1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (C) 2011 Intel Corporation
6 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11 #include <linux/err.h>
12 #include <linux/sched.h>
13 #include <linux/slab.h>
14 #include <linux/cred.h>
15 #include <linux/key-type.h>
16 #include <linux/digsig.h>
17 #include <linux/vmalloc.h>
18 #include <crypto/public_key.h>
19 #include <keys/system_keyring.h>
21 #include "integrity.h"
23 static struct key
*keyring
[INTEGRITY_KEYRING_MAX
];
25 static const char * const keyring_name
[INTEGRITY_KEYRING_MAX
] = {
26 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
36 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
37 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
39 #define restrict_link_to_ima restrict_link_by_builtin_trusted
42 int integrity_digsig_verify(const unsigned int id
, const char *sig
, int siglen
,
43 const char *digest
, int digestlen
)
45 if (id
>= INTEGRITY_KEYRING_MAX
|| siglen
< 2)
50 request_key(&key_type_keyring
, keyring_name
[id
], NULL
);
51 if (IS_ERR(keyring
[id
])) {
52 int err
= PTR_ERR(keyring
[id
]);
53 pr_err("no %s keyring: %d\n", keyring_name
[id
], err
);
61 /* v1 API expect signature without xattr type */
62 return digsig_verify(keyring
[id
], sig
+ 1, siglen
- 1,
65 return asymmetric_verify(keyring
[id
], sig
, siglen
,
72 static int __init
__integrity_init_keyring(const unsigned int id
,
74 struct key_restriction
*restriction
)
76 const struct cred
*cred
= current_cred();
79 keyring
[id
] = keyring_alloc(keyring_name
[id
], KUIDT_INIT(0),
80 KGIDT_INIT(0), cred
, perm
,
81 KEY_ALLOC_NOT_IN_QUOTA
, restriction
, NULL
);
82 if (IS_ERR(keyring
[id
])) {
83 err
= PTR_ERR(keyring
[id
]);
84 pr_info("Can't allocate %s keyring (%d)\n",
85 keyring_name
[id
], err
);
88 if (id
== INTEGRITY_KEYRING_PLATFORM
)
89 set_platform_trusted_keys(keyring
[id
]);
95 int __init
integrity_init_keyring(const unsigned int id
)
97 struct key_restriction
*restriction
;
100 perm
= (KEY_POS_ALL
& ~KEY_POS_SETATTR
) | KEY_USR_VIEW
101 | KEY_USR_READ
| KEY_USR_SEARCH
;
103 if (id
== INTEGRITY_KEYRING_PLATFORM
) {
108 if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING
))
111 restriction
= kzalloc(sizeof(struct key_restriction
), GFP_KERNEL
);
115 restriction
->check
= restrict_link_to_ima
;
116 perm
|= KEY_USR_WRITE
;
119 return __integrity_init_keyring(id
, perm
, restriction
);
122 int __init
integrity_add_key(const unsigned int id
, const void *data
,
123 off_t size
, key_perm_t perm
)
131 key
= key_create_or_update(make_key_ref(keyring
[id
], 1), "asymmetric",
132 NULL
, data
, size
, perm
,
133 KEY_ALLOC_NOT_IN_QUOTA
);
136 pr_err("Problem loading X.509 certificate %d\n", rc
);
138 pr_notice("Loaded X.509 cert '%s'\n",
139 key_ref_to_ptr(key
)->description
);
147 int __init
integrity_load_x509(const unsigned int id
, const char *path
)
154 rc
= kernel_read_file_from_path(path
, &data
, &size
, 0,
155 READING_X509_CERTIFICATE
);
157 pr_err("Unable to open file: %s (%d)", path
, rc
);
161 perm
= (KEY_POS_ALL
& ~KEY_POS_SETATTR
) | KEY_USR_VIEW
| KEY_USR_READ
;
163 pr_info("Loading X.509 certificate: %s\n", path
);
164 rc
= integrity_add_key(id
, (const void *)data
, size
, perm
);
170 int __init
integrity_load_cert(const unsigned int id
, const char *source
,
171 const void *data
, size_t len
, key_perm_t perm
)
176 pr_info("Loading X.509 certificate: %s\n", source
);
177 return integrity_add_key(id
, data
, len
, perm
);