^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0+
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * IMA support for appraising module-style appended signatures.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Copyright (C) 2019 IBM Corporation
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Author:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * Thiago Jung Bauermann <bauerman@linux.ibm.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/module_signature.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <keys/asymmetric-type.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <crypto/pkcs7.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include "ima.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) struct modsig {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) struct pkcs7_message *pkcs7_msg;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) enum hash_algo hash_algo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) /* This digest will go in the 'd-modsig' field of the IMA template. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) const u8 *digest;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) u32 digest_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * This is what will go to the measurement list if the template requires
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) * storing the signature.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) int raw_pkcs7_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) u8 raw_pkcs7[];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) };
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) * ima_read_modsig - Read modsig from buf.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) * Return: 0 on success, error code otherwise.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) struct modsig **modsig)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) const size_t marker_len = strlen(MODULE_SIG_STRING);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) const struct module_signature *sig;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) struct modsig *hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) size_t sig_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) const void *p;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) if (buf_len <= marker_len + sizeof(*sig))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) return -ENOENT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) p = buf + buf_len - marker_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) if (memcmp(p, MODULE_SIG_STRING, marker_len))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) return -ENOENT;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) buf_len -= marker_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) sig = (const struct module_signature *)(p - sizeof(*sig));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) rc = mod_check_sig(sig, buf_len, func_tokens[func]);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) sig_len = be32_to_cpu(sig->sig_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) buf_len -= sig_len + sizeof(*sig);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) /* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) if (!hdr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) if (IS_ERR(hdr->pkcs7_msg)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) rc = PTR_ERR(hdr->pkcs7_msg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) kfree(hdr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) return rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) hdr->raw_pkcs7_len = sig_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) /* We don't know the hash algorithm yet. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) hdr->hash_algo = HASH_ALGO__LAST;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) *modsig = hdr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) * ima_collect_modsig - Calculate the file hash without the appended signature.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) * Since the modsig is part of the file contents, the hash used in its signature
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) * isn't the same one ordinarily calculated by IMA. Therefore PKCS7 code
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) * calculates a separate one for signature verification.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) int rc;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) * Provide the file contents (minus the appended sig) so that the PKCS7
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) * code can calculate the file hash.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) size -= modsig->raw_pkcs7_len + strlen(MODULE_SIG_STRING) +
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) sizeof(struct module_signature);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) rc = pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) if (rc)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) /* Ask the PKCS7 code to calculate the file hash. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) rc = pkcs7_get_digest(modsig->pkcs7_msg, &modsig->digest,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) &modsig->digest_size, &modsig->hash_algo);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) int ima_modsig_verify(struct key *keyring, const struct modsig *modsig)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) VERIFYING_MODULE_SIGNATURE, NULL, NULL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) const u8 **digest, u32 *digest_size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) *algo = modsig->hash_algo;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) *digest = modsig->digest;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) *digest_size = modsig->digest_size;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) u32 *data_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) *data = &modsig->raw_pkcs7;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) *data_len = modsig->raw_pkcs7_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) void ima_free_modsig(struct modsig *modsig)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) if (!modsig)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) return;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) pkcs7_free_message(modsig->pkcs7_msg);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) kfree(modsig);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) }
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags