aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--crypto/asymmetric_keys/Kconfig11
-rw-r--r--crypto/asymmetric_keys/Makefile15
-rw-r--r--crypto/asymmetric_keys/mscode.asn128
-rw-r--r--crypto/asymmetric_keys/mscode_parser.c126
-rw-r--r--crypto/asymmetric_keys/verify_pefile.c457
-rw-r--r--crypto/asymmetric_keys/verify_pefile.h42
-rw-r--r--include/linux/oid_registry.h7
-rw-r--r--include/linux/pe.h448
-rw-r--r--include/linux/verify_pefile.h18
9 files changed, 1150 insertions, 2 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index b6df198d1b6f..ca41be5631c7 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -33,7 +33,7 @@ config X509_CERTIFICATE_PARSER
33 select ASN1 33 select ASN1
34 select OID_REGISTRY 34 select OID_REGISTRY
35 help 35 help
36 This option procides support for parsing X.509 format blobs for key 36 This option provides support for parsing X.509 format blobs for key
37 data and provides the ability to instantiate a crypto key from a 37 data and provides the ability to instantiate a crypto key from a
38 public key packet found inside the certificate. 38 public key packet found inside the certificate.
39 39
@@ -59,4 +59,13 @@ config PKCS7_TEST_KEY
59 59
60 This is intended for testing the PKCS#7 parser. 60 This is intended for testing the PKCS#7 parser.
61 61
62config SIGNED_PE_FILE_VERIFICATION
63 bool "Support for PE file signature verification"
64 depends on PKCS7_MESSAGE_PARSER=y
65 select ASN1
66 select OID_REGISTRY
67 help
68 This option provides support for verifying the signature(s) on a
69 signed PE binary.
70
62endif # ASYMMETRIC_KEY_TYPE 71endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 92d0e9af24d5..e47fcd9ac5e8 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -47,3 +47,18 @@ clean-files += pkcs7-asn1.c pkcs7-asn1.h
47obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o 47obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
48pkcs7_test_key-y := \ 48pkcs7_test_key-y := \
49 pkcs7_key_type.o 49 pkcs7_key_type.o
50
51#
52# Signed PE binary-wrapped key handling
53#
54obj-$(CONFIG_SIGNED_PE_FILE_VERIFICATION) += verify_signed_pefile.o
55
56verify_signed_pefile-y := \
57 verify_pefile.o \
58 mscode_parser.o \
59 mscode-asn1.o
60
61$(obj)/mscode_parser.o: $(obj)/mscode-asn1.h $(obj)/mscode-asn1.h
62$(obj)/mscode-asn1.o: $(obj)/mscode-asn1.c $(obj)/mscode-asn1.h
63
64clean-files += mscode-asn1.c mscode-asn1.h
diff --git a/crypto/asymmetric_keys/mscode.asn1 b/crypto/asymmetric_keys/mscode.asn1
new file mode 100644
index 000000000000..6d09ba48c41c
--- /dev/null
+++ b/crypto/asymmetric_keys/mscode.asn1
@@ -0,0 +1,28 @@
1--- Microsoft individual code signing data blob parser
2---
3--- Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4--- Written by David Howells (dhowells@redhat.com)
5---
6--- This program is free software; you can redistribute it and/or
7--- modify it under the terms of the GNU General Public Licence
8--- as published by the Free Software Foundation; either version
9--- 2 of the Licence, or (at your option) any later version.
10---
11
12MSCode ::= SEQUENCE {
13 type SEQUENCE {
14 contentType ContentType,
15 parameters ANY
16 },
17 content SEQUENCE {
18 digestAlgorithm DigestAlgorithmIdentifier,
19 digest OCTET STRING ({ mscode_note_digest })
20 }
21}
22
23ContentType ::= OBJECT IDENTIFIER ({ mscode_note_content_type })
24
25DigestAlgorithmIdentifier ::= SEQUENCE {
26 algorithm OBJECT IDENTIFIER ({ mscode_note_digest_algo }),
27 parameters ANY OPTIONAL
28}
diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
new file mode 100644
index 000000000000..214a992123cd
--- /dev/null
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -0,0 +1,126 @@
1/* Parse a Microsoft Individual Code Signing blob
2 *
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#define pr_fmt(fmt) "MSCODE: "fmt
13#include <linux/kernel.h>
14#include <linux/slab.h>
15#include <linux/err.h>
16#include <linux/oid_registry.h>
17#include <crypto/pkcs7.h>
18#include "verify_pefile.h"
19#include "mscode-asn1.h"
20
21/*
22 * Parse a Microsoft Individual Code Signing blob
23 */
24int mscode_parse(struct pefile_context *ctx)
25{
26 const void *content_data;
27 size_t data_len;
28 int ret;
29
30 ret = pkcs7_get_content_data(ctx->pkcs7, &content_data, &data_len, 1);
31
32 if (ret) {
33 pr_debug("PKCS#7 message does not contain data\n");
34 return ret;
35 }
36
37 pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len),
38 content_data);
39
40 return asn1_ber_decoder(&mscode_decoder, ctx, content_data, data_len);
41}
42
43/*
44 * Check the content type OID
45 */
46int mscode_note_content_type(void *context, size_t hdrlen,
47 unsigned char tag,
48 const void *value, size_t vlen)
49{
50 enum OID oid;
51
52 oid = look_up_OID(value, vlen);
53 if (oid == OID__NR) {
54 char buffer[50];
55
56 sprint_oid(value, vlen, buffer, sizeof(buffer));
57 pr_err("Unknown OID: %s\n", buffer);
58 return -EBADMSG;
59 }
60
61 /*
62 * pesign utility had a bug where it was putting
63 * OID_msIndividualSPKeyPurpose instead of OID_msPeImageDataObjId
64 * So allow both OIDs.
