KEYS: Add a system blacklist keyring

Add the following: (1) A new system keyring that is used to store information about blacklisted certificates and signatures. (2) A new key type (called 'blacklist') that is used to store a blacklisted hash in its description as a hex string. The key accepts no payload. (3) The ability to configure a list of blacklisted hashes into the kernel at build time. This is done by setting CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes that are in the form: "<hash>", "<hash>", ..., "<hash>" where each <hash> is a hex string representation of the hash and must include all necessary leading zeros to pad the hash to the right size. The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING. Once the kernel is booted, the blacklist keyring can be listed: root@andromeda ~]# keyctl show %:.blacklist Keyring 723359729 ---lswrv 0 0 keyring: .blacklist 676257228 ---lswrv 0 0 \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 The blacklist cannot currently be modified by userspace, but it will be possible to load it, for example, from the UEFI blacklist database. A later commit will make it possible to load blacklisted asymmetric keys in here too. Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2017-04-03 11:07:24 -0400
committer: David Howells <dhowells@redhat.com> 2017-04-03 11:07:24 -0400
commit: 734114f8782f6c3398762f2353fe9101d87b6d06 (patch)
tree: e16e165dc33f7d1becfcb1f5d79c90e0e3c4e248 /certs/blacklist.c
parent: ddb99e118e37f324a4be65a411bb60ae62795cf9 (diff)
1 files changed, 174 insertions, 0 deletions
diff --git a/certs/blacklist.c b/certs/blacklist.c
new file mode 100644
index 000000000000..3eddce0e307a
--- /dev/null
+++ b/certs/blacklist.c
@@ -0,0 +1,174 @@
+/* System hash blacklist.
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define pr_fmt(fmt) "blacklist: "fmt
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/key.h>
+#include <linux/key-type.h>
+#include <linux/sched.h>
+#include <linux/ctype.h>
+#include <linux/err.h>
+#include <linux/seq_file.h>
+#include <keys/system_keyring.h>
+#include "blacklist.h"
+static struct key *blacklist_keyring;
+/*
+ * The description must be a type prefix, a colon and then an even number of
+ * hex digits.  The hash is kept in the description.
+ */
+static int blacklist_vet_description(const char *desc)
+{
+        int n = 0;
+        if (*desc == ':')
+                return -EINVAL;
+        for (; *desc; desc++)
+                if (*desc == ':')
+                        goto found_colon;
+        return -EINVAL;
+found_colon:
+        desc++;
+        for (; *desc; desc++) {
+                if (!isxdigit(*desc))
+                        return -EINVAL;
+                n++;
+        }
+        if (n == 0 || n & 1)
+                return -EINVAL;
+        return 0;
+}
+/*
+ * The hash to be blacklisted is expected to be in the description.  There will
+ * be no payload.
+ */
+static int blacklist_preparse(struct key_preparsed_payload *prep)
+{
+        if (prep->datalen > 0)
+                return -EINVAL;
+        return 0;
+}
+static void blacklist_free_preparse(struct key_preparsed_payload *prep)
+{
+}
+static void blacklist_describe(const struct key *key, struct seq_file *m)
+{
+        seq_puts(m, key->description);
+}
+static struct key_type key_type_blacklist = {
+        .name                   = "blacklist",
+        .vet_description        = blacklist_vet_description,
+        .preparse               = blacklist_preparse,
+        .free_preparse          = blacklist_free_preparse,
+        .instantiate            = generic_key_instantiate,
+        .describe               = blacklist_describe,
+};
+/**
+ * mark_hash_blacklisted - Add a hash to the system blacklist
+ * @hash - The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
+ */
+int mark_hash_blacklisted(const char *hash)
+{
+        key_ref_t key;
+        key = key_create_or_update(make_key_ref(blacklist_keyring, true),
+                                   "blacklist",
+                                   hash,
+                                   NULL,
+                                   0,
+                                   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                    KEY_USR_VIEW),
