certs/system_keyring.c

   1 // SPDX-License-Identifier: GPL-2.0-or-later
   2 /* System trusted keyring for trusted public keys
   3  *
   4  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
   5  * Written by David Howells (dhowells@redhat.com)
   6  */
   7
   8 #include <linux/export.h>
   9 #include <linux/kernel.h>
  10 #include <linux/sched.h>
  11 #include <linux/cred.h>
  12 #include <linux/err.h>
  13 #include <linux/slab.h>
  14 #include <linux/uidgid.h>
  15 #include <linux/verification.h>
  16 #include <keys/asymmetric-type.h>
  17 #include <keys/system_keyring.h>
  18 #include <crypto/pkcs7.h>
  19
  20 static struct key *builtin_trusted_keys;
  21 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
  22 static struct key *secondary_trusted_keys;
  23 #endif
  24 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
  25 static struct key *machine_trusted_keys;
  26 #endif
  27 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
  28 static struct key *platform_trusted_keys;
  29 #endif
  30
  31 extern __initconst const u8 system_certificate_list[];
  32 extern __initconst const unsigned long system_certificate_list_size;
  33 extern __initconst const unsigned long module_cert_size;
  34
  35 /**
  36  * restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA
  37  * @dest_keyring: Keyring being linked to.
  38  * @type: The type of key being added.
  39  * @payload: The payload of the new key.
  40  * @restriction_key: A ring of keys that can be used to vouch for the new cert.
  41  *
  42  * Restrict the addition of keys into a keyring based on the key-to-be-added
  43  * being vouched for by a key in the built in system keyring.
  44  */
  45 int restrict_link_by_builtin_trusted(struct key *dest_keyring,
  46                                      const struct key_type *type,
  47                                      const union key_payload *payload,
  48                                      struct key *restriction_key)
  49 {
  50         return restrict_link_by_signature(dest_keyring, type, payload,
  51                                           builtin_trusted_keys);
  52 }
  53
  54 /**
  55  * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions by the built-in keyring
  56  * @dest_keyring: Keyring being linked to.
  57  * @type: The type of key being added.
  58  * @payload: The payload of the new key.
  59  * @restriction_key: A ring of keys that can be used to vouch for the new cert.
  60  *
  61  * Restrict the addition of keys into a keyring based on the key-to-be-added
  62  * being vouched for by a key in the built in system keyring. The new key
  63  * must have the digitalSignature usage field set.
  64  */
  65 int restrict_link_by_digsig_builtin(struct key *dest_keyring,
  66                                     const struct key_type *type,
  67                                     const union key_payload *payload,
  68                                     struct key *restriction_key)
  69 {
  70         return restrict_link_by_digsig(dest_keyring, type, payload,
  71                                        builtin_trusted_keys);
  72 }
  73
  74 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
  75 /**
  76  * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
  77  *   addition by both built-in and secondary keyrings.
  78  * @dest_keyring: Keyring being linked to.
  79  * @type: The type of key being added.
  80  * @payload: The payload of the new key.
  81  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
  82  *
  83  * Restrict the addition of keys into a keyring based on the key-to-be-added
  84  * being vouched for by a key in either the built-in or the secondary system
  85  * keyrings.
  86  */
  87 int restrict_link_by_builtin_and_secondary_trusted(
  88         struct key *dest_keyring,
  89         const struct key_type *type,
  90         const union key_payload *payload,
  91         struct key *restrict_key)
  92 {
  93         /* If we have a secondary trusted keyring, then that contains a link
  94          * through to the builtin keyring and the search will follow that link.
  95          */
  96         if (type == &key_type_keyring &&
  97             dest_keyring == secondary_trusted_keys &&
  98             payload == &builtin_trusted_keys->payload)
  99                 /* Allow the builtin keyring to be added to the secondary */
 100                 return 0;
 101
 102         return restrict_link_by_signature(dest_keyring, type, payload,
 103                                           secondary_trusted_keys);
 104 }
 105
 106 /**
 107  * restrict_link_by_digsig_builtin_and_secondary - Restrict by digitalSignature.
 108  * @dest_keyring: Keyring being linked to.
 109  * @type: The type of key being added.
 110  * @payload: The payload of the new key.
 111  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
 112  *
 113  * Restrict the addition of keys into a keyring based on the key-to-be-added
 114  * being vouched for by a key in either the built-in or the secondary system
 115  * keyrings. The new key must have the digitalSignature usage field set.
 116  */
 117 int restrict_link_by_digsig_builtin_and_secondary(struct key *dest_keyring,
 118                                                   const struct key_type *type,
 119                                                   const union key_payload *payload,
 120                                                   struct key *restrict_key)
 121 {
 122         /* If we have a secondary trusted keyring, then that contains a link
 123          * through to the builtin keyring and the search will follow that link.
 124          */
 125         if (type == &key_type_keyring &&
 126             dest_keyring == secondary_trusted_keys &&
 127             payload == &builtin_trusted_keys->payload)
 128                 /* Allow the builtin keyring to be added to the secondary */
 129                 return 0;
 130
 131         return restrict_link_by_digsig(dest_keyring, type, payload,
 132                                        secondary_trusted_keys);
 133 }
 134
 135 /*
 136  * Allocate a struct key_restriction for the "builtin and secondary trust"
 137  * keyring. Only for use in system_trusted_keyring_init().
 138  */
 139 static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
 140 {
 141         struct key_restriction *restriction;
 142
 143         restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
 144
 145         if (!restriction)
 146                 panic("Can't allocate secondary trusted keyring restriction\n");
 147
 148         if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
 149                 restriction->check = restrict_link_by_builtin_secondary_and_machine;
 150         else
 151                 restriction->check = restrict_link_by_builtin_and_secondary_trusted;
 152
 153         return restriction;
 154 }
 155
 156 /**
 157  * add_to_secondary_keyring - Add to secondary keyring.
 158  * @source: Source of key
 159  * @data: The blob holding the key
 160  * @len: The length of the data blob
 161  *
 162  * Add a key to the secondary keyring. The key must be vouched for by a key in the builtin,
 163  * machine or secondary keyring itself.
 164  */
 165 void __init add_to_secondary_keyring(const char *source, const void *data, size_t len)
 166 {
 167         key_ref_t key;
 168         key_perm_t perm;
 169
 170         perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW;
 171
 172         key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
 173                                    "asymmetric",
 174                                    NULL, data, len, perm,
 175                                    KEY_ALLOC_NOT_IN_QUOTA);
 176         if (IS_ERR(key)) {
 177                 pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n",
 178                        source, PTR_ERR(key));
 179                 return;
 180         }
 181
 182         pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
 183         key_ref_put(key);
 184 }
 185 #endif
 186 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
 187 void __init set_machine_trusted_keys(struct key *keyring)
 188 {
 189         machine_trusted_keys = keyring;
 190
 191         if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
 192                 panic("Can't link (machine) trusted keyrings\n");
 193 }
 194
 195 /**
 196  * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
 197  * @dest_keyring: Keyring being linked to.
 198  * @type: The type of key being added.
 199  * @payload: The payload of the new key.
 200  * @restrict_key: A ring of keys that can be used to vouch for the new cert.
 201  *
 202  * Restrict the addition of keys into a keyring based on the key-to-be-added
 203  * being vouched for by a key in either the built-in, the secondary, or
 204  * the machine keyrings.
 205  */
 206 int restrict_link_by_builtin_secondary_and_machine(
 207         struct key *dest_keyring,
 208         const struct key_type *type,
 209         const union key_payload *payload,
 210         struct key *restrict_key)
 211 {
 212         if (machine_trusted_keys && type == &key_type_keyring &&
 213             dest_keyring == secondary_trusted_keys &&
 214             payload == &machine_trusted_keys->payload)
 215                 /* Allow the machine keyring to be added to the secondary */
 216                 return 0;
 217
 218         return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
 219                                                               payload, restrict_key);
 220 }
 221 #endif
 222
 223 /*
 224  * Create the trusted keyrings
 225  */
 226 static __init int system_trusted_keyring_init(void)
 227 {
 228         pr_notice("Initialise system trusted keyrings\n");
 229
 230         builtin_trusted_keys =
 231                 keyring_alloc(".builtin_trusted_keys",
 232                               GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
 233                               ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 234                               KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
 235                               KEY_ALLOC_NOT_IN_QUOTA,
 236                               NULL, NULL);
 237         if (IS_ERR(builtin_trusted_keys))
 238                 panic("Can't allocate builtin trusted keyring\n");
 239
 240 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 241         secondary_trusted_keys =
 242                 keyring_alloc(".secondary_trusted_keys",
 243                               GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
 244                               ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
 245                                KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
 246                                KEY_USR_WRITE),
 247                               KEY_ALLOC_NOT_IN_QUOTA,
 248                               get_builtin_and_secondary_restriction(),
 249                               NULL);
 250         if (IS_ERR(secondary_trusted_keys))
 251                 panic("Can't allocate secondary trusted keyring\n");
 252
 253         if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
 254                 panic("Can't link trusted keyrings\n");
 255 #endif
 256
 257         return 0;
 258 }
 259
 260 /*
 261  * Must be initialised before we try and load the keys into the keyring.
 262  */
 263 device_initcall(system_trusted_keyring_init);
 264
 265 __init int load_module_cert(struct key *keyring)
 266 {
 267         if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
 268                 return 0;
 269
 270         pr_notice("Loading compiled-in module X.509 certificates\n");
 271
 272         return x509_load_certificate_list(system_certificate_list,
 273                                           module_cert_size, keyring);
 274 }
 275
 276 /*
 277  * Load the compiled-in list of X.509 certificates.
