1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
|
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) 2019 Microsoft Corporation.
*
* Author: Jaskaran Singh Khurana <jaskarankhurana@linux.microsoft.com>
*
*/
#include <linux/device-mapper.h>
#include <linux/verification.h>
#include <linux/key.h>
#include <keys/user-type.h>
#include <linux/module.h>
#include "dm-verity.h"
#include "dm-verity-verify-sig.h"
#define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
static struct key *dm_verity_keyring;
static bool dm_verity_keyring_unsealed __ro_after_init;
module_param_named(keyring_unsealed, dm_verity_keyring_unsealed, bool, 0444);
MODULE_PARM_DESC(keyring_unsealed, "Leave the dm-verity keyring unsealed");
static bool require_signatures;
module_param(require_signatures, bool, 0444);
MODULE_PARM_DESC(require_signatures,
"Verify the roothash of dm-verity hash tree");
#define DM_VERITY_IS_SIG_FORCE_ENABLED() \
(require_signatures != false)
bool verity_verify_is_sig_opt_arg(const char *arg_name)
{
return (!strcasecmp(arg_name,
DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY));
}
static int verity_verify_get_sig_from_key(const char *key_desc,
struct dm_verity_sig_opts *sig_opts)
{
struct key *key;
const struct user_key_payload *ukp;
int ret = 0;
key = request_key(&key_type_user,
key_desc, NULL);
if (IS_ERR(key))
return PTR_ERR(key);
down_read(&key->sem);
ukp = user_key_payload_locked(key);
if (!ukp) {
ret = -EKEYREVOKED;
goto end;
}
sig_opts->sig = kmalloc(ukp->datalen, GFP_KERNEL);
if (!sig_opts->sig) {
ret = -ENOMEM;
goto end;
}
sig_opts->sig_size = ukp->datalen;
memcpy(sig_opts->sig, ukp->data, sig_opts->sig_size);
end:
up_read(&key->sem);
key_put(key);
return ret;
}
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
struct dm_verity *v,
struct dm_verity_sig_opts *sig_opts,
unsigned int *argc,
const char *arg_name)
{
struct dm_target *ti = v->ti;
int ret;
const char *sig_key = NULL;
if (v->signature_key_desc) {
ti->error = DM_VERITY_VERIFY_ERR("root_hash_sig_key_desc already specified");
return -EINVAL;
}
if (!*argc) {
ti->error = DM_VERITY_VERIFY_ERR("Signature key not specified");
return -EINVAL;
}
sig_key = dm_shift_arg(as);
(*argc)--;
ret = verity_verify_get_sig_from_key(sig_key, sig_opts);
if (ret < 0) {
ti->error = DM_VERITY_VERIFY_ERR("Invalid key specified");
return ret;
}
v->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
if (!v->signature_key_desc) {
ti->error = DM_VERITY_VERIFY_ERR("Could not allocate memory for signature key");
return -ENOMEM;
}
return 0;
}
/*
* verify_verify_roothash - Verify the root hash of the verity hash device
* using builtin trusted keys.
*
* @root_hash: For verity, the roothash/data to be verified.
* @root_hash_len: Size of the roothash/data to be verified.
* @sig_data: The trusted signature that verifies the roothash/data.
* @sig_len: Size of the signature.
*
*/
int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
const void *sig_data, size_t sig_len)
{
int ret;
if (!root_hash || root_hash_len == 0)
return -EINVAL;
if (!sig_data || sig_len == 0) {
if (DM_VERITY_IS_SIG_FORCE_ENABLED())
return -ENOKEY;
else
return 0;
}
ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
sig_len,
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
VERIFY_USE_SECONDARY_KEYRING,
#else
NULL,
#endif
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
if (ret == -ENOKEY || ret == -EKEYREJECTED)
ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
sig_len,
VERIFY_USE_PLATFORM_KEYRING,
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
#endif
if (ret != -ENOKEY && ret != -EKEYREJECTED)
return ret;
if (dm_verity_keyring->keys.nr_leaves_on_tree &&
dm_verity_keyring->restrict_link)
ret = verify_pkcs7_signature(root_hash, root_hash_len,
sig_data, sig_len,
dm_verity_keyring,
VERIFYING_UNSPECIFIED_SIGNATURE,
NULL, NULL);
return ret;
}
void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
{
kfree(sig_opts->sig);
sig_opts->sig = NULL;
sig_opts->sig_size = 0;
}
int __init dm_verity_verify_sig_init(void)
{
dm_verity_keyring = keyring_alloc(".dm-verity",
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID,
current_cred(),
KEY_POS_SEARCH |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_WRITE | KEY_USR_SEARCH |
KEY_USR_SETATTR,
KEY_ALLOC_NOT_IN_QUOTA,
NULL, NULL);
if (IS_ERR(dm_verity_keyring))
panic("dm-verity can't allocate keyring\n");
if (!dm_verity_keyring_unsealed &&
keyring_restrict(make_key_ref(dm_verity_keyring, true), NULL, NULL))
panic("dm-verity can't seal keyring\n");
return 0;
}
void dm_verity_verify_sig_exit(void)
{
key_revoke(dm_verity_keyring);
key_put(dm_verity_keyring);
}
|
