MODSIGN: Export module signature definitions

IMA will use the module_signature format for append signatures, so export
the relevant definitions and factor out the code which verifies that the
appended signature trailer is valid.

Also, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it
and be able to use mod_check_sig() without having to depend on either
CONFIG_MODULE_SIG or CONFIG_MODULES.

s390 duplicated the definition of struct module_signature so now they can
use the new <linux/module_signature.h> header instead.

Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Acked-by: Jessica Yu <jeyu@kernel.org>
Reviewed-by: Philipp Rudo <prudo@linux.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Thiago Jung Bauermann 2019-07-04 15:57:34 -03:00 committed by Mimi Zohar
parent b36f281f4a
commit c8424e776b
10 changed files with 108 additions and 77 deletions

View File

@ -538,7 +538,7 @@ config ARCH_HAS_KEXEC_PURGATORY
config KEXEC_VERIFY_SIG config KEXEC_VERIFY_SIG
bool "Verify kernel signature during kexec_file_load() syscall" bool "Verify kernel signature during kexec_file_load() syscall"
depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION depends on KEXEC_FILE && MODULE_SIG_FORMAT
help help
This option makes kernel signature verification mandatory for This option makes kernel signature verification mandatory for
the kexec_file_load() syscall. the kexec_file_load() syscall.

View File

@ -10,7 +10,7 @@
#include <linux/elf.h> #include <linux/elf.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/kexec.h> #include <linux/kexec.h>
#include <linux/module.h> #include <linux/module_signature.h>
#include <linux/verification.h> #include <linux/verification.h>
#include <asm/boot_data.h> #include <asm/boot_data.h>
#include <asm/ipl.h> #include <asm/ipl.h>
@ -23,28 +23,6 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
}; };
#ifdef CONFIG_KEXEC_VERIFY_SIG #ifdef CONFIG_KEXEC_VERIFY_SIG
/*
* Module signature information block.
*
* The constituents of the signature section are, in order:
*
* - Signer's name
* - Key identifier
* - Signature data
* - Information block
*/
struct module_signature {
u8 algo; /* Public-key crypto algorithm [0] */
u8 hash; /* Digest algorithm [0] */
u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
u8 signer_len; /* Length of signer's name [0] */
u8 key_id_len; /* Length of key identifier [0] */
u8 __pad[3];
__be32 sig_len; /* Length of signature data */
};
#define PKEY_ID_PKCS7 2
int s390_verify_sig(const char *kernel, unsigned long kernel_len) int s390_verify_sig(const char *kernel, unsigned long kernel_len)
{ {
const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;

View File

@ -26,9 +26,6 @@
#include <linux/percpu.h> #include <linux/percpu.h>
#include <asm/module.h> #include <asm/module.h>
/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
/* Not Yet Implemented */ /* Not Yet Implemented */
#define MODULE_SUPPORTED_DEVICE(name) #define MODULE_SUPPORTED_DEVICE(name)

View File

@ -0,0 +1,44 @@
/* SPDX-License-Identifier: GPL-2.0+ */
/*
* Module signature handling.
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#ifndef _LINUX_MODULE_SIGNATURE_H
#define _LINUX_MODULE_SIGNATURE_H
/* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
#define MODULE_SIG_STRING "~Module signature appended~\n"
enum pkey_id_type {
PKEY_ID_PGP, /* OpenPGP generated key ID */
PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
};
/*
* Module signature information block.
*
* The constituents of the signature section are, in order:
*
* - Signer's name
* - Key identifier
* - Signature data
* - Information block
*/
struct module_signature {
u8 algo; /* Public-key crypto algorithm [0] */
u8 hash; /* Digest algorithm [0] */
u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
u8 signer_len; /* Length of signer's name [0] */
u8 key_id_len; /* Length of key identifier [0] */
u8 __pad[3];
__be32 sig_len; /* Length of signature data */
};
int mod_check_sig(const struct module_signature *ms, size_t file_len,
const char *name);
#endif /* _LINUX_MODULE_SIGNATURE_H */

View File

@ -1930,6 +1930,10 @@ config BASE_SMALL
default 0 if BASE_FULL default 0 if BASE_FULL
default 1 if !BASE_FULL default 1 if !BASE_FULL
config MODULE_SIG_FORMAT
def_bool n
select SYSTEM_DATA_VERIFICATION
menuconfig MODULES menuconfig MODULES
bool "Enable loadable module support" bool "Enable loadable module support"
option modules option modules
@ -2007,7 +2011,7 @@ config MODULE_SRCVERSION_ALL
config MODULE_SIG config MODULE_SIG
bool "Module signature verification" bool "Module signature verification"
depends on MODULES depends on MODULES
select SYSTEM_DATA_VERIFICATION select MODULE_SIG_FORMAT
help help
Check modules for valid signatures upon load: the signature Check modules for valid signatures upon load: the signature
is simply appended to the module. For more information see is simply appended to the module. For more information see

View File

@ -58,6 +58,7 @@ endif
obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o obj-$(CONFIG_MODULE_SIG) += module_signing.o
obj-$(CONFIG_MODULE_SIG_FORMAT) += module_signature.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
obj-$(CONFIG_CRASH_CORE) += crash_core.o obj-$(CONFIG_CRASH_CORE) += crash_core.o

View File

@ -7,6 +7,7 @@
#include <linux/export.h> #include <linux/export.h>
#include <linux/extable.h> #include <linux/extable.h>
#include <linux/moduleloader.h> #include <linux/moduleloader.h>
#include <linux/module_signature.h>
#include <linux/trace_events.h> #include <linux/trace_events.h>
#include <linux/init.h> #include <linux/init.h>
#include <linux/kallsyms.h> #include <linux/kallsyms.h>

46
kernel/module_signature.c Normal file
View File

@ -0,0 +1,46 @@
// SPDX-License-Identifier: GPL-2.0+
/*
* Module signature checker
*
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#include <linux/errno.h>
#include <linux/printk.h>
#include <linux/module_signature.h>
#include <asm/byteorder.h>
/**
* mod_check_sig - check that the given signature is sane
*
* @ms: Signature to check.
* @file_len: Size of the file to which @ms is appended.
* @name: What is being checked. Used for error messages.
*/
int mod_check_sig(const struct module_signature *ms, size_t file_len,
const char *name)
{
if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
return -EBADMSG;
if (ms->id_type != PKEY_ID_PKCS7) {
pr_err("%s: Module is not signed with expected PKCS#7 message\n",
name);
return -ENOPKG;
}
if (ms->algo != 0 ||
ms->hash != 0 ||
ms->signer_len != 0 ||
ms->key_id_len != 0 ||
ms->__pad[0] != 0 ||
ms->__pad[1] != 0 ||
ms->__pad[2] != 0) {
pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n",
name);
return -EBADMSG;
}
return 0;
}

View File

@ -7,37 +7,13 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/module.h>
#include <linux/module_signature.h>
#include <linux/string.h> #include <linux/string.h>
#include <linux/verification.h> #include <linux/verification.h>
#include <crypto/public_key.h> #include <crypto/public_key.h>
#include "module-internal.h" #include "module-internal.h"
enum pkey_id_type {
PKEY_ID_PGP, /* OpenPGP generated key ID */
PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
};
/*
* Module signature information block.
*
* The constituents of the signature section are, in order:
*
* - Signer's name
* - Key identifier
* - Signature data
* - Information block
*/
struct module_signature {
u8 algo; /* Public-key crypto algorithm [0] */
u8 hash; /* Digest algorithm [0] */
u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */
u8 signer_len; /* Length of signer's name [0] */
u8 key_id_len; /* Length of key identifier [0] */
u8 __pad[3];
__be32 sig_len; /* Length of signature data */
};
/* /*
* Verify the signature on a module. * Verify the signature on a module.
*/ */
@ -45,6 +21,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
{ {
struct module_signature ms; struct module_signature ms;
size_t sig_len, modlen = info->len; size_t sig_len, modlen = info->len;
int ret;
pr_devel("==>%s(,%zu)\n", __func__, modlen); pr_devel("==>%s(,%zu)\n", __func__, modlen);
@ -52,32 +29,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
return -EBADMSG; return -EBADMSG;
memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
modlen -= sizeof(ms);
ret = mod_check_sig(&ms, modlen, info->name);
if (ret)
return ret;
sig_len = be32_to_cpu(ms.sig_len); sig_len = be32_to_cpu(ms.sig_len);
if (sig_len >= modlen) modlen -= sig_len + sizeof(ms);
return -EBADMSG;
modlen -= sig_len;
info->len = modlen; info->len = modlen;
if (ms.id_type != PKEY_ID_PKCS7) {
pr_err("%s: Module is not signed with expected PKCS#7 message\n",
info->name);
return -ENOPKG;
}
if (ms.algo != 0 ||
ms.hash != 0 ||
ms.signer_len != 0 ||
ms.key_id_len != 0 ||
ms.__pad[0] != 0 ||
ms.__pad[1] != 0 ||
ms.__pad[2] != 0) {
pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n",
info->name);
return -EBADMSG;
}
return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
VERIFY_USE_SECONDARY_KEYRING, VERIFY_USE_SECONDARY_KEYRING,
VERIFYING_MODULE_SIGNATURE, VERIFYING_MODULE_SIGNATURE,

View File

@ -17,7 +17,7 @@ hostprogs-$(CONFIG_VT) += conmakehash
hostprogs-$(BUILD_C_RECORDMCOUNT) += recordmcount hostprogs-$(BUILD_C_RECORDMCOUNT) += recordmcount
hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable hostprogs-$(CONFIG_BUILDTIME_EXTABLE_SORT) += sortextable
hostprogs-$(CONFIG_ASN1) += asn1_compiler hostprogs-$(CONFIG_ASN1) += asn1_compiler
hostprogs-$(CONFIG_MODULE_SIG) += sign-file hostprogs-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert