Commit 73cdd290 authored by David Howells's avatar David Howells

Merge branch 'keys-blacklist' into keys-next

parents ddb99e11 03bb7931
...@@ -64,4 +64,22 @@ config SECONDARY_TRUSTED_KEYRING ...@@ -64,4 +64,22 @@ config SECONDARY_TRUSTED_KEYRING
those keys are not blacklisted and are vouched for by a key built those keys are not blacklisted and are vouched for by a key built
into the kernel or already in the secondary trusted keyring. into the kernel or already in the secondary trusted keyring.
config SYSTEM_BLACKLIST_KEYRING
bool "Provide system-wide ring of blacklisted keys"
depends on KEYS
help
Provide a system keyring to which blacklisted keys can be added.
Keys in the keyring are considered entirely untrusted. Keys in this
keyring are used by the module signature checking to reject loading
of modules signed with a blacklisted key.
config SYSTEM_BLACKLIST_HASH_LIST
string "Hashes to be preloaded into the system blacklist keyring"
depends on SYSTEM_BLACKLIST_KEYRING
help
If set, this option should be the filename of a list of hashes in the
form "<hash>", "<hash>", ... . This will be included into a C
wrapper to incorporate the list into the kernel. Each <hash> should
be a string of hex digits.
endmenu endmenu
...@@ -3,6 +3,12 @@ ...@@ -3,6 +3,12 @@
# #
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
else
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
endif
ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
......
/* System hash blacklist.
*
* Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public Licence
* as published by the Free Software Foundation; either version
* 2 of the Licence, or (at your option) any later version.
*/
#define pr_fmt(fmt) "blacklist: "fmt
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/key.h>
#include <linux/key-type.h>
#include <linux/sched.h>
#include <linux/ctype.h>
#include <linux/err.h>
#include <linux/seq_file.h>
#include <keys/system_keyring.h>
#include "blacklist.h"
static struct key *blacklist_keyring;
/*
* The description must be a type prefix, a colon and then an even number of
* hex digits. The hash is kept in the description.
*/
static int blacklist_vet_description(const char *desc)
{
int n = 0;
if (*desc == ':')
return -EINVAL;
for (; *desc; desc++)
if (*desc == ':')
goto found_colon;
return -EINVAL;
found_colon:
desc++;
for (; *desc; desc++) {
if (!isxdigit(*desc))
return -EINVAL;
n++;
}
if (n == 0 || n & 1)
return -EINVAL;
return 0;
}
/*
* The hash to be blacklisted is expected to be in the description. There will
* be no payload.
*/
static int blacklist_preparse(struct key_preparsed_payload *prep)
{
if (prep->datalen > 0)
return -EINVAL;
return 0;
}
static void blacklist_free_preparse(struct key_preparsed_payload *prep)
{
}
static void blacklist_describe(const struct key *key, struct seq_file *m)
{
seq_puts(m, key->description);
}
static struct key_type key_type_blacklist = {
.name = "blacklist",
.vet_description = blacklist_vet_description,
.preparse = blacklist_preparse,
.free_preparse = blacklist_free_preparse,
.instantiate = generic_key_instantiate,
.describe = blacklist_describe,
};
/**
* mark_hash_blacklisted - Add a hash to the system blacklist
* @hash - The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
*/
int mark_hash_blacklisted(const char *hash)
{
key_ref_t key;
key = key_create_or_update(make_key_ref(blacklist_keyring, true),
"blacklist",
hash,
NULL,
0,
((KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW),
KEY_ALLOC_NOT_IN_QUOTA |
KEY_ALLOC_BUILT_IN);
if (IS_ERR(key)) {
pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
return PTR_ERR(key);
}
return 0;
}
/**
* is_hash_blacklisted - Determine if a hash is blacklisted
* @hash: The hash to be checked as a binary blob
* @hash_len: The length of the binary hash
* @type: Type of hash
*/
int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
{
key_ref_t kref;
size_t type_len = strlen(type);
char *buffer, *p;
int ret = 0;
buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
if (!buffer)
return -ENOMEM;
p = memcpy(buffer, type, type_len);
p += type_len;
*p++ = ':';
bin2hex(p, hash, hash_len);
p += hash_len * 2;
*p = 0;
kref = keyring_search(make_key_ref(blacklist_keyring, true),
&key_type_blacklist, buffer);
if (!IS_ERR(kref)) {
key_ref_put(kref);
ret = -EKEYREJECTED;
}
kfree(buffer);
return ret;
}
EXPORT_SYMBOL_GPL(is_hash_blacklisted);
/*
* Intialise the blacklist
*/
static int __init blacklist_init(void)
{
const char *const *bl;
if (register_key_type(&key_type_blacklist) < 0)
panic("Can't allocate system blacklist key type\n");
blacklist_keyring =
keyring_alloc(".blacklist",
KUIDT_INIT(0), KGIDT_INIT(0),
current_cred(),
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_SEARCH,
KEY_ALLOC_NOT_IN_QUOTA |
KEY_FLAG_KEEP,
NULL, NULL);
if (IS_ERR(blacklist_keyring))
panic("Can't allocate system blacklist keyring\n");
for (bl = blacklist_hashes; *bl; bl++)
if (mark_hash_blacklisted(*bl) < 0)
pr_err("- blacklisting failed\n");
return 0;
}
/*
* Must be initialised before we try and load the keys into the keyring.