 278  */
 279 static __init int load_system_certificate_list(void)
 280 {
 281         const u8 *p;
 282         unsigned long size;
 283
 284         pr_notice("Loading compiled-in X.509 certificates\n");
 285
 286 #ifdef CONFIG_MODULE_SIG
 287         p = system_certificate_list;
 288         size = system_certificate_list_size;
 289 #else
 290         p = system_certificate_list + module_cert_size;
 291         size = system_certificate_list_size - module_cert_size;
 292 #endif
 293
 294         return x509_load_certificate_list(p, size, builtin_trusted_keys);
 295 }
 296 late_initcall(load_system_certificate_list);
 297
 298 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
 299
 300 /**
 301  * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
 302  * @data: The data to be verified (NULL if expecting internal data).
 303  * @len: Size of @data.
 304  * @pkcs7: The PKCS#7 message that is the signature.
 305  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 306  *                                      (void *)1UL for all trusted keys).
 307  * @usage: The use to which the key is being put.
 308  * @view_content: Callback to gain access to content.
 309  * @ctx: Context for callback.
 310  */
 311 int verify_pkcs7_message_sig(const void *data, size_t len,
 312                              struct pkcs7_message *pkcs7,
 313                              struct key *trusted_keys,
 314                              enum key_being_used_for usage,
 315                              int (*view_content)(void *ctx,
 316                                                  const void *data, size_t len,
 317                                                  size_t asn1hdrlen),
 318                              void *ctx)
 319 {
 320         int ret;
 321
 322         /* The data should be detached - so we need to supply it. */
 323         if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
 324                 pr_err("PKCS#7 signature with non-detached data\n");
 325                 ret = -EBADMSG;
 326                 goto error;
 327         }
 328
 329         ret = pkcs7_verify(pkcs7, usage);
 330         if (ret < 0)
 331                 goto error;
 332
 333         ret = is_key_on_revocation_list(pkcs7);
 334         if (ret != -ENOKEY) {
 335                 pr_devel("PKCS#7 key is on revocation list\n");
 336                 goto error;
 337         }
 338
 339         if (!trusted_keys) {
 340                 trusted_keys = builtin_trusted_keys;
 341         } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
 342 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 343                 trusted_keys = secondary_trusted_keys;
 344 #else
 345                 trusted_keys = builtin_trusted_keys;
 346 #endif
 347         } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
 348 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
 349                 trusted_keys = platform_trusted_keys;
 350 #else
 351                 trusted_keys = NULL;
 352 #endif
 353                 if (!trusted_keys) {
 354                         ret = -ENOKEY;
 355                         pr_devel("PKCS#7 platform keyring is not available\n");
 356                         goto error;
 357                 }
 358         }
 359         ret = pkcs7_validate_trust(pkcs7, trusted_keys);
 360         if (ret < 0) {
 361                 if (ret == -ENOKEY)
 362                         pr_devel("PKCS#7 signature not signed with a trusted key\n");
 363                 goto error;
 364         }
 365
 366         if (view_content) {
 367                 size_t asn1hdrlen;
 368
 369                 ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
 370                 if (ret < 0) {
 371                         if (ret == -ENODATA)
 372                                 pr_devel("PKCS#7 message does not contain data\n");
 373                         goto error;
 374                 }
 375
 376                 ret = view_content(ctx, data, len, asn1hdrlen);
 377         }
 378
 379 error:
 380         pr_devel("<==%s() = %d\n", __func__, ret);
 381         return ret;
 382 }
 383
 384 /**
 385  * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
 386  * @data: The data to be verified (NULL if expecting internal data).
 387  * @len: Size of @data.
 388  * @raw_pkcs7: The PKCS#7 message that is the signature.
 389  * @pkcs7_len: The size of @raw_pkcs7.
 390  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 391  *                                      (void *)1UL for all trusted keys).
 392  * @usage: The use to which the key is being put.
 393  * @view_content: Callback to gain access to content.
 394  * @ctx: Context for callback.
 395  */
 396 int verify_pkcs7_signature(const void *data, size_t len,
 397                            const void *raw_pkcs7, size_t pkcs7_len,
 398                            struct key *trusted_keys,
 399                            enum key_being_used_for usage,
 400                            int (*view_content)(void *ctx,
 401                                                const void *data, size_t len,
 402                                                size_t asn1hdrlen),
 403                            void *ctx)
 404 {
 405         struct pkcs7_message *pkcs7;
 406         int ret;
 407
 408         pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
 409         if (IS_ERR(pkcs7))
 410                 return PTR_ERR(pkcs7);
 411
 412         ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
 413                                        view_content, ctx);
 414
 415         pkcs7_free_message(pkcs7);
 416         pr_devel("<==%s() = %d\n", __func__, ret);
 417         return ret;
 418 }
 419 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
 420
 421 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 422
 423 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
 424 void __init set_platform_trusted_keys(struct key *keyring)
 425 {
 426         platform_trusted_keys = keyring;
 427 }
 428 #endif