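// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2011 Intel Corporation
 *
 * Author:
 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
 */

#include <linux/err.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/cred.h>
#include <linux/kernel_read_file.h>
#include <linux/key-type.h>
#include <linux/digsig.h>
#include <linux/vmalloc.h>
#include <crypto/public_key.h>
#include <keys/system_keyring.h>

#include "integrity.h"

/*
 * Cached keyring pointers, indexed by INTEGRITY_KEYRING_*.  A slot is filled
 * either at init by __integrity_init_keyring() or lazily by
 * integrity_keyring_from_id(); NULL means "not resolved yet".  Nothing in
 * this file ever drops the cached reference, so a resolved keyring is held
 * for the lifetime of the kernel.
 */
static struct key *keyring[INTEGRITY_KEYRING_MAX];

/*
 * Keyring names, in INTEGRITY_KEYRING_* order.  With
 * CONFIG_INTEGRITY_TRUSTED_KEYRING the IMA/EVM keyrings get the ".ima"/".evm"
 * names (by keyring convention the leading '.' denotes a kernel-internal
 * keyring; see security/keys for the exact semantics); without it they are the
 * unrestricted "_ima"/"_evm" keyrings that are expected to be created by
 * userspace and found by request_key() below.
 */
static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
	"_evm",
	"_ima",
#else
	".evm",
	".ima",
#endif
	".platform",
	".machine",
};

/*
 * Link restriction applied to the .ima/.evm keyrings: a key may only be added
 * if it is signed by a key already in the builtin keyring, or (with
 * CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY) the builtin or
 * secondary keyring.
 */
#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
#define restrict_link_to_ima restrict_link_by_digsig_builtin_and_secondary
#else
#define restrict_link_to_ima restrict_link_by_digsig_builtin
#endif

/*
 * integrity_keyring_from_id - return the keyring for an INTEGRITY_KEYRING_* id
 * @id: keyring index
 *
 * Returns the cached keyring, resolving it with request_key() on first use
 * when it was not allocated at init.  Returns ERR_PTR(-EINVAL) for an
 * out-of-range id, or ERR_PTR() of the request_key() error (the slot is
 * left NULL so the lookup is retried next time).
 *
 * NOTE(review): request_key() presumably searches the calling task's
 * keyrings, so for the untrusted "_ima"/"_evm" names the keyring found
 * depends on the caller's keyring setup -- CONFIG_INTEGRITY_TRUSTED_KEYRING
 * is what makes this lookup trustworthy; confirm against request_key().
 * The lazy fill of keyring[id] is not serialized: two concurrent first
 * callers may each take a reference and the loser's is never put.  That only
 * leaks a refcount on a keyring that is held forever anyway, so it is left
 * as is rather than adding locking here.
 */
static struct key *integrity_keyring_from_id(const unsigned int id)
{
	if (id >= INTEGRITY_KEYRING_MAX)
		return ERR_PTR(-EINVAL);

	if (!keyring[id]) {
		keyring[id] =
			request_key(&key_type_keyring, keyring_name[id], NULL);
		if (IS_ERR(keyring[id])) {
			int err = PTR_ERR(keyring[id]);
			pr_err("no %s keyring: %d\n", keyring_name[id], err);
			keyring[id] = NULL;
			return ERR_PTR(err);
		}
	}

	return keyring[id];
}

/*
 * integrity_digsig_verify - verify a digest signature against a keyring
 * @id: INTEGRITY_KEYRING_* keyring to verify against
 * @sig: signature blob; sig[1] is the signature format version
 * @siglen: length of @sig in bytes
 * @digest: digest the signature covers
 * @digestlen: length of @digest in bytes
 *
 * Dispatches on the version byte at sig[1]: version 1 goes to the legacy
 * digsig_verify() with the leading xattr-type byte stripped, versions 2 and
 * 3 to asymmetric_verify() with the blob passed through unchanged.
 *
 * Returns 0 on success, -EINVAL if the blob is too short to hold a version
 * byte, -EOPNOTSUPP for an unknown version, the keyring lookup error, or the
 * error from the underlying verifier.
 */
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
			    const char *digest, int digestlen)
{
	struct key *keyring;

	/* Need at least the xattr-type byte and the version byte. */
	if (siglen < 2)
		return -EINVAL;

	keyring = integrity_keyring_from_id(id);
	if (IS_ERR(keyring))
		return PTR_ERR(keyring);

	switch (sig[1]) {
	case 1:
		/* v1 API expect signature without xattr type */
		return digsig_verify(keyring, sig + 1, siglen - 1, digest,
				     digestlen);
	case 2: /* regular file data hash based signature */
	case 3: /* struct ima_file_id data based signature */
		return asymmetric_verify(keyring, sig, siglen, digest,
					 digestlen);
	}

	/* Unknown signature version: refuse rather than guess a format. */
	return -EOPNOTSUPP;
}

/*
 * integrity_modsig_verify - verify an appended module-style signature
 * @id: INTEGRITY_KEYRING_* keyring to verify against
 * @modsig: parsed appended signature
 *
 * Returns the keyring lookup error, or the result of ima_modsig_verify().
 */
int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
{
	struct key *keyring;

	keyring = integrity_keyring_from_id(id);
	if (IS_ERR(keyring))
		return PTR_ERR(keyring);

	return ima_modsig_verify(keyring, modsig);
}

/*
 * __integrity_init_keyring - allocate one of the integrity keyrings
 * @id: INTEGRITY_KEYRING_* index to fill
 * @perm: key permissions for the new keyring
 * @restriction: link restriction (ownership passes to the keyring on
 *               success; the caller frees it on failure)
 *
 * The keyring is owned by uid/gid 0, created with the current credentials
 * and outside key quota.  On success the platform keyring is registered as
 * the platform trusted keys, the machine keyring as the machine trusted keys
 * (only when imputed trust is enabled), and the IMA keyring receives the
 * kernel's module signing certificate.
 *
 * Returns 0 on success or the keyring_alloc() error; on failure keyring[id]
 * is reset to NULL.
 */
static int __init __integrity_init_keyring(const unsigned int id,
					   key_perm_t perm,
					   struct key_restriction *restriction)
{
	const struct cred *cred = current_cred();
	int err = 0;

	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
				    KGIDT_INIT(0), cred, perm,
				    KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
	if (IS_ERR(keyring[id])) {
		err = PTR_ERR(keyring[id]);
		pr_info("Can't allocate %s keyring (%d)\n",
			keyring_name[id], err);
		keyring[id] = NULL;
	} else {
		if (id == INTEGRITY_KEYRING_PLATFORM)
			set_platform_trusted_keys(keyring[id]);
		if (id == INTEGRITY_KEYRING_MACHINE && imputed_trust_enabled())
			set_machine_trusted_keys(keyring[id]);
		if (id == INTEGRITY_KEYRING_IMA)
			load_module_cert(keyring[id]);
	}

	return err;
}

/*
 * integrity_init_keyring - create an integrity keyring with the right policy
 * @id: INTEGRITY_KEYRING_* index to create
 *
 * Permissions: possessor gets everything except SETATTR; user gets VIEW,
 * READ and SEARCH.  USR_WRITE is added only for restricted keyrings other
 * than the machine keyring, so userspace can add keys to .ima/.evm only
 * through the link restriction and can never add keys to .machine.
 *
 * Restrictions: none for the platform keyring and for the machine keyring
 * when CONFIG_INTEGRITY_CA_MACHINE_KEYRING is off; restrict_link_by_ca for
 * the machine keyring otherwise; restrict_link_to_ima for .ima/.evm.  When
 * CONFIG_INTEGRITY_TRUSTED_KEYRING is off the IMA/EVM keyrings are not
 * created here at all (returns 0) and are resolved lazily from userspace by
 * integrity_keyring_from_id().
 *
 * Returns 0 on success, -ENOMEM if the restriction cannot be allocated, or
 * the keyring allocation error (the restriction is freed in that case).
 */
int __init integrity_init_keyring(const unsigned int id)
{
	struct key_restriction *restriction;
	key_perm_t perm;
	int ret;

	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
		| KEY_USR_READ | KEY_USR_SEARCH;

	if (id == INTEGRITY_KEYRING_PLATFORM ||
	    (id == INTEGRITY_KEYRING_MACHINE &&
	    !IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING))) {
		restriction = NULL;
		goto out;
	}

	if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
		return 0;

	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
	if (!restriction)
		return -ENOMEM;

	if (id == INTEGRITY_KEYRING_MACHINE)
		restriction->check = restrict_link_by_ca;
	else
		restriction->check = restrict_link_to_ima;

	/*
	 * MOK keys can only be added through a read-only runtime services
	 * UEFI variable during boot. No additional keys shall be allowed to
	 * load into the machine keyring following init from userspace.
	 */
	if (id != INTEGRITY_KEYRING_MACHINE)
		perm |= KEY_USR_WRITE;

out:
	ret = __integrity_init_keyring(id, perm, restriction);
	if (ret)
		kfree(restriction);
	return ret;
}

/*
 * integrity_add_key - add an X.509 certificate to an integrity keyring
 * @id: INTEGRITY_KEYRING_* keyring to add to
 * @data: DER-encoded certificate
 * @size: length of @data in bytes
 * @perm: permissions for the new key
 *
 * The key is created (or updated if already present) as an "asymmetric" key
 * outside key quota.  The keyring's link restriction, if any, is enforced by
 * key_create_or_update(), so an unsigned or mis-signed certificate is
 * rejected there.
 *
 * Returns 0 on success, -EINVAL if @id is out of range or that keyring was
 * never created, or the key_create_or_update() error.
 */
static int __init integrity_add_key(const unsigned int id, const void *data,
				    off_t size, key_perm_t perm)
{
	key_ref_t key;
	int rc = 0;

	/* Same bound as integrity_keyring_from_id(); callers pass constants. */
	if (id >= INTEGRITY_KEYRING_MAX || !keyring[id])
		return -EINVAL;

	key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
				   NULL, data, size, perm,
				   KEY_ALLOC_NOT_IN_QUOTA);
	if (IS_ERR(key)) {
		rc = PTR_ERR(key);
		pr_err("Problem loading X.509 certificate %d\n", rc);
	} else {
		pr_notice("Loaded X.509 cert '%s'\n",
			  key_ref_to_ptr(key)->description);
		key_ref_put(key);
	}

	return rc;
}

/*
 * integrity_load_x509 - load an X.509 certificate from a file at init
 * @id: INTEGRITY_KEYRING_* keyring to add it to
 * @path: path of the DER certificate file
 *
 * The file is read with the READING_X509_CERTIFICATE hook id (so LSMs and
 * the kernel_read_file policy see it as a certificate load), then added with
 * possessor-all-but-SETATTR and user VIEW/READ permissions.
 *
 * Returns 0 on success, the file read error, or the integrity_add_key()
 * error.
 */
int __init integrity_load_x509(const unsigned int id, const char *path)
{
	void *data = NULL;
	size_t size;
	int rc;
	key_perm_t perm;

	rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
					READING_X509_CERTIFICATE);
	if (rc < 0) {
		/* Terminate the line so it does not merge with the next log. */
		pr_err("Unable to open file: %s (%d)\n", path, rc);
		return rc;
	}
	/* A non-negative return is the number of bytes read. */
	size = rc;

	perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW | KEY_USR_READ;

	pr_info("Loading X.509 certificate: %s\n", path);
	rc = integrity_add_key(id, (const void *)data, size, perm);

	/* kernel_read_file_from_path() hands back a vmalloc'd buffer. */
	vfree(data);
	return rc;
}

/*
 * integrity_load_cert - load an in-memory X.509 certificate at init
 * @id: INTEGRITY_KEYRING_* keyring to add it to
 * @source: human-readable origin, used only for the log line
 * @data: DER-encoded certificate
 * @len: length of @data in bytes
 * @perm: permissions for the new key
 *
 * Returns -EINVAL if @data is NULL, otherwise the integrity_add_key() result.
 */
int __init integrity_load_cert(const unsigned int id, const char *source,
			       const void *data, size_t len, key_perm_t perm)
{
	if (!data)
		return -EINVAL;

	pr_info("Loading X.509 certificate: %s\n", source);
	return integrity_add_key(id, data, len, perm);
}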