*/
device_initcall(blacklist_init);
#include <linux/kernel.h>
extern const char __initdata *const blacklist_hashes[];
#include "blacklist.h"
const char __initdata *const blacklist_hashes[] = {
#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST
, NULL
};
#include "blacklist.h"
const char __initdata *const blacklist_hashes[] = {
NULL
};
...@@ -23,6 +23,7 @@ struct pkcs7_signed_info { ...@@ -23,6 +23,7 @@ struct pkcs7_signed_info {
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
unsigned index; unsigned index;
bool unsupported_crypto; /* T if not usable due to missing crypto */ bool unsupported_crypto; /* T if not usable due to missing crypto */
bool blacklisted;
/* Message digest - the digest of the Content Data (or NULL) */ /* Message digest - the digest of the Content Data (or NULL) */
const void *msgdigest; const void *msgdigest;
......
...@@ -190,6 +190,18 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, ...@@ -190,6 +190,18 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
x509->subject, x509->subject,
x509->raw_serial_size, x509->raw_serial); x509->raw_serial_size, x509->raw_serial);
x509->seen = true; x509->seen = true;
if (x509->blacklisted) {
/* If this cert is blacklisted, then mark everything
* that depends on this as blacklisted too.
*/
sinfo->blacklisted = true;
for (p = sinfo->signer; p != x509; p = p->signer)
p->blacklisted = true;
pr_debug("- blacklisted\n");
return 0;
}
if (x509->unsupported_key) if (x509->unsupported_key)
goto unsupported_crypto_in_x509; goto unsupported_crypto_in_x509;
...@@ -357,17 +369,19 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7, ...@@ -357,17 +369,19 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
* *
* (*) -EBADMSG if some part of the message was invalid, or: * (*) -EBADMSG if some part of the message was invalid, or:
* *
* (*) -ENOPKG if none of the signature chains are verifiable because suitable * (*) 0 if no signature chains were found to be blacklisted or to contain
* crypto modules couldn't be found, or: * unsupported crypto, or:
* *
* (*) 0 if all the signature chains that don't incur -ENOPKG can be verified * (*) -EKEYREJECTED if a blacklisted key was encountered, or:
* (note that a signature chain may be of zero length), or: *
* (*) -ENOPKG if none of the signature chains are verifiable because suitable
* crypto modules couldn't be found.
*/ */
int pkcs7_verify(struct pkcs7_message *pkcs7, int pkcs7_verify(struct pkcs7_message *pkcs7,
enum key_being_used_for usage) enum key_being_used_for usage)
{ {
struct pkcs7_signed_info *sinfo; struct pkcs7_signed_info *sinfo;
int enopkg = -ENOPKG; int actual_ret = -ENOPKG;
int ret; int ret;
kenter(""); kenter("");
...@@ -412,6 +426,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, ...@@ -412,6 +426,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
ret = pkcs7_verify_one(pkcs7, sinfo); ret = pkcs7_verify_one(pkcs7, sinfo);
if (sinfo->blacklisted && actual_ret == -ENOPKG)
actual_ret = -EKEYREJECTED;
if (ret < 0) { if (ret < 0) {
if (ret == -ENOPKG) { if (ret == -ENOPKG) {
sinfo->unsupported_crypto = true; sinfo->unsupported_crypto = true;
...@@ -420,11 +436,11 @@ int pkcs7_verify(struct pkcs7_message *pkcs7, ...@@ -420,11 +436,11 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
kleave(" = %d", ret); kleave(" = %d", ret);
return ret; return ret;
} }
enopkg = 0; actual_ret = 0;
} }
kleave(" = %d", enopkg); kleave(" = %d", actual_ret);
return enopkg; return actual_ret;
} }
EXPORT_SYMBOL_GPL(pkcs7_verify); EXPORT_SYMBOL_GPL(pkcs7_verify);
......
...@@ -42,6 +42,7 @@ struct x509_certificate { ...@@ -42,6 +42,7 @@ struct x509_certificate {
bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool self_signed; /* T if self-signed (check unsupported_sig too) */
bool unsupported_key; /* T if key uses unsupported crypto */ bool unsupported_key; /* T if key uses unsupported crypto */
bool unsupported_sig; /* T if signature uses unsupported crypto */ bool unsupported_sig; /* T if signature uses unsupported crypto */
bool blacklisted;
}; };
/* /*
......
...@@ -84,6 +84,16 @@ int x509_get_sig_params(struct x509_certificate *cert) ...@@ -84,6 +84,16 @@ int x509_get_sig_params(struct x509_certificate *cert)
goto error_2; goto error_2;
might_sleep(); might_sleep();
ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest); ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest);
if (ret < 0)
goto error_2;
ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs");
if (ret == -EKEYREJECTED) {
pr_err("Cert %*phN is blacklisted\n",
sig->digest_size, sig->digest);
cert->blacklisted = true;
ret = 0;
}
error_2: error_2:
kfree(desc); kfree(desc);
...@@ -186,6 +196,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) ...@@ -186,6 +196,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
cert->sig->pkey_algo, cert->sig->hash_algo); cert->sig->pkey_algo, cert->sig->hash_algo);
} }
/* Don't permit addition of blacklisted keys */
ret = -EKEYREJECTED;
if (cert->blacklisted)
goto error_free_cert;
/* Propose a description */ /* Propose a description */
sulen = strlen(cert->subject); sulen = strlen(cert->subject);
if (cert->raw_skid) { if (cert->raw_skid) {
......
...@@ -33,6 +33,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted( ...@@ -33,6 +33,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
#endif #endif
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
extern int mark_hash_blacklisted(const char *hash);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
const char *type);
#else
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
const char *type)
{
return 0;
}
#endif
#ifdef CONFIG_IMA_BLACKLIST_KEYRING #ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring; extern struct key *ima_blacklist_keyring;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment