1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2011 Intel Corporation
6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11 #include <linux/err.h>
12 #include <linux/sched.h>
13 #include <linux/slab.h>
14 #include <linux/cred.h>
15 #include <linux/key-type.h>
16 #include <linux/digsig.h>
17 #include <linux/vmalloc.h>
18 #include <crypto/public_key.h>
19 #include <keys/system_keyring.h>
21 #include "integrity.h"
23 static struct key
*keyring
[INTEGRITY_KEYRING_MAX
];
25 static const char * const keyring_name
[INTEGRITY_KEYRING_MAX
] = {
26 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
36 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
37 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
39 #define restrict_link_to_ima restrict_link_by_builtin_trusted
42 int integrity_digsig_verify(const unsigned int id
, const char *sig
, int siglen
,
43 const char *digest
, int digestlen
)
45 if (id
>= INTEGRITY_KEYRING_MAX
|| siglen
< 2)
50 request_key(&key_type_keyring
, keyring_name
[id
],
52 if (IS_ERR(keyring
[id
])) {
53 int err
= PTR_ERR(keyring
[id
]);
54 pr_err("no %s keyring: %d\n", keyring_name
[id
], err
);
62 /* v1 API expect signature without xattr type */
63 return digsig_verify(keyring
[id
], sig
+ 1, siglen
- 1,
66 return asymmetric_verify(keyring
[id
], sig
, siglen
,
73 static int __integrity_init_keyring(const unsigned int id
, struct key_acl
*acl
,
74 struct key_restriction
*restriction
)
76 const struct cred
*cred
= current_cred();
79 keyring
[id
] = keyring_alloc(keyring_name
[id
], KUIDT_INIT(0),
80 KGIDT_INIT(0), cred
, acl
,
81 KEY_ALLOC_NOT_IN_QUOTA
, restriction
, NULL
);
82 if (IS_ERR(keyring
[id
])) {
83 err
= PTR_ERR(keyring
[id
]);
84 pr_info("Can't allocate %s keyring (%d)\n",
85 keyring_name
[id
], err
);
88 if (id
== INTEGRITY_KEYRING_PLATFORM
)
89 set_platform_trusted_keys(keyring
[id
]);
95 int __init
integrity_init_keyring(const unsigned int id
)
97 struct key_restriction
*restriction
;
98 struct key_acl
*acl
= &internal_keyring_acl
;
100 if (id
== INTEGRITY_KEYRING_PLATFORM
) {
105 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING
))
108 restriction
= kzalloc(sizeof(struct key_restriction
), GFP_KERNEL
);
112 restriction
->check
= restrict_link_to_ima
;
113 acl
= &internal_writable_keyring_acl
;
116 return __integrity_init_keyring(id
, acl
, restriction
);
119 static int __init
integrity_add_key(const unsigned int id
, const void *data
,
120 off_t size
, struct key_acl
*acl
)
128 key
= key_create_or_update(make_key_ref(keyring
[id
], 1), "asymmetric",
129 NULL
, data
, size
, acl
?: &internal_key_acl
,
130 KEY_ALLOC_NOT_IN_QUOTA
);
133 pr_err("Problem loading X.509 certificate %d\n", rc
);
135 pr_notice("Loaded X.509 cert '%s'\n",
136 key_ref_to_ptr(key
)->description
);
144 int __init
integrity_load_x509(const unsigned int id
, const char *path
)
150 rc
= kernel_read_file_from_path(path
, &data
, &size
, 0,
151 READING_X509_CERTIFICATE
);
153 pr_err("Unable to open file: %s (%d)", path
, rc
);
157 pr_info("Loading X.509 certificate: %s\n", path
);
158 rc
= integrity_add_key(id
, data
, size
, NULL
);
164 int __init
integrity_load_cert(const unsigned int id
, const char *source
,
165 const void *data
, size_t len
, struct key_acl
*acl
)
170 pr_info("Loading X.509 certificate: %s\n", source
);
171 return integrity_add_key(id
, data
, len
, acl
);