65 */
66 if (oid != OID_msPeImageDataObjId &&
67 oid != OID_msIndividualSPKeyPurpose) {
68 pr_err("Unexpected content type OID %u\n", oid);
69 return -EBADMSG;
70 }
71
72 return 0;
73}
74
75/*
76 * Note the digest algorithm OID
77 */
78int mscode_note_digest_algo(void *context, size_t hdrlen,
79 unsigned char tag,
80 const void *value, size_t vlen)
81{
82 struct pefile_context *ctx = context;
83 char buffer[50];
84 enum OID oid;
85
86 oid = look_up_OID(value, vlen);
87 switch (oid) {
88 case OID_md4:
89 ctx->digest_algo = HASH_ALGO_MD4;
90 break;
91 case OID_md5:
92 ctx->digest_algo = HASH_ALGO_MD5;
93 break;
94 case OID_sha1:
95 ctx->digest_algo = HASH_ALGO_SHA1;
96 break;
97 case OID_sha256:
98 ctx->digest_algo = HASH_ALGO_SHA256;
99 break;
100
101 case OID__NR:
102 sprint_oid(value, vlen, buffer, sizeof(buffer));
103 pr_err("Unknown OID: %s\n", buffer);
104 return -EBADMSG;
105
106 default:
107 pr_err("Unsupported content type: %u\n", oid);
108 return -ENOPKG;
109 }
110
111 return 0;
112}
113
114/*
115 * Note the digest we're guaranteeing with this certificate
116 */
117int mscode_note_digest(void *context, size_t hdrlen,
118 unsigned char tag,
119 const void *value, size_t vlen)
120{
121 struct pefile_context *ctx = context;
122
123 ctx->digest = value;
124 ctx->digest_len = vlen;
125 return 0;
126}
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
new file mode 100644
index 000000000000..79175e6ea0b2
--- /dev/null
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -0,0 +1,457 @@
1/* Parse a signed PE binary
2 *
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#define pr_fmt(fmt) "PEFILE: "fmt
13#include <linux/module.h>
14#include <linux/kernel.h>
15#include <linux/slab.h>
16#include <linux/err.h>
17#include <linux/pe.h>
18#include <linux/asn1.h>
19#include <crypto/pkcs7.h>
20#include <crypto/hash.h>
21#include "verify_pefile.h"
22
23/*
24 * Parse a PE binary.
25 */
26static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
27 struct pefile_context *ctx)
28{
29 const struct mz_hdr *mz = pebuf;
30 const struct pe_hdr *pe;
31 const struct pe32_opt_hdr *pe32;
32 const struct pe32plus_opt_hdr *pe64;
33 const struct data_directory *ddir;
34 const struct data_dirent *dde;
35 const struct section_header *secs, *sec;
36 size_t cursor, datalen = pelen;
37
38 kenter("");
39
40#define chkaddr(base, x, s) \
41 do { \
42 if ((x) < base || (s) >= datalen || (x) > datalen - (s)) \
43 return -ELIBBAD; \
44 } while (0)
45
46 chkaddr(0, 0, sizeof(*mz));
47 if (mz->magic != MZ_MAGIC)
48 return -ELIBBAD;
49 cursor = sizeof(*mz);
50
51 chkaddr(cursor, mz->peaddr, sizeof(*pe));
52 pe = pebuf + mz->peaddr;
53 if (pe->magic != PE_MAGIC)
54 return -ELIBBAD;
55 cursor = mz->peaddr + sizeof(*pe);
56
57 chkaddr(0, cursor, sizeof(pe32->magic));
58 pe32 = pebuf + cursor;
59 pe64 = pebuf + cursor;
60
61 switch (pe32->magic) {
62 case PE_OPT_MAGIC_PE32:
63 chkaddr(0, cursor, sizeof(*pe32));
64 ctx->image_checksum_offset =
65 (unsigned long)&pe32->csum - (unsigned long)pebuf;
66 ctx->header_size = pe32->header_size;
67 cursor += sizeof(*pe32);
68 ctx->n_data_dirents = pe32->data_dirs;
69 break;
70
71 case PE_OPT_MAGIC_PE32PLUS:
72 chkaddr(0, cursor, sizeof(*pe64));
73 ctx->image_checksum_offset =
74 (unsigned long)&pe64->csum - (unsigned long)pebuf;
75 ctx->header_size = pe64->header_size;
76 cursor += sizeof(*pe64);
77 ctx->n_data_dirents = pe64->data_dirs;
78 break;
79
80 default:
81 pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
82 return -ELIBBAD;
83 }
84
85 pr_debug("checksum @ %x\n", ctx->image_checksum_offset);
86 pr_debug("header size = %x\n", ctx->header_size);
87
88 if (cursor >= ctx->header_size || ctx->header_size >= datalen)
89 return -ELIBBAD;
90
91 if (ctx->n_data_dirents > (ctx->header_size - cursor) / sizeof(*dde))
92 return -ELIBBAD;
93
94 ddir = pebuf + cursor;
95 cursor += sizeof(*dde) * ctx->n_data_dirents;
96
97 ctx->cert_dirent_offset =
98 (unsigned long)&ddir->certs - (unsigned long)pebuf;
99 ctx->certs_size = ddir->certs.size;
100
101 if (!ddir->certs.virtual_address || !ddir->certs.size) {
102 pr_debug("Unsigned PE binary\n");
103 return -EKEYREJECTED;
104 }
105
106 chkaddr(ctx->header_size, ddir->certs.virtual_address,
107 ddir->certs.size);
108 ctx->sig_offset = ddir->certs.virtual_address;
109 ctx->sig_len = ddir->certs.size;
110 pr_debug("cert = %x @%x [%*ph]\n",
111 ctx->sig_len, ctx->sig_offset,
112 ctx->sig_len, pebuf + ctx->sig_offset);
113
114 ctx->n_sections = pe->sections;
115 if (ctx->n_sections > (ctx->header_size - cursor) / sizeof(*sec))
116 return -ELIBBAD;
117 ctx->secs = secs = pebuf + cursor;
118
119 return 0;
120}
121
122/*
123 * Check and strip the PE wrapper from around the signature and check that the
124 * remnant looks something like PKCS#7.
