diff options
Diffstat (limited to 'kernel/module_signing.c')
| -rw-r--r-- | kernel/module_signing.c | 56 |
1 files changed, 8 insertions, 48 deletions
diff --git a/kernel/module_signing.c b/kernel/module_signing.c index b10fb1986ca9..9d9fc678c91d 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c | |||
| @@ -7,37 +7,13 @@ | |||
| 7 | 7 | ||
| 8 | #include <linux/kernel.h> | 8 | #include <linux/kernel.h> |
| 9 | #include <linux/errno.h> | 9 | #include <linux/errno.h> |
| 10 | #include <linux/module.h> | ||
| 11 | #include <linux/module_signature.h> | ||
| 10 | #include <linux/string.h> | 12 | #include <linux/string.h> |
| 11 | #include <linux/verification.h> | 13 | #include <linux/verification.h> |
| 12 | #include <crypto/public_key.h> | 14 | #include <crypto/public_key.h> |
| 13 | #include "module-internal.h" | 15 | #include "module-internal.h" |
| 14 | 16 | ||
| 15 | enum pkey_id_type { | ||
| 16 | PKEY_ID_PGP, /* OpenPGP generated key ID */ | ||
| 17 | PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ | ||
| 18 | PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ | ||
| 19 | }; | ||
| 20 | |||
| 21 | /* | ||
| 22 | * Module signature information block. | ||
| 23 | * | ||
| 24 | * The constituents of the signature section are, in order: | ||
| 25 | * | ||
| 26 | * - Signer's name | ||
| 27 | * - Key identifier | ||
| 28 | * - Signature data | ||
| 29 | * - Information block | ||
| 30 | */ | ||
| 31 | struct module_signature { | ||
| 32 | u8 algo; /* Public-key crypto algorithm [0] */ | ||
| 33 | u8 hash; /* Digest algorithm [0] */ | ||
| 34 | u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */ | ||
| 35 | u8 signer_len; /* Length of signer's name [0] */ | ||
| 36 | u8 key_id_len; /* Length of key identifier [0] */ | ||
| 37 | u8 __pad[3]; | ||
| 38 | __be32 sig_len; /* Length of signature data */ | ||
| 39 | }; | ||
| 40 | |||
| 41 | /* | 17 | /* |
| 42 | * Verify the signature on a module. | 18 | * Verify the signature on a module. |
| 43 | */ | 19 | */ |
| @@ -45,6 +21,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) | |||
| 45 | { | 21 | { |
| 46 | struct module_signature ms; | 22 | struct module_signature ms; |
| 47 | size_t sig_len, modlen = info->len; | 23 | size_t sig_len, modlen = info->len; |
| 24 | int ret; | ||
| 48 | 25 | ||
| 49 | pr_devel("==>%s(,%zu)\n", __func__, modlen); | 26 | pr_devel("==>%s(,%zu)\n", __func__, modlen); |
| 50 | 27 | ||
| @@ -52,32 +29,15 @@ int mod_verify_sig(const void *mod, struct load_info *info) | |||
| 52 | return -EBADMSG; | 29 | return -EBADMSG; |
| 53 | 30 | ||
| 54 | memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); | 31 | memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); |
| 55 | modlen -= sizeof(ms); | 32 | |
| 33 | ret = mod_check_sig(&ms, modlen, info->name); | ||
| 34 | if (ret) | ||
| 35 | return ret; | ||
| 56 | 36 | ||
| 57 | sig_len = be32_to_cpu(ms.sig_len); | 37 | sig_len = be32_to_cpu(ms.sig_len); |
| 58 | if (sig_len >= modlen) | 38 | modlen -= sig_len + sizeof(ms); |
| 59 | return -EBADMSG; | ||
| 60 | modlen -= sig_len; | ||
| 61 | info->len = modlen; | 39 | info->len = modlen; |
| 62 | 40 | ||
| 63 | if (ms.id_type != PKEY_ID_PKCS7) { | ||
| 64 | pr_err("%s: Module is not signed with expected PKCS#7 message\n", | ||
| 65 | info->name); | ||
| 66 | return -ENOPKG; | ||
| 67 | } | ||
| 68 | |||
| 69 | if (ms.algo != 0 || | ||
| 70 | ms.hash != 0 || | ||
| 71 | ms.signer_len != 0 || | ||
| 72 | ms.key_id_len != 0 || | ||
| 73 | ms.__pad[0] != 0 || | ||
| 74 | ms.__pad[1] != 0 || | ||
| 75 | ms.__pad[2] != 0) { | ||
| 76 | pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n", | ||
| 77 | info->name); | ||
| 78 | return -EBADMSG; | ||
| 79 | } | ||
| 80 | |||
| 81 | return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, | 41 | return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, |
| 82 | VERIFY_USE_SECONDARY_KEYRING, | 42 | VERIFY_USE_SECONDARY_KEYRING, |
| 83 | VERIFYING_MODULE_SIGNATURE, | 43 | VERIFYING_MODULE_SIGNATURE, |