3 files changed, 124 insertions, 2 deletions

diff --git a/kernel/Makefile b/kernel/Makefile
index 58c6f111267e..111a845460c9 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -55,7 +55,7 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o
 obj-$(CONFIG_PROVE_LOCKING) += spinlock.o
 obj-$(CONFIG_UID16) += uid16.o
 obj-$(CONFIG_MODULES) += module.o
-obj-$(CONFIG_MODULE_SIG) += module_signing.o
+obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o
 obj-$(CONFIG_KALLSYMS) += kallsyms.o
 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
 obj-$(CONFIG_KEXEC) += kexec.o
@@ -134,6 +134,13 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE
         $(call if_changed,timeconst)
 
 ifeq ($(CONFIG_MODULE_SIG),y)
+#
+# Pull the signing certificate and any extra certificates into the kernel
+#
+extra_certificates:
+        touch $@
+
+kernel/modsign_pubkey.o: signing_key.x509 extra_certificates
 
 ###############################################################################
 #
@@ -180,4 +187,4 @@ x509.genkey:
         @echo >>x509.genkey "subjectKeyIdentifier=hash"
         @echo >>x509.genkey "authorityKeyIdentifier=keyid"
 endif
-CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey
+CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey extra_certificates
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
new file mode 100644
index 000000000000..4646eb2c3820
--- /dev/null
+++ b/kernel/modsign_pubkey.c
@@ -0,0 +1,113 @@
+/* Public keys for module signature verification
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <keys/asymmetric-type.h>
+#include "module-internal.h"
+
+struct key *modsign_keyring;
+
+extern __initdata const u8 modsign_certificate_list[];
+extern __initdata const u8 modsign_certificate_list_end[];
+asm(".section .init.data,\"aw\"\n"
+    "modsign_certificate_list:\n"
+    ".incbin \"signing_key.x509\"\n"
+    ".incbin \"extra_certificates\"\n"
+    "modsign_certificate_list_end:"
+    );
+
+/*
+ * We need to make sure ccache doesn't cache the .o file as it doesn't notice
+ * if modsign.pub changes.
+ */
+static __initdata const char annoy_ccache[] = __TIME__ "foo";
+
+/*
+ * Load the compiled-in keys
+ */
+static __init int module_verify_init(void)
+{
+        pr_notice("Initialise module verification\n");
+
+        modsign_keyring = key_alloc(&key_type_keyring, ".module_sign",
+                                    KUIDT_INIT(0), KGIDT_INIT(0),
+                                    current_cred(),
+                                    (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                    KEY_USR_VIEW | KEY_USR_READ,
+                                    KEY_ALLOC_NOT_IN_QUOTA);
+        if (IS_ERR(modsign_keyring))
+                panic("Can't allocate module signing keyring\n");
+
+        if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0)
+                panic("Can't instantiate module signing keyring\n");
+
+        return 0;
+}
+
+/*
+ * Must be initialised before we try and load the keys into the keyring.
+ */
+device_initcall(module_verify_init);
+
+/*
+ * Load the compiled-in keys
+ */
+static __init int load_module_signing_keys(void)
+{
+        key_ref_t key;
+        const u8 *p, *end;
+        size_t plen;
+
+        pr_notice("Loading module verification certificates\n");
+
+        end = modsign_certificate_list_end;
+        p = modsign_certificate_list;
+        while (p < end) {
+                /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
+                 * than 256 bytes in size.
+                 */
+                if (end - p < 4)
+                        goto dodgy_cert;
+                if (p[0] != 0x30 &&
+                    p[1] != 0x82)
+                        goto dodgy_cert;
+                plen = (p[2] << 8) | p[3];
+                plen += 4;
+                if (plen > end - p)
+                        goto dodgy_cert;
+
+                key = key_create_or_update(make_key_ref(modsign_keyring, 1),
+                                           "asymmetric",
+                                           NULL,
+                                           p,
+                                           plen,
+                                           (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+                                           KEY_USR_VIEW,
+                                           KEY_ALLOC_NOT_IN_QUOTA);
+                if (IS_ERR(key))
+                        pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n",
+                               PTR_ERR(key));
+                else
+                        pr_notice("MODSIGN: Loaded cert '%s'\n",
+                                  key_ref_to_ptr(key)->description);
+                p += plen;
+        }
+
+        return 0;
+
+dodgy_cert:
+        pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n");
+        return 0;
+}
+late_initcall(load_module_signing_keys);
diff --git a/kernel/module-internal.h b/kernel/module-internal.h
index 033c17fd70ef..6114a13419bd 100644
--- a/kernel/module-internal.h
+++ b/kernel/module-internal.h
@@ -9,5 +9,7 @@
  * 2 of the Licence, or (at your option) any later version.
  */
 
+extern struct key *modsign_keyring;
+
 extern int mod_verify_sig(const void *mod, unsigned long modlen,
                           const void *sig, unsigned long siglen);