1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Parse a signed PE binary
4 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #define pr_fmt(fmt) "PEFILE: "fmt
9 #include <linux/module.h>
10 #include <linux/kernel.h>
11 #include <linux/slab.h>
12 #include <linux/err.h>
14 #include <linux/asn1.h>
15 #include <linux/verification.h>
16 #include <crypto/hash.h>
17 #include "verify_pefile.h"
22 static int pefile_parse_binary(const void *pebuf
, unsigned int pelen
,
23 struct pefile_context
*ctx
)
25 const struct mz_hdr
*mz
= pebuf
;
26 const struct pe_hdr
*pe
;
27 const struct pe32_opt_hdr
*pe32
;
28 const struct pe32plus_opt_hdr
*pe64
;
29 const struct data_directory
*ddir
;
30 const struct data_dirent
*dde
;
31 const struct section_header
*secs
, *sec
;
32 size_t cursor
, datalen
= pelen
;
36 #define chkaddr(base, x, s) \
38 if ((x) < base || (s) >= datalen || (x) > datalen - (s)) \
42 chkaddr(0, 0, sizeof(*mz
));
43 if (mz
->magic
!= MZ_MAGIC
)
47 chkaddr(cursor
, mz
->peaddr
, sizeof(*pe
));
48 pe
= pebuf
+ mz
->peaddr
;
49 if (pe
->magic
!= PE_MAGIC
)
51 cursor
= mz
->peaddr
+ sizeof(*pe
);
53 chkaddr(0, cursor
, sizeof(pe32
->magic
));
54 pe32
= pebuf
+ cursor
;
55 pe64
= pebuf
+ cursor
;
57 switch (pe32
->magic
) {
58 case PE_OPT_MAGIC_PE32
:
59 chkaddr(0, cursor
, sizeof(*pe32
));
60 ctx
->image_checksum_offset
=
61 (unsigned long)&pe32
->csum
- (unsigned long)pebuf
;
62 ctx
->header_size
= pe32
->header_size
;
63 cursor
+= sizeof(*pe32
);
64 ctx
->n_data_dirents
= pe32
->data_dirs
;
67 case PE_OPT_MAGIC_PE32PLUS
:
68 chkaddr(0, cursor
, sizeof(*pe64
));
69 ctx
->image_checksum_offset
=
70 (unsigned long)&pe64
->csum
- (unsigned long)pebuf
;
71 ctx
->header_size
= pe64
->header_size
;
72 cursor
+= sizeof(*pe64
);
73 ctx
->n_data_dirents
= pe64
->data_dirs
;
77 pr_debug("Unknown PEOPT magic = %04hx\n", pe32
->magic
);
81 pr_debug("checksum @ %x\n", ctx
->image_checksum_offset
);
82 pr_debug("header size = %x\n", ctx
->header_size
);
84 if (cursor
>= ctx
->header_size
|| ctx
->header_size
>= datalen
)
87 if (ctx
->n_data_dirents
> (ctx
->header_size
- cursor
) / sizeof(*dde
))
90 ddir
= pebuf
+ cursor
;
91 cursor
+= sizeof(*dde
) * ctx
->n_data_dirents
;
93 ctx
->cert_dirent_offset
=
94 (unsigned long)&ddir
->certs
- (unsigned long)pebuf
;
95 ctx
->certs_size
= ddir
->certs
.size
;
97 if (!ddir
->certs
.virtual_address
|| !ddir
->certs
.size
) {
98 pr_debug("Unsigned PE binary\n");
102 chkaddr(ctx
->header_size
, ddir
->certs
.virtual_address
,
104 ctx
->sig_offset
= ddir
->certs
.virtual_address
;
105 ctx
->sig_len
= ddir
->certs
.size
;
106 pr_debug("cert = %x @%x [%*ph]\n",
107 ctx
->sig_len
, ctx
->sig_offset
,
108 ctx
->sig_len
, pebuf
+ ctx
->sig_offset
);
110 ctx
->n_sections
= pe
->sections
;
111 if (ctx
->n_sections
> (ctx
->header_size
- cursor
) / sizeof(*sec
))
113 ctx
->secs
= secs
= pebuf
+ cursor
;
119 * Check and strip the PE wrapper from around the signature and check that the
120 * remnant looks something like PKCS#7.