125 */
126static int pefile_strip_sig_wrapper(const void *pebuf,
127 struct pefile_context *ctx)
128{
129 struct win_certificate wrapper;
130 const u8 *pkcs7;
131
132 if (ctx->sig_len < sizeof(wrapper)) {
133 pr_debug("Signature wrapper too short\n");
134 return -ELIBBAD;
135 }
136
137 memcpy(&wrapper, pebuf + ctx->sig_offset, sizeof(wrapper));
138 pr_debug("sig wrapper = { %x, %x, %x }\n",
139 wrapper.length, wrapper.revision, wrapper.cert_type);
140
141 /* Both pesign and sbsign round up the length of certificate table
142 * (in optional header data directories) to 8 byte alignment.
143 */
144 if (round_up(wrapper.length, 8) != ctx->sig_len) {
145 pr_debug("Signature wrapper len wrong\n");
146 return -ELIBBAD;
147 }
148 if (wrapper.revision != WIN_CERT_REVISION_2_0) {
149 pr_debug("Signature is not revision 2.0\n");
150 return -ENOTSUPP;
151 }
152 if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
153 pr_debug("Signature certificate type is not PKCS\n");
154 return -ENOTSUPP;
155 }
156
157 /* Looks like actual pkcs signature length is in wrapper->length.
158 * size obtained from data dir entries lists the total size of
159 * certificate table which is also aligned to octawrod boundary.
160 *
161 * So set signature length field appropriately.
162 */
163 ctx->sig_len = wrapper.length;
164 ctx->sig_offset += sizeof(wrapper);
165 ctx->sig_len -= sizeof(wrapper);
166 if (ctx->sig_len == 0) {
167 pr_debug("Signature data missing\n");
168 return -EKEYREJECTED;
169 }
170
171 /* What's left should a PKCS#7 cert */
172 pkcs7 = pebuf + ctx->sig_offset;
173 if (pkcs7[0] == (ASN1_CONS_BIT | ASN1_SEQ)) {
174 if (pkcs7[1] == 0x82 &&
175 pkcs7[2] == (((ctx->sig_len - 4) >> 8) & 0xff) &&
176 pkcs7[3] == ((ctx->sig_len - 4) & 0xff))
177 return 0;
178 if (pkcs7[1] == 0x80)
179 return 0;
180 if (pkcs7[1] > 0x82)
181 return -EMSGSIZE;
182 }
183
184 pr_debug("Signature data not PKCS#7\n");
185 return -ELIBBAD;
186}
187
188/*
189 * Compare two sections for canonicalisation.
190 */
191static int pefile_compare_shdrs(const void *a, const void *b)
192{
193 const struct section_header *shdra = a;
194 const struct section_header *shdrb = b;
195 int rc;
196
197 if (shdra->data_addr > shdrb->data_addr)
198 return 1;
199 if (shdrb->data_addr > shdra->data_addr)
200 return -1;
201
202 if (shdra->virtual_address > shdrb->virtual_address)
203 return 1;
204 if (shdrb->virtual_address > shdra->virtual_address)
205 return -1;
206
207 rc = strcmp(shdra->name, shdrb->name);
208 if (rc != 0)
209 return rc;
210
211 if (shdra->virtual_size > shdrb->virtual_size)
212 return 1;
213 if (shdrb->virtual_size > shdra->virtual_size)
214 return -1;
215
216 if (shdra->raw_data_size > shdrb->raw_data_size)
217 return 1;
218 if (shdrb->raw_data_size > shdra->raw_data_size)
219 return -1;
220
221 return 0;
222}
223
224/*
225 * Load the contents of the PE binary into the digest, leaving out the image
226 * checksum and the certificate data block.
227 */
228static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
229 struct pefile_context *ctx,
230 struct shash_desc *desc)
231{
232 unsigned *canon, tmp, loop, i, hashed_bytes;
233 int ret;
234
235 /* Digest the header and data directory, but leave out the image
236 * checksum and the data dirent for the signature.
237 */
238 ret = crypto_shash_update(desc, pebuf, ctx->image_checksum_offset);
239 if (ret < 0)
240 return ret;
241
242 tmp = ctx->image_checksum_offset + sizeof(uint32_t);
243 ret = crypto_shash_update(desc, pebuf + tmp,
244 ctx->cert_dirent_offset - tmp);
245 if (ret < 0)
246 return ret;
247
248 tmp = ctx->cert_dirent_offset + sizeof(struct data_dirent);
249 ret = crypto_shash_update(desc, pebuf + tmp, ctx->header_size - tmp);
250 if (ret < 0)
251 return ret;
252
253 canon = kcalloc(ctx->n_sections, sizeof(unsigned), GFP_KERNEL);
254 if (!canon)
255 return -ENOMEM;
256
257 /* We have to canonicalise the section table, so we perform an
258 * insertion sort.
259 */
260 canon[0] = 0;
261 for (loop = 1; loop < ctx->n_sections; loop++) {
262 for (i = 0; i < loop; i++) {
263 if (pefile_compare_shdrs(&ctx->secs[canon[i]],
264 &ctx->secs[loop]) > 0) {
265 memmove(&canon[i + 1], &canon[i],
266 (loop - i) * sizeof(canon[0]));
267 break;
268 }
269 }
270 canon[i] = loop;
271 }
272
273 hashed_bytes = ctx->header_size;
274 for (loop = 0; loop < ctx->n_sections; loop++) {
275 i = canon[loop];
276 if (ctx->secs[i].raw_data_size == 0)
277 continue;
278 ret = crypto_shash_update(desc,
279 pebuf + ctx->secs[i].data_addr,
280 ctx->secs[i].raw_data_size);
281 if (ret < 0) {
282 kfree(canon);
283 return ret;
284 }
285 hashed_bytes += ctx->secs[i].raw_data_size;
286 }
287 kfree(canon);
288
289 if (pelen > hashed_bytes) {
290 tmp = hashed_bytes + ctx->certs_size;
291 ret = crypto_shash_update(desc,
292 pebuf + hashed_bytes,
293 pelen - tmp);
294 if (ret < 0)
295 return ret;
296 }
297
298 return 0;
299}
300
301/*
302 * Digest the contents of the PE binary, leaving out the image checksum and the
303 * certificate data block.
304 */
305static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
306 struct pefile_context *ctx)
307{
308 struct crypto_shash *tfm;
309 struct shash_desc *desc;
310 size_t digest_size, desc_size;
311 void *digest;
312 int ret;
313
314 kenter(",%u", ctx->digest_algo);
315
316 /* Allocate the hashing algorithm we're going to need and find out how
317 * big the hash operational data will be.
318 */
319 tfm = crypto_alloc_shash(hash_algo_name[ctx->digest_algo], 0, 0);
320 if (IS_ERR(tfm))
321 return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
322
323 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
324 digest_size = crypto_shash_digestsize(tfm);
325
326 if (digest_size != ctx->digest_len) {
327 pr_debug("Digest size mismatch (%zx != %x)\n",
328 digest_size, ctx->digest_len);
329 ret = -EBADMSG;
330 goto error_no_desc;
331 }
332 pr_debug("Digest: desc=%zu size=%zu\n", desc_size, digest_size);
333
334 ret = -ENOMEM;
335 desc = kzalloc(desc_size + digest_size, GFP_KERNEL);
336 if (!desc)
337 goto error_no_desc;
338
339 desc->tfm = tfm;
340 desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
341 ret = crypto_shash_init(desc);
342 if (ret < 0)
343 goto error;
344
345 ret = pefile_digest_pe_contents(pebuf, pelen, ctx, desc);
346 if (ret < 0)
347 goto error;
348
349 digest = (void *)desc + desc_size;
350 ret = crypto_shash_final(desc, digest);
351 if (ret < 0)
352 goto error;
353
354 pr_debug("Digest calc = [%*ph]\n", ctx->digest_len, digest);
355
356 /* Check that the PE file digest matches that in the MSCODE part of the
357 * PKCS#7 certificate.
358 */
359 if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
360 pr_debug("Digest mismatch\n");
361 ret = -EKEYREJECTED;
362 } else {
363 pr_debug("The digests match!\n");
364 }
365
366error:
367 kfree(desc);
368error_no_desc:
369 crypto_free_shash(tfm);
370 kleave(" = %d", ret);
371 return ret;
372}
373
374/**
375 * verify_pefile_signature - Verify the signature on a PE binary image
376 * @pebuf: Buffer containing the PE binary image
377 * @pelen: Length of the binary image
378 * @trust_keyring: Signing certificates to use as starting points
379 * @_trusted: Set to true if trustworth, false otherwise
380 *
381 * Validate that the certificate chain inside the PKCS#7 message inside the PE
382 * binary image intersects keys we already know and trust.
383 *
384 * Returns, in order of descending priority:
385 *
386 * (*) -ELIBBAD if the image cannot be parsed, or:
387 *
388 * (*) -EKEYREJECTED if a signature failed to match for which we have a valid
389 * key, or:
390 *
391 * (*) 0 if at least one signature chain intersects with the keys in the trust
392 * keyring, or:
393 *
394 * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
395 * chain.
396 *
397 * (*) -ENOKEY if we couldn't find a match for any of the signature chains in
398 * the message.
399 *
400 * May also return -ENOMEM.
401 */
402int verify_pefile_signature(const void *pebuf, unsigned pelen,
403 struct key *trusted_keyring, bool *_trusted)
404{
405 struct pkcs7_message *pkcs7;
406 struct pefile_context ctx;
407 const void *data;
408 size_t datalen;
409 int ret;
410
411 kenter("");
412
413 memset(&ctx, 0, sizeof(ctx));
414 ret = pefile_parse_binary(pebuf, pelen, &ctx);
415 if (ret < 0)
416 return ret;
417
418 ret = pefile_strip_sig_wrapper(pebuf, &ctx);
419 if (ret < 0)
420 return ret;
421
422 pkcs7 = pkcs7_parse_message(pebuf + ctx.sig_offset, ctx.sig_len);
423 if (IS_ERR(pkcs7))
424 return PTR_ERR(pkcs7);
425 ctx.pkcs7 = pkcs7;
426
427 ret = pkcs7_get_content_data(ctx.pkcs7, &data, &datalen, false);
428 if (ret < 0 || datalen == 0) {
429 pr_devel("PKCS#7 message does not contain data\n");
430 ret = -EBADMSG;
431 goto error;
432 }
433
434 ret = mscode_parse(&ctx);
435 if (ret < 0)
436 goto error;
437
438 pr_debug("Digest: %u [%*ph]\n",
439 ctx.digest_len, ctx.digest_len, ctx.digest);
440
441 /* Generate the digest and check against the PKCS7 certificate
442 * contents.
