1 files changed, 113 insertions, 0 deletions
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
new file mode 100644
index 000000000000..4646eb2c3820
--- /dev/null
+++ b/kernel/modsign_pubkey.c
@@ -0,0 +1,113 @@
+/* Public keys for module signature verification
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <keys/asymmetric-type.h>
+#include "module-internal.h"
+struct key *modsign_keyring;
+extern __initdata const u8 modsign_certificate_list[];
+extern __initdata const u8 modsign_certificate_list_end[];
+asm(".section .init.data,\"aw\"\n"
+    "modsign_certificate_list:\n"
+    ".incbin \"signing_key.x509\"\n"
+    ".incbin \"extra_certificates\"\n"
+    "modsign_certificate_list_end:"
+    );
+/*
+ * We need to make sure ccache doesn't cache the .o file as it doesn't notice
+ * if modsign.pub changes.
+ */
+static __initdata const char annoy_ccache[] = __TIME__ "foo";
+/*
+ * Load the compiled-in keys
+ */
+static __init int module_verify_init(void)
+{
+        pr_notice("Initialise module verification\n");
+        modsign_keyring = key_alloc(&key_type_keyring, ".module_sign",
+                                    KUIDT_INIT(0), KGIDT_INIT(0),
+                                    current_cred(),
+                                    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                    KEY_USR_VIEW | KEY_USR_READ,
+                                    KEY_ALLOC_NOT_IN_QUOTA);
+        if (IS_ERR(modsign_keyring))
+                panic("Can't allocate module signing keyring\n");
+        if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0)
+                panic("Can't instantiate module signing keyring\n");
+        return 0;
+}
+/*
+ * Must be initialised before we try and load the keys into the keyring.
+ */
+device_initcall(module_verify_init);
+/*
+ * Load the compiled-in keys
+ */
+static __init int load_module_signing_keys(void)
+{
+        key_ref_t key;
+        const u8 *p, *end;
+        size_t plen;
+        pr_notice("Loading module verification certificates\n");
+        end = modsign_certificate_list_end;
+        p = modsign_certificate_list;
+        while (p < end) {
+                /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
+                 * than 256 bytes in size.
+                 */
+                if (end - p < 4)
+                        goto dodgy_cert;
+                if (p[0] != 0x30 &&
+                    p[1] != 0x82)
+                        goto dodgy_cert;
+                plen = (p[2] << 8) | p[3];
+                plen += 4;
+                if (plen > end - p)
+                        goto dodgy_cert;
+                key = key_create_or_update(make_key_ref(modsign_keyring, 1),
+                                           "asymmetric",
+                                           NULL,
+                                           p,
+                                           plen,
+                                           (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                           KEY_USR_VIEW,
+                                           KEY_ALLOC_NOT_IN_QUOTA);
+                if (IS_ERR(key))
+                        pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
+                               PTR_ERR(key));
+                else
+                        pr_notice("MODSIGN: Loaded cert '%s'\n",
+                                  key_ref_to_ptr(key)->description);
+                p += plen;
+        }
+        return 0;
+dodgy_cert:
+        pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n");
+        return 0;
+}
+late_initcall(load_module_signing_keys);

diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c new file mode 100644 index 000000000000..4646eb2c3820 --- /dev/null +++ b/kernel/modsign_pubkey.c
@@ -0,0 +1,113 @@
	1	/* Public keys for module signature verification
	2	*
	3	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
	4	* Written by David Howells (dhowells@redhat.com)
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public Licence
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the Licence, or (at your option) any later version.
	10	*/
	11
	12	#include <linux/kernel.h>
	13	#include <linux/sched.h>
	14	#include <linux/cred.h>
	15	#include <linux/err.h>
	16	#include <keys/asymmetric-type.h>
	17	#include "module-internal.h"
	18
	19	struct key *modsign_keyring;
	20
	21	extern __initdata const u8 modsign_certificate_list[];
	22	extern __initdata const u8 modsign_certificate_list_end[];
	23	asm(".section .init.data,\"aw\"\n"
	24	"modsign_certificate_list:\n"
	25	".incbin \"signing_key.x509\"\n"
	26	".incbin \"extra_certificates\"\n"
	27	"modsign_certificate_list_end:"
	28	);
	29
	30	/*
	31	* We need to make sure ccache doesn't cache the .o file as it doesn't notice
	32	* if modsign.pub changes.
	33	*/
	34	static __initdata const char annoy_ccache[] = __TIME__ "foo";
	35
	36	/*
	37	* Load the compiled-in keys
	38	*/
	39	static __init int module_verify_init(void)
	40	{
	41	pr_notice("Initialise module verification\n");
	42
	43	modsign_keyring = key_alloc(&key_type_keyring, ".module_sign",
	44	KUIDT_INIT(0), KGIDT_INIT(0),
	45	current_cred(),
	46	(KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	47	KEY_USR_VIEW \| KEY_USR_READ,
	48	KEY_ALLOC_NOT_IN_QUOTA);
	49	if (IS_ERR(modsign_keyring))
	50	panic("Can't allocate module signing keyring\n");
	51
	52	if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0)
	53	panic("Can't instantiate module signing keyring\n");
	54
	55	return 0;
	56	}
	57
	58	/*
	59	* Must be initialised before we try and load the keys into the keyring.
	60	*/
	61	device_initcall(module_verify_init);
	62
	63	/*
	64	* Load the compiled-in keys
	65	*/
	66	static __init int load_module_signing_keys(void)
	67	{
	68	key_ref_t key;
	69	const u8 p, end;
	70	size_t plen;
	71
	72	pr_notice("Loading module verification certificates\n");
	73
	74	end = modsign_certificate_list_end;
	75	p = modsign_certificate_list;
	76	while (p < end) {
	77	/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
	78	* than 256 bytes in size.
	79	*/
	80	if (end - p < 4)
	81	goto dodgy_cert;
	82	if (p[0] != 0x30 &&
	83	p[1] != 0x82)
	84	goto dodgy_cert;
	85	plen = (p[2] << 8) \| p[3];
	86	plen += 4;
	87	if (plen > end - p)
	88	goto dodgy_cert;
	89
	90	key = key_create_or_update(make_key_ref(modsign_keyring, 1),
	91	"asymmetric",
	92	NULL,
	93	p,
	94	plen,
	95	(KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	96	KEY_USR_VIEW,
	97	KEY_ALLOC_NOT_IN_QUOTA);
	98	if (IS_ERR(key))
	99	pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
	100	PTR_ERR(key));
	101	else
	102	pr_notice("MODSIGN: Loaded cert '%s'\n",
	103	key_ref_to_ptr(key)->description);
	104	p += plen;
	105	}
	106
	107	return 0;
	108
	109	dodgy_cert:
	110	pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n");
	111	return 0;
	112	}
	113	late_initcall(load_module_signing_keys);