122 static int pefile_strip_sig_wrapper(const void *pebuf
,
123 struct pefile_context
*ctx
)
125 struct win_certificate wrapper
;
129 if (ctx
->sig_len
< sizeof(wrapper
)) {
130 pr_debug("Signature wrapper too short\n");
134 memcpy(&wrapper
, pebuf
+ ctx
->sig_offset
, sizeof(wrapper
));
135 pr_debug("sig wrapper = { %x, %x, %x }\n",
136 wrapper
.length
, wrapper
.revision
, wrapper
.cert_type
);
138 /* Both pesign and sbsign round up the length of certificate table
139 * (in optional header data directories) to 8 byte alignment.
141 if (round_up(wrapper
.length
, 8) != ctx
->sig_len
) {
142 pr_debug("Signature wrapper len wrong\n");
145 if (wrapper
.revision
!= WIN_CERT_REVISION_2_0
) {
146 pr_debug("Signature is not revision 2.0\n");
149 if (wrapper
.cert_type
!= WIN_CERT_TYPE_PKCS_SIGNED_DATA
) {
150 pr_debug("Signature certificate type is not PKCS\n");
154 /* It looks like the pkcs signature length in wrapper->length and the
155 * size obtained from the data dir entries, which lists the total size
156 * of certificate table, are both aligned to an octaword boundary, so
157 * we may have to deal with some padding.
159 ctx
->sig_len
= wrapper
.length
;
160 ctx
->sig_offset
+= sizeof(wrapper
);
161 ctx
->sig_len
-= sizeof(wrapper
);
162 if (ctx
->sig_len
< 4) {
163 pr_debug("Signature data missing\n");
164 return -EKEYREJECTED
;
167 /* What's left should be a PKCS#7 cert */
168 pkcs7
= pebuf
+ ctx
->sig_offset
;
169 if (pkcs7
[0] != (ASN1_CONS_BIT
| ASN1_SEQ
))
176 case ASN1_INDEFINITE_LENGTH
:
182 len
= ((pkcs7
[2] << 8) | pkcs7
[3]) + 4;
191 if (len
<= ctx
->sig_len
) {
192 /* There may be padding */
197 pr_debug("Signature data not PKCS#7\n");
202 * Compare two sections for canonicalisation.
204 static int pefile_compare_shdrs(const void *a
, const void *b
)
206 const struct section_header
*shdra
= a
;
207 const struct section_header
*shdrb
= b
;
210 if (shdra
->data_addr
> shdrb
->data_addr
)
212 if (shdrb
->data_addr
> shdra
->data_addr
)
215 if (shdra
->virtual_address
> shdrb
->virtual_address
)
217 if (shdrb
->virtual_address
> shdra
->virtual_address
)
220 rc
= strcmp(shdra
->name
, shdrb
->name
);
224 if (shdra
->virtual_size
> shdrb
->virtual_size
)
226 if (shdrb
->virtual_size
> shdra
->virtual_size
)
229 if (shdra
->raw_data_size
> shdrb
->raw_data_size
)
231 if (shdrb
->raw_data_size
> shdra
->raw_data_size
)
238 * Load the contents of the PE binary into the digest, leaving out the image
239 * checksum and the certificate data block.
241 static int pefile_digest_pe_contents(const void *pebuf
, unsigned int pelen
,
242 struct pefile_context
*ctx
,
243 struct shash_desc
*desc
)
245 unsigned *canon
, tmp
, loop
, i
, hashed_bytes
;
248 /* Digest the header and data directory, but leave out the image
249 * checksum and the data dirent for the signature.
251 ret
= crypto_shash_update(desc
, pebuf
, ctx
->image_checksum_offset
);
255 tmp
= ctx
->image_checksum_offset
+ sizeof(uint32_t);
256 ret
= crypto_shash_update(desc
, pebuf
+ tmp
,
257 ctx
->cert_dirent_offset
- tmp
);
261 tmp
= ctx
->cert_dirent_offset
+ sizeof(struct data_dirent
);
262 ret
= crypto_shash_update(desc
, pebuf
+ tmp
, ctx
->header_size
- tmp
);
266 canon
= kcalloc(ctx
->n_sections
, sizeof(unsigned), GFP_KERNEL
);
270 /* We have to canonicalise the section table, so we perform an
274 for (loop
= 1; loop
< ctx
->n_sections
; loop
++) {
275 for (i
= 0; i
< loop
; i
++) {
276 if (pefile_compare_shdrs(&ctx
->secs
[canon
[i
]],
277 &ctx
->secs
[loop
]) > 0) {
278 memmove(&canon
[i
+ 1], &canon
[i
],
279 (loop
- i
) * sizeof(canon
[0]));
286 hashed_bytes
= ctx
->header_size
;
287 for (loop
= 0; loop
< ctx
->n_sections
; loop
++) {
289 if (ctx
->secs
[i
].raw_data_size
== 0)
291 ret
= crypto_shash_update(desc
,
292 pebuf
+ ctx
->secs
[i
].data_addr
,
293 ctx
->secs
[i
].raw_data_size
);
298 hashed_bytes
+= ctx
->secs
[i
].raw_data_size
;
302 if (pelen
> hashed_bytes
) {
303 tmp
= hashed_bytes
+ ctx
->certs_size
;
304 ret
= crypto_shash_update(desc
,
305 pebuf
+ hashed_bytes
,
315 * Digest the contents of the PE binary, leaving out the image checksum and the
316 * certificate data block.