443 */
444 ret = pefile_digest_pe(pebuf, pelen, &ctx);
445 if (ret < 0)
446 goto error;
447
448 ret = pkcs7_verify(pkcs7);
449 if (ret < 0)
450 goto error;
451
452 ret = pkcs7_validate_trust(pkcs7, trusted_keyring, _trusted);
453
454error:
455 pkcs7_free_message(ctx.pkcs7);
456 return ret;
457}
diff --git a/crypto/asymmetric_keys/verify_pefile.h b/crypto/asymmetric_keys/verify_pefile.h
new file mode 100644
index 000000000000..55d5f7ebc45a
--- /dev/null
+++ b/crypto/asymmetric_keys/verify_pefile.h
@@ -0,0 +1,42 @@
1/* PE Binary parser bits
2 *
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#include <linux/verify_pefile.h>
13#include <crypto/pkcs7.h>
14#include <crypto/hash_info.h>
15
16struct pefile_context {
17 unsigned header_size;
18 unsigned image_checksum_offset;
19 unsigned cert_dirent_offset;
20 unsigned n_data_dirents;
21 unsigned n_sections;
22 unsigned certs_size;
23 unsigned sig_offset;
24 unsigned sig_len;
25 const struct section_header *secs;
26 struct pkcs7_message *pkcs7;
27
28 /* PKCS#7 MS Individual Code Signing content */
29 const void *digest; /* Digest */
30 unsigned digest_len; /* Digest length */
31 enum hash_algo digest_algo; /* Digest algorithm */
32};
33
34#define kenter(FMT, ...) \
35 pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
36#define kleave(FMT, ...) \
37 pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
38
39/*
40 * mscode_parser.c
41 */
42extern int mscode_parse(struct pefile_context *ctx);
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index edeff85cb1e8..c2bbf672b84e 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -52,8 +52,13 @@ enum OID {
52 OID_md4, /* 1.2.840.113549.2.4 */ 52 OID_md4, /* 1.2.840.113549.2.4 */
53 OID_md5, /* 1.2.840.113549.2.5 */ 53 OID_md5, /* 1.2.840.113549.2.5 */
54 54
55 OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */ 55 /* Microsoft Authenticode & Software Publishing */
56 OID_msIndirectData, /* 1.3.6.1.4.1.311.2.1.4 */
57 OID_msPeImageDataObjId, /* 1.3.6.1.4.1.311.2.1.15 */
58 OID_msIndividualSPKeyPurpose, /* 1.3.6.1.4.1.311.2.1.21 */
56 OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */ 59 OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */
60
61 OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
57 OID_sha1, /* 1.3.14.3.2.26 */ 62 OID_sha1, /* 1.3.14.3.2.26 */
58 OID_sha256, /* 2.16.840.1.101.3.4.2.1 */ 63 OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
59 64
diff --git a/include/linux/pe.h b/include/linux/pe.h
new file mode 100644
index 000000000000..e170b95e763b
--- /dev/null
+++ b/include/linux/pe.h
@@ -0,0 +1,448 @@
1/*
2 * Copyright 2011 Red Hat, Inc.
3 * All rights reserved.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; version 2 of the License.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>.
16 *
17 * Author(s): Peter Jones <pjones@redhat.com>
18 */
19#ifndef __LINUX_PE_H
20#define __LINUX_PE_H
21
22#include <linux/types.h>
23
24#define MZ_MAGIC 0x5a4d /* "MZ" */
25
26struct mz_hdr {
27 uint16_t magic; /* MZ_MAGIC */
28 uint16_t lbsize; /* size of last used block */
29 uint16_t blocks; /* pages in file, 0x3 */
30 uint16_t relocs; /* relocations */
31 uint16_t hdrsize; /* header size in "paragraphs" */
32 uint16_t min_extra_pps; /* .bss */
33 uint16_t max_extra_pps; /* runtime limit for the arena size */
34 uint16_t ss; /* relative stack segment */
35 uint16_t sp; /* initial %sp register */
36 uint16_t checksum; /* word checksum */
37 uint16_t ip; /* initial %ip register */
38 uint16_t cs; /* initial %cs relative to load segment */
39 uint16_t reloc_table_offset; /* offset of the first relocation */
40 uint16_t overlay_num; /* overlay number. set to 0. */
41 uint16_t reserved0[4]; /* reserved */
42 uint16_t oem_id; /* oem identifier */
43 uint16_t oem_info; /* oem specific */
44 uint16_t reserved1[10]; /* reserved */
45 uint32_t peaddr; /* address of pe header */
46 char message[64]; /* message to print */
47};
48
49struct mz_reloc {
50 uint16_t offset;
51 uint16_t segment;
52};
53
54#define PE_MAGIC 0x00004550 /* "PE\0\0" */
55#define PE_OPT_MAGIC_PE32 0x010b
56#define PE_OPT_MAGIC_PE32_ROM 0x0107
57#define PE_OPT_MAGIC_PE32PLUS 0x020b
58
59/* machine type */
60#define IMAGE_FILE_MACHINE_UNKNOWN 0x0000
61#define IMAGE_FILE_MACHINE_AM33 0x01d3
62#define IMAGE_FILE_MACHINE_AMD64 0x8664
63#define IMAGE_FILE_MACHINE_ARM 0x01c0
64#define IMAGE_FILE_MACHINE_ARMV7 0x01c4
65#define IMAGE_FILE_MACHINE_EBC 0x0ebc
66#define IMAGE_FILE_MACHINE_I386 0x014c
67#define IMAGE_FILE_MACHINE_IA64 0x0200
68#define IMAGE_FILE_MACHINE_M32R 0x9041
69#define IMAGE_FILE_MACHINE_MIPS16 0x0266
70#define IMAGE_FILE_MACHINE_MIPSFPU 0x0366
71#define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466
72#define IMAGE_FILE_MACHINE_POWERPC 0x01f0
73#define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
74#define IMAGE_FILE_MACHINE_R4000 0x0166
75#define IMAGE_FILE_MACHINE_SH3 0x01a2
76#define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
77#define IMAGE_FILE_MACHINE_SH3E 0x01a4
78#define IMAGE_FILE_MACHINE_SH4 0x01a6
79#define IMAGE_FILE_MACHINE_SH5 0x01a8
80#define IMAGE_FILE_MACHINE_THUMB 0x01c2
81#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
82
83/* flags */
84#define IMAGE_FILE_RELOCS_STRIPPED 0x0001
85#define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002
86#define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004
87#define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008
88#define IMAGE_FILE_AGGRESSIVE_WS_TRIM 0x0010
89#define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020
90#define IMAGE_FILE_16BIT_MACHINE 0x0040
91#define IMAGE_FILE_BYTES_REVERSED_LO 0x0080
92#define IMAGE_FILE_32BIT_MACHINE 0x0100
93#define IMAGE_FILE_DEBUG_STRIPPED 0x0200
94#define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400
95#define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800
96#define IMAGE_FILE_SYSTEM 0x1000
97#define IMAGE_FILE_DLL 0x2000
98#define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000
99#define IMAGE_FILE_BYTES_REVERSED_HI 0x8000
100
101struct pe_hdr {
102 uint32_t magic; /* PE magic */
103 uint16_t machine; /* machine type */
104 uint16_t sections; /* number of sections */
105 uint32_t timestamp; /* time_t */
106 uint32_t symbol_table; /* symbol table offset */
107 uint32_t symbols; /* number of symbols */
108 uint16_t opt_hdr_size; /* size of optional header */
109 uint16_t flags; /* flags */
110};
111
112#define IMAGE_FILE_OPT_ROM_MAGIC 0x107
113#define IMAGE_FILE_OPT_PE32_MAGIC 0x10b
114#define IMAGE_FILE_OPT_PE32_PLUS_MAGIC 0x20b
115
116#define IMAGE_SUBSYSTEM_UNKNOWN 0
117#define IMAGE_SUBSYSTEM_NATIVE 1
118#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
119#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3
120#define IMAGE_SUBSYSTEM_POSIX_CUI 7
121#define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9
122#define IMAGE_SUBSYSTEM_EFI_APPLICATION 10
123#define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11
124#define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12
125#define IMAGE_SUBSYSTEM_EFI_ROM_IMAGE 13
126#define IMAGE_SUBSYSTEM_XBOX 14
127
128#define IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE 0x0040
129#define IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY 0x0080
130#define IMAGE_DLL_CHARACTERISTICS_NX_COMPAT 0x0100
131#define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200
132#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400
133#define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800
134#define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000
135#define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
136
137/* the fact that pe32 isn't padded where pe32+ is 64-bit means union won't
138 * work right. vomit. */
139struct pe32_opt_hdr {
140 /* "standard" header */
141 uint16_t magic; /* file type */
142 uint8_t ld_major; /* linker major version */
143 uint8_t ld_minor; /* linker minor version */
144 uint32_t text_size; /* size of text section(s) */
145 uint32_t data_size; /* size of data section(s) */
146 uint32_t bss_size; /* size of bss section(s) */
147 uint32_t entry_point; /* file offset of entry point */
148 uint32_t code_base; /* relative code addr in ram */
149 uint32_t data_base; /* relative data addr in ram */
150 /* "windows" header */
151 uint32_t image_base; /* preferred load address */
152 uint32_t section_align; /* alignment in bytes */
153 uint32_t file_align; /* file alignment in bytes */
154 uint16_t os_major; /* major OS version */
155 uint16_t os_minor; /* minor OS version */
156 uint16_t image_major; /* major image version */
157 uint16_t image_minor; /* minor image version */
158 uint16_t subsys_major; /* major subsystem version */
159 uint16_t subsys_minor; /* minor subsystem version */
160 uint32_t win32_version; /* reserved, must be 0 */
161 uint32_t image_size; /* image size */
162 uint32_t header_size; /* header size rounded up to
163 file_align */
164 uint32_t csum; /* checksum */
165 uint16_t subsys; /* subsystem */
166 uint16_t dll_flags; /* more flags! */
167 uint32_t stack_size_req;/* amt of stack requested */
168 uint32_t stack_size; /* amt of stack required */
169 uint32_t heap_size_req; /* amt of heap requested */
170 uint32_t heap_size; /* amt of heap required */
171 uint32_t loader_flags; /* reserved, must be 0 */
172 uint32_t data_dirs; /* number of data dir entries */
173};
174
175struct pe32plus_opt_hdr {
176 uint16_t magic; /* file type */
177 uint8_t ld_major; /* linker major version */
178 uint8_t ld_minor; /* linker minor version */
179 uint32_t text_size; /* size of text section(s) */
180 uint32_t data_size; /* size of data section(s) */
181 uint32_t bss_size; /* size of bss section(s) */
182 uint32_t entry_point; /* file offset of entry point */
183 uint32_t code_base; /* relative code addr in ram */
184 /* "windows" header */
185 uint64_t image_base; /* preferred load address */
186 uint32_t section_align; /* alignment in bytes */
187 uint32_t file_align; /* file alignment in bytes */
188 uint16_t os_major; /* major OS version */
189 uint16_t os_minor; /* minor OS version */
190 uint16_t image_major; /* major image version */
191 uint16_t image_minor; /* minor image version */
192 uint16_t subsys_major; /* major subsystem version */
193 uint16_t subsys_minor; /* minor subsystem version */
194 uint32_t win32_version; /* reserved, must be 0 */
195 uint32_t image_size; /* image size */
196 uint32_t header_size; /* header size rounded up to
197 file_align */
198 uint32_t csum; /* checksum */
199 uint16_t subsys; /* subsystem */
200 uint16_t dll_flags; /* more flags! */
201 uint64_t stack_size_req;/* amt of stack requested */
202 uint64_t stack_size; /* amt of stack required */
203 uint64_t heap_size_req; /* amt of heap requested */
204 uint64_t heap_size; /* amt of heap required */
205 uint32_t loader_flags; /* reserved, must be 0 */
206 uint32_t data_dirs; /* number of data dir entries */
207};
208
209struct data_dirent {
210 uint32_t virtual_address; /* relative to load address */
211 uint32_t size;
212};
213
214struct data_directory {
215 struct data_dirent exports; /* .edata */
216 struct data_dirent imports; /* .idata */
217 struct data_dirent resources; /* .rsrc */
218 struct data_dirent exceptions; /* .pdata */
219 struct data_dirent certs; /* certs */
220 struct data_dirent base_relocations; /* .reloc */
221 struct data_dirent debug; /* .debug */
222 struct data_dirent arch; /* reservered */
223 struct data_dirent global_ptr; /* global pointer reg. Size=0 */
224 struct data_dirent tls; /* .tls */
225 struct data_dirent load_config; /* load configuration structure */
226 struct data_dirent bound_imports; /* no idea */
227 struct data_dirent import_addrs; /* import address table */
228 struct data_dirent delay_imports; /* delay-load import table */
229 struct data_dirent clr_runtime_hdr; /* .cor (object only) */
230 struct data_dirent reserved;
231};
232
233struct section_header {
234 char name[8]; /* name or "/12\0" string tbl offset */
235 uint32_t virtual_size; /* size of loaded section in ram */
236 uint32_t virtual_address; /* relative virtual address */
237 uint32_t raw_data_size; /* size of the section */
238 uint32_t data_addr; /* file pointer to first page of sec */
239 uint32_t relocs; /* file pointer to relocation entries */
240 uint32_t line_numbers; /* line numbers! */
241 uint16_t num_relocs; /* number of relocations */
242 uint16_t num_lin_numbers; /* srsly. */
243 uint32_t flags;
244};
245
246/* they actually defined 0x00000000 as well, but I think we'll skip that one. */
247#define IMAGE_SCN_RESERVED_0 0x00000001
248#define IMAGE_SCN_RESERVED_1 0x00000002
249#define IMAGE_SCN_RESERVED_2 0x00000004
250#define IMAGE_SCN_TYPE_NO_PAD 0x00000008 /* don't pad - obsolete */
251#define IMAGE_SCN_RESERVED_3 0x00000010
252#define IMAGE_SCN_CNT_CODE 0x00000020 /* .text */
253#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 /* .data */
254#define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 /* .bss */
255#define IMAGE_SCN_LNK_OTHER 0x00000100 /* reserved */
256#define IMAGE_SCN_LNK_INFO 0x00000200 /* .drectve comments */
257#define IMAGE_SCN_RESERVED_4 0x00000400
258#define IMAGE_SCN_LNK_REMOVE 0x00000800 /* .o only - scn to be rm'd*/
259#define IMAGE_SCN_LNK_COMDAT 0x00001000 /* .o only - COMDAT data */
260#define IMAGE_SCN_RESERVED_5 0x00002000 /* spec omits this */
261#define IMAGE_SCN_RESERVED_6 0x00004000 /* spec omits this */
262#define IMAGE_SCN_GPREL 0x00008000 /* global pointer referenced data */
263/* spec lists 0x20000 twice, I suspect they meant 0x10000 for one of them */
264#define IMAGE_SCN_MEM_PURGEABLE 0x00010000 /* reserved for "future" use */
265#define IMAGE_SCN_16BIT 0x00020000 /* reserved for "future" use */
266#define IMAGE_SCN_LOCKED 0x00040000 /* reserved for "future" use */
267#define IMAGE_SCN_PRELOAD 0x00080000 /* reserved for "future" use */
268/* and here they just stuck a 1-byte integer in the middle of a bitfield */
269#define IMAGE_SCN_ALIGN_1BYTES 0x00100000 /* it does what it says on the box */
270#define IMAGE_SCN_ALIGN_2BYTES 0x00200000
271#define IMAGE_SCN_ALIGN_4BYTES 0x00300000
272#define IMAGE_SCN_ALIGN_8BYTES 0x00400000
273#define IMAGE_SCN_ALIGN_16BYTES 0x00500000
274#define IMAGE_SCN_ALIGN_32BYTES 0x00600000
275#define IMAGE_SCN_ALIGN_64BYTES 0x00700000
276#define IMAGE_SCN_ALIGN_128BYTES 0x00800000
277#define IMAGE_SCN_ALIGN_256BYTES 0x00900000
278#define IMAGE_SCN_ALIGN_512BYTES 0x00a00000
279#define IMAGE_SCN_ALIGN_1024BYTES 0x00b00000
280#define IMAGE_SCN_ALIGN_2048BYTES 0x00c00000
281#define IMAGE_SCN_ALIGN_4096BYTES 0x00d00000
282#define IMAGE_SCN_ALIGN_8192BYTES 0x00e00000
283#define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 /* extended relocations */
284#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 /* scn can be discarded */
285#define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 /* cannot be cached */