+                                   KEY_ALLOC_NOT_IN_QUOTA |
+                                   KEY_ALLOC_BUILT_IN);
+        if (IS_ERR(key)) {
+                pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
+                return PTR_ERR(key);
+        }
+        return 0;
+}
+/**
+ * is_hash_blacklisted - Determine if a hash is blacklisted
+ * @hash: The hash to be checked as a binary blob
+ * @hash_len: The length of the binary hash
+ * @type: Type of hash
+ */
+int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
+{
+        key_ref_t kref;
+        size_t type_len = strlen(type);
+        char *buffer, *p;
+        int ret = 0;
+        buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
+        if (!buffer)
+                return -ENOMEM;
+        p = memcpy(buffer, type, type_len);
+        p += type_len;
+        *p++ = ':';
+        bin2hex(p, hash, hash_len);
+        p += hash_len * 2;
+        *p = 0;
+        kref = keyring_search(make_key_ref(blacklist_keyring, true),
+                              &key_type_blacklist, buffer);
+        if (!IS_ERR(kref)) {
+                key_ref_put(kref);
+                ret = -EKEYREJECTED;
+        }
+        kfree(buffer);
+        return ret;
+}
+EXPORT_SYMBOL_GPL(is_hash_blacklisted);
+/*
+ * Intialise the blacklist
+ */
+static int __init blacklist_init(void)
+{
+        const char *const *bl;
+        if (register_key_type(&key_type_blacklist) < 0)
+                panic("Can't allocate system blacklist key type\n");
+        blacklist_keyring =
+                keyring_alloc(".blacklist",
+                              KUIDT_INIT(0), KGIDT_INIT(0),
+                              current_cred(),
+                              (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                              KEY_USR_VIEW | KEY_USR_READ |
+                              KEY_USR_SEARCH,
+                              KEY_ALLOC_NOT_IN_QUOTA |
+                              KEY_FLAG_KEEP,
+                              NULL, NULL);
+        if (IS_ERR(blacklist_keyring))
+                panic("Can't allocate system blacklist keyring\n");
+        for (bl = blacklist_hashes; *bl; bl++)
+                if (mark_hash_blacklisted(*bl) < 0)
+                        pr_err("- blacklisting failed\n");
+        return 0;
+}
+/*
+ * Must be initialised before we try and load the keys into the keyring.
+ */
+device_initcall(blacklist_init);
author	David Howells <dhowells@redhat.com>	2017-04-03 11:07:24 -0400
committer	David Howells <dhowells@redhat.com>	2017-04-03 11:07:24 -0400
commit	734114f8782f6c3398762f2353fe9101d87b6d06 (patch)
tree	e16e165dc33f7d1becfcb1f5d79c90e0e3c4e248 /certs/blacklist.c
parent	ddb99e118e37f324a4be65a411bb60ae62795cf9 (diff)

diff --git a/certs/blacklist.c b/certs/blacklist.c new file mode 100644 index 000000000000..3eddce0e307a --- /dev/null +++ b/certs/blacklist.c
@@ -0,0 +1,174 @@
	1	/* System hash blacklist.
	2	*
	3	* Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
	4	* Written by David Howells (dhowells@redhat.com)
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public Licence
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the Licence, or (at your option) any later version.
	10	*/
	11
	12	#define pr_fmt(fmt) "blacklist: "fmt
	13	#include <linux/module.h>
	14	#include <linux/slab.h>
	15	#include <linux/key.h>
	16	#include <linux/key-type.h>
	17	#include <linux/sched.h>
	18	#include <linux/ctype.h>
	19	#include <linux/err.h>
	20	#include <linux/seq_file.h>
	21	#include <keys/system_keyring.h>
	22	#include "blacklist.h"
	23
	24	static struct key *blacklist_keyring;
	25
	26	/*
	27	* The description must be a type prefix, a colon and then an even number of
	28	* hex digits. The hash is kept in the description.
	29	*/
	30	static int blacklist_vet_description(const char *desc)
	31	{
	32	int n = 0;
	33
	34	if (*desc == ':')
	35	return -EINVAL;
	36	for (; *desc; desc++)
	37	if (*desc == ':')
	38	goto found_colon;
	39	return -EINVAL;
	40
	41	found_colon:
	42	desc++;
	43	for (; *desc; desc++) {
	44	if (!isxdigit(*desc))
	45	return -EINVAL;
	46	n++;
	47	}
	48
	49	if (n == 0 \|\| n & 1)
	50	return -EINVAL;
	51	return 0;
	52	}
	53
	54	/*
	55	* The hash to be blacklisted is expected to be in the description. There will
	56	* be no payload.
	57	*/
	58	static int blacklist_preparse(struct key_preparsed_payload *prep)
	59	{
	60	if (prep->datalen > 0)
	61	return -EINVAL;
	62	return 0;
	63	}
	64
	65	static void blacklist_free_preparse(struct key_preparsed_payload *prep)
	66	{
	67	}
	68
	69	static void blacklist_describe(const struct key key, struct seq_file m)
	70	{
	71	seq_puts(m, key->description);
	72	}
	73
	74	static struct key_type key_type_blacklist = {
	75	.name = "blacklist",
	76	.vet_description = blacklist_vet_description,
	77	.preparse = blacklist_preparse,
	78	.free_preparse = blacklist_free_preparse,
	79	.instantiate = generic_key_instantiate,
	80	.describe = blacklist_describe,
	81	};
	82
	83	/**
	84	* mark_hash_blacklisted - Add a hash to the system blacklist
	85	* @hash - The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
	86	*/
	87	int mark_hash_blacklisted(const char *hash)
	88	{
	89	key_ref_t key;
	90
	91	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
	92	"blacklist",
	93	hash,
	94	NULL,
	95	0,
	96	((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	97	KEY_USR_VIEW),
	98	KEY_ALLOC_NOT_IN_QUOTA \|
	99	KEY_ALLOC_BUILT_IN);
	100	if (IS_ERR(key)) {
	101	pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
	102	return PTR_ERR(key);
	103	}
	104	return 0;
	105	}
	106
	107	/**
	108	* is_hash_blacklisted - Determine if a hash is blacklisted
	109	* @hash: The hash to be checked as a binary blob
	110	* @hash_len: The length of the binary hash
	111	* @type: Type of hash
	112	*/
	113	int is_hash_blacklisted(const u8 hash, size_t hash_len, const char type)
	114	{
	115	key_ref_t kref;
	116	size_t type_len = strlen(type);
	117	char buffer, p;
	118	int ret = 0;
	119
	120	buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
	121	if (!buffer)
	122	return -ENOMEM;
	123	p = memcpy(buffer, type, type_len);
	124	p += type_len;
	125	*p++ = ':';
	126	bin2hex(p, hash, hash_len);
	127	p += hash_len * 2;
	128	*p = 0;
	129
	130	kref = keyring_search(make_key_ref(blacklist_keyring, true),
	131	&key_type_blacklist, buffer);
	132	if (!IS_ERR(kref)) {
	133	key_ref_put(kref);
	134	ret = -EKEYREJECTED;
	135	}
	136
	137	kfree(buffer);
	138	return ret;
	139	}
	140	EXPORT_SYMBOL_GPL(is_hash_blacklisted);
	141
	142	/*
	143	* Intialise the blacklist
	144	*/
	145	static int __init blacklist_init(void)
	146	{
	147	const char const bl;
	148
	149	if (register_key_type(&key_type_blacklist) < 0)
	150	panic("Can't allocate system blacklist key type\n");
	151
	152	blacklist_keyring =
	153	keyring_alloc(".blacklist",
	154	KUIDT_INIT(0), KGIDT_INIT(0),
	155	current_cred(),
	156	(KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	157	KEY_USR_VIEW \| KEY_USR_READ \|
	158	KEY_USR_SEARCH,
	159	KEY_ALLOC_NOT_IN_QUOTA \|
	160	KEY_FLAG_KEEP,
	161	NULL, NULL);
	162	if (IS_ERR(blacklist_keyring))
	163	panic("Can't allocate system blacklist keyring\n");
	164
	165	for (bl = blacklist_hashes; *bl; bl++)
	166	if (mark_hash_blacklisted(*bl) < 0)
	167	pr_err("- blacklisting failed\n");
	168	return 0;
	169	}
	170
	171	/*
	172	* Must be initialised before we try and load the keys into the keyring.
	173	*/
	174	device_initcall(blacklist_init);