2019-05-21 01:08:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2012-09-26 17:09:40 +08:00
|
|
|
/* Module signature checker
|
|
|
|
*
|
|
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
2015-10-21 21:04:48 +08:00
|
|
|
#include <linux/errno.h>
|
2019-07-05 02:57:34 +08:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/module_signature.h>
|
2016-03-01 18:36:07 +08:00
|
|
|
#include <linux/string.h>
|
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to
__key_link() so that we use the contents of the keyring being linked in to
to determine whether the key being linked in is trusted or not.
What is 'trusted' then becomes a matter of what's in the keyring.
Currently, the test is done when the key is parsed, but given that at that
point we can only sensibly refer to the contents of the system trusted
keyring, we can only use that as the basis for working out the
trustworthiness of a new key.
With this change, a trusted keyring is a set of keys that once the
trusted-only flag is set cannot be added to except by verification through
one of the contained keys.
Further, adding a key into a trusted keyring, whilst it might grant
trustworthiness in the context of that keyring, does not automatically
grant trustworthiness in the context of a second keyring to which it could
be secondarily linked.
To accomplish this, the authentication data associated with the key source
must now be retained. For an X.509 cert, this means the contents of the
AuthorityKeyIdentifier and the signature data.
If system keyrings are disabled then restrict_link_by_builtin_trusted()
resolves to restrict_link_reject(). The integrity digital signature code
still works correctly with this as it was previously using
KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
is no system keyring against which trust can be determined.
Signed-off-by: David Howells <dhowells@redhat.com>
2016-04-06 23:14:26 +08:00
|
|
|
#include <linux/verification.h>
|
2015-07-21 04:16:27 +08:00
|
|
|
#include <crypto/public_key.h>
|
2012-09-26 17:09:40 +08:00
|
|
|
#include "module-internal.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Verify the signature on a module.
|
|
|
|
*/
|
2018-06-29 22:37:08 +08:00
|
|
|
int mod_verify_sig(const void *mod, struct load_info *info)
|
2012-09-26 17:09:40 +08:00
|
|
|
{
|
2012-09-26 17:11:03 +08:00
|
|
|
struct module_signature ms;
|
2018-06-29 22:37:08 +08:00
|
|
|
size_t sig_len, modlen = info->len;
|
2019-07-05 02:57:34 +08:00
|
|
|
int ret;
|
2012-09-26 17:11:03 +08:00
|
|
|
|
2012-10-21 09:59:31 +08:00
|
|
|
pr_devel("==>%s(,%zu)\n", __func__, modlen);
|
2012-09-26 17:11:03 +08:00
|
|
|
|
2012-10-20 08:19:29 +08:00
|
|
|
if (modlen <= sizeof(ms))
|
2012-09-26 17:11:03 +08:00
|
|
|
return -EBADMSG;
|
|
|
|
|
2012-10-20 08:19:29 +08:00
|
|
|
memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
|
2019-07-05 02:57:34 +08:00
|
|
|
|
module: harden ELF info handling
5fdc7db644 ("module: setup load info before module_sig_check()")
moved the ELF setup, so that it was done before the signature
check. This made the module name available to signature error
messages.
However, the checks for ELF correctness in setup_load_info
are not sufficient to prevent bad memory references due to
corrupted offset fields, indices, etc.
So, there's a regression in behavior here: a corrupt and unsigned
(or badly signed) module, which might previously have been rejected
immediately, can now cause an oops/crash.
Harden ELF handling for module loading by doing the following:
- Move the signature check back up so that it comes before ELF
initialization. It's best to do the signature check to see
if we can trust the module, before using the ELF structures
inside it. This also makes checks against info->len
more accurate again, as this field will be reduced by the
length of the signature in mod_check_sig().
The module name is now once again not available for error
messages during the signature check, but that seems like
a fair tradeoff.
- Check if sections have offset / size fields that at least don't
exceed the length of the module.
- Check if sections have section name offsets that don't fall
outside the section name table.
- Add a few other sanity checks against invalid section indices,
etc.
This is not an exhaustive consistency check, but the idea is to
at least get through the signature and blacklist checks without
crashing because of corrupted ELF info, and to error out gracefully
for most issues that would have caused problems later on.
Fixes: 5fdc7db6448a ("module: setup load info before module_sig_check()")
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
2021-01-15 06:21:46 +08:00
|
|
|
ret = mod_check_sig(&ms, modlen, "module");
|
2019-07-05 02:57:34 +08:00
|
|
|
if (ret)
|
|
|
|
return ret;
|
2012-09-26 17:11:03 +08:00
|
|
|
|
|
|
|
sig_len = be32_to_cpu(ms.sig_len);
|
2019-07-05 02:57:34 +08:00
|
|
|
modlen -= sig_len + sizeof(ms);
|
2018-06-29 22:37:08 +08:00
|
|
|
info->len = modlen;
|
2012-09-26 17:11:03 +08:00
|
|
|
|
2016-04-06 23:14:24 +08:00
|
|
|
return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
|
2018-11-07 07:21:30 +08:00
|
|
|
VERIFY_USE_SECONDARY_KEYRING,
|
|
|
|
VERIFYING_MODULE_SIGNATURE,
|
2016-04-06 23:14:24 +08:00
|
|
|
NULL, NULL);
|
2012-09-26 17:09:40 +08:00
|
|
|
}
|