1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2011 Intel Corporation 4 * 5 * Author: 6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com> 7 */ 8 9 #include <linux/err.h> 10 #include <linux/sched.h> 11 #include <linux/slab.h> 12 #include <linux/cred.h> 13 #include <linux/kernel_read_file.h> 14 #include <linux/key-type.h> 15 #include <linux/digsig.h> 16 #include <linux/vmalloc.h> 17 #include <crypto/public_key.h> 18 #include <keys/system_keyring.h> 19 20 #include "integrity.h" 21 22 static struct key *keyring[INTEGRITY_KEYRING_MAX]; 23 24 static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = { 25 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING 26 "_evm", 27 "_ima", 28 #else 29 ".evm", 30 ".ima", 31 #endif 32 ".platform", 33 ".machine", 34 }; 35 36 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 37 #define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary 38 #else 39 #define restrict_link_to_ima restrict_link_by_digsig_builtin 40 #endif 41 42 static struct key *integrity_keyring_from_id(const unsigned int id) 43 { 44 if (id >= INTEGRITY_KEYRING_MAX) 45 return ERR_PTR(-EINVAL); 46 47 if (!keyring[id]) { 48 keyring[id] = 49 request_key(&key_type_keyring, keyring_name[id], NULL); 50 if (IS_ERR(keyring[id])) { 51 int err = PTR_ERR(keyring[id]); 52 pr_err("no %s keyring: %d\n", keyring_name[id], err); 53 keyring[id] = NULL; 54 return ERR_PTR(err); 55 } 56 } 57 58 return keyring[id]; 59 } 60 61 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, 62 const char *digest, int digestlen, u8 algo) 63 { 64 struct key *keyring; 65 66 if (siglen < 2) 67 return -EINVAL; 68 69 keyring = integrity_keyring_from_id(id); 70 if (IS_ERR(keyring)) 71 return PTR_ERR(keyring); 72 73 switch (sig[1]) { 74 case 1: 75 /* v1 API expect signature without xattr type */ 76 return digsig_verify(keyring, sig + 1, siglen - 1, digest, 77 digestlen); 78 case 2: /* regular file data hash based signature */ 79 return asymmetric_verify(keyring, sig, siglen, digest, 80 digestlen); 81 case 3: /* struct ima_file_id data based signature */ 82 return asymmetric_verify_v3(keyring, sig, siglen, digest, 83 digestlen, algo); 84 } 85 86 return -EOPNOTSUPP; 87 } 88 89 int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig) 90 { 91 struct key *keyring; 92 93 keyring = integrity_keyring_from_id(id); 94 if (IS_ERR(keyring)) 95 return PTR_ERR(keyring); 96 97 return ima_modsig_verify(keyring, modsig); 98 } 99 100 static int __init __integrity_init_keyring(const unsigned int id, 101 key_perm_t perm, 102 struct key_restriction *restriction) 103 { 104 const struct cred *cred = current_cred(); 105 int err = 0; 106 107 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0), 108 KGIDT_INIT(0), cred, perm, 109 KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL); 110 if (IS_ERR(keyring[id])) { 111 err = PTR_ERR(keyring[id]); 112 pr_info("Can't allocate %s keyring (%d)\n", 113 keyring_name[id], err); 114 keyring[id] = NULL; 115 } else { 116 if (id == INTEGRITY_KEYRING_PLATFORM) 117 set_platform_trusted_keys(keyring[id]); 118 if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled()) 119 set_machine_trusted_keys(keyring[id]); 120 if (id == INTEGRITY_KEYRING_IMA) 121 load_module_cert(keyring[id]); 122 } 123 124 return err; 125 } 126 127 int __init integrity_init_keyring(const unsigned int id) 128 { 129 struct key_restriction *restriction; 130 key_perm_t perm; 131 int ret; 132 133 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW 134 | KEY_USR_READ | KEY_USR_SEARCH; 135 136 if (id == INTEGRITY_KEYRING_PLATFORM || 137 (id == INTEGRITY_KEYRING_MACHINE && 138 !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) { 139 restriction = NULL; 140 goto out; 141 } 142 143 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING)) 144 return 0; 145 146 restriction = kzalloc_obj(struct key_restriction); 147 if (!restriction) 148 return -ENOMEM; 149 150 if (id == INTEGRITY_KEYRING_MACHINE) 151 restriction->check = restrict_link_by_ca; 152 else 153 restriction->check = restrict_link_to_ima; 154 155 /* 156 * MOK keys can only be added through a read-only runtime services 157 * UEFI variable during boot. No additional keys shall be allowed to 158 * load into the machine keyring following init from userspace. 159 */ 160 if (id != INTEGRITY_KEYRING_MACHINE) 161 perm |= KEY_USR_WRITE; 162 163 out: 164 ret = __integrity_init_keyring(id, perm, restriction); 165 if (ret) 166 kfree(restriction); 167 return ret; 168 } 169 170 static int __init integrity_add_key(const unsigned int id, const void *data, 171 off_t size, key_perm_t perm) 172 { 173 key_ref_t key; 174 int rc = 0; 175 176 if (!keyring[id]) 177 return -EINVAL; 178 179 key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric", 180 NULL, data, size, perm, 181 KEY_ALLOC_NOT_IN_QUOTA); 182 if (IS_ERR(key)) { 183 rc = PTR_ERR(key); 184 if (id != INTEGRITY_KEYRING_MACHINE) 185 pr_err("Problem loading X.509 certificate %d\n", rc); 186 } else { 187 pr_notice("Loaded X.509 cert '%s'\n", 188 key_ref_to_ptr(key)->description); 189 key_ref_put(key); 190 } 191 192 return rc; 193 194 } 195 196 int __init integrity_load_x509(const unsigned int id, const char *path) 197 { 198 void *data = NULL; 199 size_t size; 200 int rc; 201 key_perm_t perm; 202 203 rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL, 204 READING_X509_CERTIFICATE); 205 if (rc < 0) { 206 pr_err("Unable to open file: %s (%d)", path, rc); 207 return rc; 208 } 209 size = rc; 210 211 perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ; 212 213 pr_info("Loading X.509 certificate: %s\n", path); 214 rc = integrity_add_key(id, (const void *)data, size, perm); 215 216 vfree(data); 217 return rc; 218 } 219 220 int __init integrity_load_cert(const unsigned int id, const char *source, 221 const void *data, size_t len, key_perm_t perm) 222 { 223 if (!data) 224 return -EINVAL; 225 226 pr_info("Loading X.509 certificate: %s\n", source); 227 return integrity_add_key(id, data, len, perm); 228 } 229