1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2011 Intel Corporation
6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11 #include <linux/err.h>
12 #include <linux/sched.h>
13 #include <linux/slab.h>
14 #include <linux/cred.h>
15 #include <linux/key-type.h>
16 #include <linux/digsig.h>
17 #include <linux/vmalloc.h>
18 #include <crypto/public_key.h>
19 #include <keys/system_keyring.h>
21 #include "integrity.h"
23 static struct key
*keyring
[INTEGRITY_KEYRING_MAX
];
25 static const char * const keyring_name
[INTEGRITY_KEYRING_MAX
] = {
26 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
36 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
37 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
39 #define restrict_link_to_ima restrict_link_by_builtin_trusted
42 int integrity_digsig_verify(const unsigned int id
, const char *sig
, int siglen
,
43 const char *digest
, int digestlen
)
45 if (id
>= INTEGRITY_KEYRING_MAX
|| siglen
< 2)
50 request_key(&key_type_keyring
, keyring_name
[id
], NULL
);
51 if (IS_ERR(keyring
[id
])) {
52 int err
= PTR_ERR(keyring
[id
]);
53 pr_err("no %s keyring: %d\n", keyring_name
[id
], err
);
61 /* v1 API expect signature without xattr type */
62 return digsig_verify(keyring
[id
], sig
+ 1, siglen
- 1,
65 return asymmetric_verify(keyring
[id
], sig
, siglen
,
72 static int __integrity_init_keyring(const unsigned int id
, key_perm_t perm
,
73 struct key_restriction
*restriction
)
75 const struct cred
*cred
= current_cred();
78 keyring
[id
] = keyring_alloc(keyring_name
[id
], KUIDT_INIT(0),
79 KGIDT_INIT(0), cred
, perm
,
80 KEY_ALLOC_NOT_IN_QUOTA
, restriction
, NULL
);
81 if (IS_ERR(keyring
[id
])) {
82 err
= PTR_ERR(keyring
[id
]);
83 pr_info("Can't allocate %s keyring (%d)\n",
84 keyring_name
[id
], err
);
87 if (id
== INTEGRITY_KEYRING_PLATFORM
)
88 set_platform_trusted_keys(keyring
[id
]);
94 int __init
integrity_init_keyring(const unsigned int id
)
96 struct key_restriction
*restriction
;
99 perm
= (KEY_POS_ALL
& ~KEY_POS_SETATTR
) | KEY_USR_VIEW
100 | KEY_USR_READ
| KEY_USR_SEARCH
;
102 if (id
== INTEGRITY_KEYRING_PLATFORM
) {
107 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING
))
110 restriction
= kzalloc(sizeof(struct key_restriction
), GFP_KERNEL
);
114 restriction
->check
= restrict_link_to_ima
;
115 perm
|= KEY_USR_WRITE
;
118 return __integrity_init_keyring(id
, perm
, restriction
);
121 int __init
integrity_add_key(const unsigned int id
, const void *data
,
122 off_t size
, key_perm_t perm
)
130 key
= key_create_or_update(make_key_ref(keyring
[id
], 1), "asymmetric",
131 NULL
, data
, size
, perm
,
132 KEY_ALLOC_NOT_IN_QUOTA
);
135 pr_err("Problem loading X.509 certificate %d\n", rc
);
137 pr_notice("Loaded X.509 cert '%s'\n",
138 key_ref_to_ptr(key
)->description
);
146 int __init
integrity_load_x509(const unsigned int id
, const char *path
)
153 rc
= kernel_read_file_from_path(path
, &data
, &size
, 0,
154 READING_X509_CERTIFICATE
);
156 pr_err("Unable to open file: %s (%d)", path
, rc
);
160 perm
= (KEY_POS_ALL
& ~KEY_POS_SETATTR
) | KEY_USR_VIEW
| KEY_USR_READ
;
162 pr_info("Loading X.509 certificate: %s\n", path
);
163 rc
= integrity_add_key(id
, (const void *)data
, size
, perm
);
169 int __init
integrity_load_cert(const unsigned int id
, const char *source
,
170 const void *data
, size_t len
, key_perm_t perm
)
175 pr_info("Loading X.509 certificate: %s\n", source
);
176 return integrity_add_key(id
, data
, len
, perm
);