keyring,
62 	const struct key_type *type,
63 	const union key_payload *payload,
64 	struct key *restrict_key)
65 {
66 	/* If we have a secondary trusted keyring, then that contains a link
67 	 * through to the builtin keyring and the search will follow that link.
68 	 */
69 	if (type == &key_type_keyring &&
70 	    dest_keyring == secondary_trusted_keys &&
71 	    payload == &builtin_trusted_keys->payload)
72 		/* Allow the builtin keyring to be added to the secondary */
73 		return 0;
74 
75 	return restrict_link_by_signature(dest_keyring, type, payload,
76 					  secondary_trusted_keys);
77 }
78 
79 /**
80  * Allocate a struct key_restriction for the "builtin and secondary trust"
81  * keyring. Only for use in system_trusted_keyring_init().
82  */
83 static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
84 {
85 	struct key_restriction *restriction;
86 
87 	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
88 
89 	if (!restriction)
90 		panic("Can't allocate secondary trusted keyring restriction\n");
91 
92 	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
93 		restriction->check = restrict_link_by_builtin_secondary_and_machine;
94 	else
95 		restriction->check = restrict_link_by_builtin_and_secondary_trusted;
96 
97 	return restriction;
98 }
99 #endif
100 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
101 void __init set_machine_trusted_keys(struct key *keyring)
102 {
103 	machine_trusted_keys = keyring;
104 
105 	if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
106 		panic("Can't link (machine) trusted keyrings\n");
107 }
108 
109 /**
110  * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
111  * @dest_keyring: Keyring being linked to.
112  * @type: The type of key being added.
113  * @payload: The payload of the new key.
114  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
115  *
116  * Restrict the addition of keys into a keyring based on the key-to-be-added
117  * being vouched for by a key in either the built-in, the secondary, or
118  * the machine keyrings.
119  */
120 int restrict_link_by_builtin_secondary_and_machine(
121 	struct key *dest_keyring,
122 	const struct key_type *type,
123 	const union key_payload *payload,
124 	struct key *restrict_key)
125 {
126 	if (machine_trusted_keys && type == &key_type_keyring &&
127 	    dest_keyring == secondary_trusted_keys &&
128 	    payload == &machine_trusted_keys->payload)
129 		/* Allow the machine keyring to be added to the secondary */
130 		return 0;
131 
132 	return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
133 							      payload, restrict_key);
134 }
135 #endif
136 
137 /*
138  * Create the trusted keyrings
139  */
140 static __init int system_trusted_keyring_init(void)
141 {
142 	pr_notice("Initialise system trusted keyrings\n");
143 
144 	builtin_trusted_keys =
145 		keyring_alloc(".builtin_trusted_keys",
146 			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
147 			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
148 			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
149 			      KEY_ALLOC_NOT_IN_QUOTA,
150 			      NULL, NULL);
151 	if (IS_ERR(builtin_trusted_keys))
152 		panic("Can't allocate builtin trusted keyring\n");
153 
154 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
155 	secondary_trusted_keys =
156 		keyring_alloc(".secondary_trusted_keys",
157 			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
158 			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
159 			       KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
160 			       KEY_USR_WRITE),
161 			      KEY_ALLOC_NOT_IN_QUOTA,
162 			      get_builtin_and_secondary_restriction(),
163 			      NULL);
164 	if (IS_ERR(secondary_trusted_keys))
165 		panic("Can't allocate secondary trusted keyring\n");
166 
167 	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
168 		panic("Can't link trusted keyrings\n");
169 #endif
170 
171 	return 0;
172 }
173 
174 /*
175  * Must be initialised before we try and load the keys into the keyring.
176  */
177 device_initcall(system_trusted_keyring_init);
178 
179 __init int load_module_cert(struct key *keyring)
180 {
181 	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
182 		return 0;
183 
184 	pr_notice("Loading compiled-in module X.509 certificates\n");
185 
186 	return load_certificate_list(system_certificate_list, module_cert_size, keyring);
187 }
188 
189 /*
190  * Load the compiled-in list of X.509 certificates.
191  */
192 static __init int load_system_certificate_list(void)
193 {
194 	const u8 *p;
195 	unsigned long size;
196 
197 	pr_notice("Loading compiled-in X.509 certificates\n");
198 
199 #ifdef CONFIG_MODULE_SIG
200 	p = system_certificate_list;
201 	size = system_certificate_list_size;
202 #else
203 	p = system_certificate_list + module_cert_size;
204 	size = system_certificate_list_size - module_cert_size;
205 #endif
206 
207 	return load_certificate_list(p, size, builtin_trusted_keys);
208 }
209 late_initcall(load_system_certificate_list);
210 
211 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
212 
213 /**
214  * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
215  * @data: The data to be verified (NULL if expecting internal data).
216  * @len: Size of @data.
217  * @pkcs7: The PKCS#7 message that is the signature.
218  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
219  *					(void *)1UL for all trusted keys).
220  * @usage: The use to which the key is being put.
221  * @view_content: Callback to gain access to content.
222  * @ctx: Context for callback.
223  */
224 int verify_pkcs7_message_sig(const void *data, size_t len,
225 			     struct pkcs7_message *pkcs7,
226 			     struct key *trusted_keys,
227 			     enum key_being_used_for usage,
228 			     int (*view_content)(void *ctx,
229 						 const void *data, size_t len,
230 						 size_t asn1hdrlen),
231 			     void *ctx)
232 {
233 	int ret;
234 
235 	/* The data should be detached - so we need to supply it. */
236 	if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
237 		pr_err("PKCS#7 signature with non-detached data\n");
238 		ret = -EBADMSG;
239 		goto error;
240 	}
241 
242 	ret = pkcs7_verify(pkcs7, usage);
243 	if (ret < 0)
244 		goto error;
245 
246 	if (!trusted_keys) {
247 		trusted_keys = builtin_trusted_keys;
248 	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
249 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
250 		trusted_keys = secondary_trusted_keys;
251 #else
252 		trusted_keys = builtin_trusted_keys;
253 #endif
254 	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
255 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
256 		trusted_keys = platform_trusted_keys;
257 #else
258 		trusted_keys = NULL;
259 #endif
260 		if (!trusted_keys) {
261 			ret = -ENOKEY;
262 			pr_devel("PKCS#7 platform keyring is not available\n");
263 			goto error;
264 		}
265 
266 		ret = is_key_on_revocation_list(pkcs7);
267 		if (ret != -ENOKEY) {
268 			pr_devel("PKCS#7 platform key is on revocation list\n");
269 			goto error;
270 		}
271 	}
272 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
273 	if (ret < 0) {
274 		if (ret == -ENOKEY)
275 			pr_devel("PKCS#7 signature not signed with a trusted key\n");
276 		goto error;
277 	}
278 
279 	if (view_content) {
280 		size_t asn1hdrlen;
281 
282 		ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
283 		if (ret < 0) {
284 			if (ret == -ENODATA)
285 				pr_devel("PKCS#7 message does not contain data\n");
286 			goto error;
287 		}
288 
289 		ret = view_content(ctx, data, len, asn1hdrlen);
290 	}
291 
292 error:
293 	pr_devel("<==%s() = %d\n", __func__, ret);
294 	return ret;
295 }
296 
297 /**
298  * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
299  * @data: The data to be verified (NULL if expecting internal data).
300  * @len: Size of @data.
301  * @raw_pkcs7: The PKCS#7 message that is the signature.
302  * @pkcs7_len: The size of @raw_pkcs7.
303  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
304  *					(void *)1UL for all trusted keys).
305  * @usage: The use to which the key is being put.
306  * @view_content: Callback to gain access to content.
307  * @ctx: Context for callback.
308  */
309 int verify_pkcs7_signature(const void *data, size_t len,
310 			   const void *raw_pkcs7, size_t pkcs7_len,
311 			   struct key *trusted_keys,
312 			   enum key_being_used_for usage,
313 			   int (*view_content)(void *ctx,
314 					       const void *data, size_t len,
315 					       size_t asn1hdrlen),
316 			   void *ctx)
317 {
318 	struct pkcs7_message *pkcs7;
319 	int ret;
320 
321 	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
322 	if (IS_ERR(pkcs7))
323 		return PTR_ERR(pkcs7);
324 
325 	ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
326 				       view_content, ctx);
327 
328 	pkcs7_free_message(pkcs7);
329 	pr_devel("<==%s() = %d\n", __func__, ret);
330 	return ret;
331 }
332 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
333 
334 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
335 
336 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
337 void __init set_platform_trusted_keys(struct key *keyring)
338 {
339 	platform_trusted_keys = keyring;
340 }
341 #endif
342