318 static int pefile_digest_pe(const void *pebuf
, unsigned int pelen
,
319 struct pefile_context
*ctx
)
321 struct crypto_shash
*tfm
;
322 struct shash_desc
*desc
;
323 size_t digest_size
, desc_size
;
327 kenter(",%s", ctx
->digest_algo
);
329 /* Allocate the hashing algorithm we're going to need and find out how
330 * big the hash operational data will be.
332 tfm
= crypto_alloc_shash(ctx
->digest_algo
, 0, 0);
334 return (PTR_ERR(tfm
) == -ENOENT
) ? -ENOPKG
: PTR_ERR(tfm
);
336 desc_size
= crypto_shash_descsize(tfm
) + sizeof(*desc
);
337 digest_size
= crypto_shash_digestsize(tfm
);
339 if (digest_size
!= ctx
->digest_len
) {
340 pr_debug("Digest size mismatch (%zx != %x)\n",
341 digest_size
, ctx
->digest_len
);
345 pr_debug("Digest: desc=%zu size=%zu\n", desc_size
, digest_size
);
348 desc
= kzalloc(desc_size
+ digest_size
, GFP_KERNEL
);
353 ret
= crypto_shash_init(desc
);
357 ret
= pefile_digest_pe_contents(pebuf
, pelen
, ctx
, desc
);
361 digest
= (void *)desc
+ desc_size
;
362 ret
= crypto_shash_final(desc
, digest
);
366 pr_debug("Digest calc = [%*ph]\n", ctx
->digest_len
, digest
);
368 /* Check that the PE file digest matches that in the MSCODE part of the
369 * PKCS#7 certificate.
371 if (memcmp(digest
, ctx
->digest
, ctx
->digest_len
) != 0) {
372 pr_debug("Digest mismatch\n");
375 pr_debug("The digests match!\n");
381 crypto_free_shash(tfm
);
382 kleave(" = %d", ret
);
387 * verify_pefile_signature - Verify the signature on a PE binary image
388 * @pebuf: Buffer containing the PE binary image
389 * @pelen: Length of the binary image
390 * @trust_keys: Signing certificate(s) to use as starting points
391 * @usage: The use to which the key is being put.
393 * Validate that the certificate chain inside the PKCS#7 message inside the PE
394 * binary image intersects keys we already know and trust.
396 * Returns, in order of descending priority:
398 * (*) -ELIBBAD if the image cannot be parsed, or:
400 * (*) -EKEYREJECTED if a signature failed to match for which we have a valid
403 * (*) 0 if at least one signature chain intersects with the keys in the trust
406 * (*) -ENODATA if there is no signature present.
408 * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
411 * (*) -ENOKEY if we couldn't find a match for any of the signature chains in
414 * May also return -ENOMEM.
416 int verify_pefile_signature(const void *pebuf
, unsigned pelen
,
417 struct key
*trusted_keys
,
418 enum key_being_used_for usage
)
420 struct pefile_context ctx
;
425 memset(&ctx
, 0, sizeof(ctx
));
426 ret
= pefile_parse_binary(pebuf
, pelen
, &ctx
);
430 ret
= pefile_strip_sig_wrapper(pebuf
, &ctx
);
434 ret
= verify_pkcs7_signature(NULL
, 0,
435 pebuf
+ ctx
.sig_offset
, ctx
.sig_len
,
441 pr_debug("Digest: %u [%*ph]\n",
442 ctx
.digest_len
, ctx
.digest_len
, ctx
.digest
);
444 /* Generate the digest and check against the PKCS7 certificate
447 ret
= pefile_digest_pe(pebuf
, pelen
, &ctx
);