search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 4.9.199
[linux/fpc-iii.git] / security / integrity / digsig.c
blob95433acde1c1ffafcd7c90b7e226432532cb895e
1 /*
2 * Copyright (C) 2011 Intel Corporation
3 *
4 * Author:
5 * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2 of the License.
10 *
11 */
12
13 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15 #include <linux/err.h>
16 #include <linux/sched.h>
17 #include <linux/slab.h>
18 #include <linux/cred.h>
19 #include <linux/key-type.h>
20 #include <linux/digsig.h>
21 #include <linux/vmalloc.h>
22 #include <crypto/public_key.h>
23 #include <keys/system_keyring.h>
24
25 #include "integrity.h"
26
27 static struct key *keyring[INTEGRITY_KEYRING_MAX];
28
29 static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
30 #ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
31 "_evm",
32 "_ima",
33 #else
34 ".evm",
35 ".ima",
36 #endif
37 "_module",
38 };
39
40 #ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
41 static bool init_keyring __initdata = true;
42 #else
43 static bool init_keyring __initdata;
44 #endif
45
46 #ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
47 #define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
48 #else
49 #define restrict_link_to_ima restrict_link_by_builtin_trusted
50 #endif
51
52 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
53 const char *digest, int digestlen)
54 {
55 if (id >= INTEGRITY_KEYRING_MAX)
56 return -EINVAL;
57
58 if (!keyring[id]) {
59 keyring[id] =
60 request_key(&key_type_keyring, keyring_name[id], NULL);
61 if (IS_ERR(keyring[id])) {
62 int err = PTR_ERR(keyring[id]);
63 pr_err("no %s keyring: %d\n", keyring_name[id], err);
64 keyring[id] = NULL;
65 return err;
66 }
67 }
68
69 switch (sig[1]) {
70 case 1:
71 /* v1 API expect signature without xattr type */
72 return digsig_verify(keyring[id], sig + 1, siglen - 1,
73 digest, digestlen);
74 case 2:
75 return asymmetric_verify(keyring[id], sig, siglen,
76 digest, digestlen);
77 }
78
79 return -EOPNOTSUPP;
80 }
81
82 int __init integrity_init_keyring(const unsigned int id)
83 {
84 const struct cred *cred = current_cred();
85 int err = 0;
86
87 if (!init_keyring)
88 return 0;
89
90 keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
91 KGIDT_INIT(0), cred,
92 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
93 KEY_USR_VIEW | KEY_USR_READ |
94 KEY_USR_WRITE | KEY_USR_SEARCH),
95 KEY_ALLOC_NOT_IN_QUOTA,
96 restrict_link_to_ima, NULL);
97 if (IS_ERR(keyring[id])) {
98 err = PTR_ERR(keyring[id]);
99 pr_info("Can't allocate %s keyring (%d)\n",
100 keyring_name[id], err);
101 keyring[id] = NULL;
102 }
103 return err;
104 }
105
106 int __init integrity_load_x509(const unsigned int id, const char *path)
107 {
108 key_ref_t key;
109 char *data;
110 int rc;
111
112 if (!keyring[id])
113 return -EINVAL;
114
115 rc = integrity_read_file(path, &data);
116 if (rc < 0)
117 return rc;
118
119 key = key_create_or_update(make_key_ref(keyring[id], 1),
120 "asymmetric",
121 NULL,
122 data,
123 rc,
124 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
125 KEY_USR_VIEW | KEY_USR_READ),
126 KEY_ALLOC_NOT_IN_QUOTA);
127 if (IS_ERR(key)) {
128 rc = PTR_ERR(key);
129 pr_err("Problem loading X.509 certificate (%d): %s\n",
130 rc, path);
131 } else {
132 pr_notice("Loaded X.509 cert '%s': %s\n",
133 key_ref_to_ptr(key)->description, path);
134 key_ref_put(key);
135 }
136 kfree(data);
137 return 0;
138 }
Linux with added FPC-III support