1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 2019 Microsoft Corporation.
5 * Author: Jaskaran Singh Khurana <jaskarankhurana@linux.microsoft.com>
8 #include <linux/device-mapper.h>
9 #include <linux/verification.h>
10 #include <keys/user-type.h>
11 #include <linux/module.h>
12 #include "dm-verity.h"
13 #include "dm-verity-verify-sig.h"
15 #define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
17 static bool require_signatures
;
18 module_param(require_signatures
, bool, false);
19 MODULE_PARM_DESC(require_signatures
,
20 "Verify the roothash of dm-verity hash tree");
22 #define DM_VERITY_IS_SIG_FORCE_ENABLED() \
23 (require_signatures != false)
25 bool verity_verify_is_sig_opt_arg(const char *arg_name
)
27 return (!strcasecmp(arg_name
,
28 DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY
));
31 static int verity_verify_get_sig_from_key(const char *key_desc
,
32 struct dm_verity_sig_opts
*sig_opts
)
35 const struct user_key_payload
*ukp
;
38 key
= request_key(&key_type_user
,
45 ukp
= user_key_payload_locked(key
);
51 sig_opts
->sig
= kmalloc(ukp
->datalen
, GFP_KERNEL
);
56 sig_opts
->sig_size
= ukp
->datalen
;
58 memcpy(sig_opts
->sig
, ukp
->data
, sig_opts
->sig_size
);
67 int verity_verify_sig_parse_opt_args(struct dm_arg_set
*as
,
69 struct dm_verity_sig_opts
*sig_opts
,
73 struct dm_target
*ti
= v
->ti
;
75 const char *sig_key
= NULL
;
78 ti
->error
= DM_VERITY_VERIFY_ERR("Signature key not specified");
82 sig_key
= dm_shift_arg(as
);
85 ret
= verity_verify_get_sig_from_key(sig_key
, sig_opts
);
87 ti
->error
= DM_VERITY_VERIFY_ERR("Invalid key specified");
89 v
->signature_key_desc
= kstrdup(sig_key
, GFP_KERNEL
);
90 if (!v
->signature_key_desc
)
97 * verify_verify_roothash - Verify the root hash of the verity hash device
98 * using builtin trusted keys.
100 * @root_hash: For verity, the roothash/data to be verified.
101 * @root_hash_len: Size of the roothash/data to be verified.
102 * @sig_data: The trusted signature that verifies the roothash/data.
103 * @sig_len: Size of the signature.
106 int verity_verify_root_hash(const void *root_hash
, size_t root_hash_len
,
107 const void *sig_data
, size_t sig_len
)
111 if (!root_hash
|| root_hash_len
== 0)
114 if (!sig_data
|| sig_len
== 0) {
115 if (DM_VERITY_IS_SIG_FORCE_ENABLED())
121 ret
= verify_pkcs7_signature(root_hash
, root_hash_len
, sig_data
,
122 sig_len
, NULL
, VERIFYING_UNSPECIFIED_SIGNATURE
,
128 void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts
*sig_opts
)
130 kfree(sig_opts
->sig
);
131 sig_opts
->sig
= NULL
;
132 sig_opts
->sig_size
= 0;