Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

3 Commits   0 Branches   0 Tags
Index
Trunk
Branches
Tags
Trunk
Branches
Tags
Home page
Home page
orangepi/linux-orangepi-5.10.y.git/trunk/drivers/md/dm-verity-verify-sig.c 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) // SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3)  * Copyright (C) 2019 Microsoft Corporation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5)  * Author:  Jaskaran Singh Khurana <jaskarankhurana@linux.microsoft.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8) #include <linux/device-mapper.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9) #include <linux/verification.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10) #include <keys/user-type.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11) #include <linux/module.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12) #include "dm-verity.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) #include "dm-verity-verify-sig.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15) #define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) static bool require_signatures;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) module_param(require_signatures, bool, 0444);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) MODULE_PARM_DESC(require_signatures,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) 		"Verify the roothash of dm-verity hash tree");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22) #define DM_VERITY_IS_SIG_FORCE_ENABLED() \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23) 	(require_signatures != false)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25) bool verity_verify_is_sig_opt_arg(const char *arg_name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) 	return (!strcasecmp(arg_name,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28) 			    DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) static int verity_verify_get_sig_from_key(const char *key_desc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32) 					struct dm_verity_sig_opts *sig_opts)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34) 	struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35) 	const struct user_key_payload *ukp;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) 	int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) 	key = request_key(&key_type_user,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39) 			key_desc, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40) 	if (IS_ERR(key))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41) 		return PTR_ERR(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43) 	down_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45) 	ukp = user_key_payload_locked(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46) 	if (!ukp) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  47) 		ret = -EKEYREVOKED;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  48) 		goto end;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  49) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  50) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  51) 	sig_opts->sig = kmalloc(ukp->datalen, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  52) 	if (!sig_opts->sig) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  53) 		ret = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54) 		goto end;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  55) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  56) 	sig_opts->sig_size = ukp->datalen;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  57) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  58) 	memcpy(sig_opts->sig, ukp->data, sig_opts->sig_size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  59) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60) end:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  61) 	up_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  62) 	key_put(key);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  63) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  64) 	return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  66) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67) int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  68) 				     struct dm_verity *v,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  69) 				     struct dm_verity_sig_opts *sig_opts,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  70) 				     unsigned int *argc,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  71) 				     const char *arg_name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  72) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  73) 	struct dm_target *ti = v->ti;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  74) 	int ret = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  75) 	const char *sig_key = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  76) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  77) 	if (!*argc) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78) 		ti->error = DM_VERITY_VERIFY_ERR("Signature key not specified");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  79) 		return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  80) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  81) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  82) 	sig_key = dm_shift_arg(as);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  83) 	(*argc)--;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  84) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  85) 	ret = verity_verify_get_sig_from_key(sig_key, sig_opts);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  86) 	if (ret < 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  87) 		ti->error = DM_VERITY_VERIFY_ERR("Invalid key specified");
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  88) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  89) 	v->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  90) 	if (!v->signature_key_desc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  91) 		return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  92) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  93) 	return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  94) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  95) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  96) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  97)  * verify_verify_roothash - Verify the root hash of the verity hash device
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  98)  *			     using builtin trusted keys.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  99)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)  * @root_hash: For verity, the roothash/data to be verified.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101)  * @root_hash_len: Size of the roothash/data to be verified.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102)  * @sig_data: The trusted signature that verifies the roothash/data.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103)  * @sig_len: Size of the signature.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)  *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105)  */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) 			    const void *sig_data, size_t sig_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) 	int ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) 	if (!root_hash || root_hash_len == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) 		return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) 	if (!sig_data  || sig_len == 0) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) 		if (DM_VERITY_IS_SIG_FORCE_ENABLED())
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) 			return -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) 		else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) 			return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) 	}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) 	ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) 				sig_len, NULL, VERIFYING_UNSPECIFIED_SIGNATURE,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) 				NULL, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) 	return ret;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) 	kfree(sig_opts->sig);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) 	sig_opts->sig = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) 	sig_opts->sig_size = 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) }
cGit-ui 0.1.7
Git 2.40.0
Nginx 1.22.1

Where any material of this site is being reproduced, published or issued to others the reference to the source is obligatory.

© Andrey V. Kosteltsev, 2019 – 2025.