286#define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 /* not pageable */
287#define IMAGE_SCN_MEM_SHARED 0x10000000 /* can be shared */
288#define IMAGE_SCN_MEM_EXECUTE 0x20000000 /* can be executed as code */
289#define IMAGE_SCN_MEM_READ 0x40000000 /* readable */
290#define IMAGE_SCN_MEM_WRITE 0x80000000 /* writeable */
291
292enum x64_coff_reloc_type {
293 IMAGE_REL_AMD64_ABSOLUTE = 0,
294 IMAGE_REL_AMD64_ADDR64,
295 IMAGE_REL_AMD64_ADDR32,
296 IMAGE_REL_AMD64_ADDR32N,
297 IMAGE_REL_AMD64_REL32,
298 IMAGE_REL_AMD64_REL32_1,
299 IMAGE_REL_AMD64_REL32_2,
300 IMAGE_REL_AMD64_REL32_3,
301 IMAGE_REL_AMD64_REL32_4,
302 IMAGE_REL_AMD64_REL32_5,
303 IMAGE_REL_AMD64_SECTION,
304 IMAGE_REL_AMD64_SECREL,
305 IMAGE_REL_AMD64_SECREL7,
306 IMAGE_REL_AMD64_TOKEN,
307 IMAGE_REL_AMD64_SREL32,
308 IMAGE_REL_AMD64_PAIR,
309 IMAGE_REL_AMD64_SSPAN32,
310};
311
312enum arm_coff_reloc_type {
313 IMAGE_REL_ARM_ABSOLUTE,
314 IMAGE_REL_ARM_ADDR32,
315 IMAGE_REL_ARM_ADDR32N,
316 IMAGE_REL_ARM_BRANCH2,
317 IMAGE_REL_ARM_BRANCH1,
318 IMAGE_REL_ARM_SECTION,
319 IMAGE_REL_ARM_SECREL,
320};
321
322enum sh_coff_reloc_type {
323 IMAGE_REL_SH3_ABSOLUTE,
324 IMAGE_REL_SH3_DIRECT16,
325 IMAGE_REL_SH3_DIRECT32,
326 IMAGE_REL_SH3_DIRECT8,
327 IMAGE_REL_SH3_DIRECT8_WORD,
328 IMAGE_REL_SH3_DIRECT8_LONG,
329 IMAGE_REL_SH3_DIRECT4,
330 IMAGE_REL_SH3_DIRECT4_WORD,
331 IMAGE_REL_SH3_DIRECT4_LONG,
332 IMAGE_REL_SH3_PCREL8_WORD,
333 IMAGE_REL_SH3_PCREL8_LONG,
334 IMAGE_REL_SH3_PCREL12_WORD,
335 IMAGE_REL_SH3_STARTOF_SECTION,
336 IMAGE_REL_SH3_SIZEOF_SECTION,
337 IMAGE_REL_SH3_SECTION,
338 IMAGE_REL_SH3_SECREL,
339 IMAGE_REL_SH3_DIRECT32_NB,
340 IMAGE_REL_SH3_GPREL4_LONG,
341 IMAGE_REL_SH3_TOKEN,
342 IMAGE_REL_SHM_PCRELPT,
343 IMAGE_REL_SHM_REFLO,
344 IMAGE_REL_SHM_REFHALF,
345 IMAGE_REL_SHM_RELLO,
346 IMAGE_REL_SHM_RELHALF,
347 IMAGE_REL_SHM_PAIR,
348 IMAGE_REL_SHM_NOMODE,
349};
350
351enum ppc_coff_reloc_type {
352 IMAGE_REL_PPC_ABSOLUTE,
353 IMAGE_REL_PPC_ADDR64,
354 IMAGE_REL_PPC_ADDR32,
355 IMAGE_REL_PPC_ADDR24,
356 IMAGE_REL_PPC_ADDR16,
357 IMAGE_REL_PPC_ADDR14,
358 IMAGE_REL_PPC_REL24,
359 IMAGE_REL_PPC_REL14,
360 IMAGE_REL_PPC_ADDR32N,
361 IMAGE_REL_PPC_SECREL,
362 IMAGE_REL_PPC_SECTION,
363 IMAGE_REL_PPC_SECREL16,
364 IMAGE_REL_PPC_REFHI,
365 IMAGE_REL_PPC_REFLO,
366 IMAGE_REL_PPC_PAIR,
367 IMAGE_REL_PPC_SECRELLO,
368 IMAGE_REL_PPC_GPREL,
369 IMAGE_REL_PPC_TOKEN,
370};
371
372enum x86_coff_reloc_type {
373 IMAGE_REL_I386_ABSOLUTE,
374 IMAGE_REL_I386_DIR16,
375 IMAGE_REL_I386_REL16,
376 IMAGE_REL_I386_DIR32,
377 IMAGE_REL_I386_DIR32NB,
378 IMAGE_REL_I386_SEG12,
379 IMAGE_REL_I386_SECTION,
380 IMAGE_REL_I386_SECREL,
381 IMAGE_REL_I386_TOKEN,
382 IMAGE_REL_I386_SECREL7,
383 IMAGE_REL_I386_REL32,
384};
385
386enum ia64_coff_reloc_type {
387 IMAGE_REL_IA64_ABSOLUTE,
388 IMAGE_REL_IA64_IMM14,
389 IMAGE_REL_IA64_IMM22,
390 IMAGE_REL_IA64_IMM64,
391 IMAGE_REL_IA64_DIR32,
392 IMAGE_REL_IA64_DIR64,
393 IMAGE_REL_IA64_PCREL21B,
394 IMAGE_REL_IA64_PCREL21M,
395 IMAGE_REL_IA64_PCREL21F,
396 IMAGE_REL_IA64_GPREL22,
397 IMAGE_REL_IA64_LTOFF22,
398 IMAGE_REL_IA64_SECTION,
399 IMAGE_REL_IA64_SECREL22,
400 IMAGE_REL_IA64_SECREL64I,
401 IMAGE_REL_IA64_SECREL32,
402 IMAGE_REL_IA64_DIR32NB,
403 IMAGE_REL_IA64_SREL14,
404 IMAGE_REL_IA64_SREL22,
405 IMAGE_REL_IA64_SREL32,
406 IMAGE_REL_IA64_UREL32,
407 IMAGE_REL_IA64_PCREL60X,
408 IMAGE_REL_IA64_PCREL60B,
409 IMAGE_REL_IA64_PCREL60F,
410 IMAGE_REL_IA64_PCREL60I,
411 IMAGE_REL_IA64_PCREL60M,
412 IMAGE_REL_IA64_IMMGPREL6,
413 IMAGE_REL_IA64_TOKEN,
414 IMAGE_REL_IA64_GPREL32,
415 IMAGE_REL_IA64_ADDEND,
416};
417
418struct coff_reloc {
419 uint32_t virtual_address;
420 uint32_t symbol_table_index;
421 union {
422 enum x64_coff_reloc_type x64_type;
423 enum arm_coff_reloc_type arm_type;
424 enum sh_coff_reloc_type sh_type;
425 enum ppc_coff_reloc_type ppc_type;
426 enum x86_coff_reloc_type x86_type;
427 enum ia64_coff_reloc_type ia64_type;
428 uint16_t data;
429 };
430};
431
432/*
433 * Definitions for the contents of the certs data block
434 */
435#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
436#define WIN_CERT_TYPE_EFI_OKCS115 0x0EF0
437#define WIN_CERT_TYPE_EFI_GUID 0x0EF1
438
439#define WIN_CERT_REVISION_1_0 0x0100
440#define WIN_CERT_REVISION_2_0 0x0200
441
442struct win_certificate {
443 uint32_t length;
444 uint16_t revision;
445 uint16_t cert_type;
446};
447
448#endif /* __LINUX_PE_H */
diff --git a/include/linux/verify_pefile.h b/include/linux/verify_pefile.h
new file mode 100644
index 000000000000..ac34819214f9
--- /dev/null
+++ b/include/linux/verify_pefile.h
@@ -0,0 +1,18 @@
1/* Signed PE file verification
2 *
3 * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#ifndef _LINUX_VERIFY_PEFILE_H
13#define _LINUX_VERIFY_PEFILE_H
14
15extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
16 struct key *trusted_keyring, bool *_trusted);
17
18#endif /* _LINUX_VERIFY_PEFILE_H */
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-02 22:42:38 -0500