2023-01-25 20:00:44 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2019-07-18 00:46:15 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2019 Microsoft Corporation.
|
|
|
|
*
|
|
|
|
* Author: Jaskaran Singh Khurana <jaskarankhurana@linux.microsoft.com>
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
#include <linux/device-mapper.h>
|
|
|
|
#include <linux/verification.h>
|
|
|
|
#include <keys/user-type.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include "dm-verity.h"
|
|
|
|
#include "dm-verity-verify-sig.h"
|
|
|
|
|
|
|
|
#define DM_VERITY_VERIFY_ERR(s) DM_VERITY_ROOT_HASH_VERIFICATION " " s
|
|
|
|
|
|
|
|
static bool require_signatures;
|
2021-05-12 11:14:21 +00:00
|
|
|
module_param(require_signatures, bool, 0444);
|
2019-07-18 00:46:15 +00:00
|
|
|
MODULE_PARM_DESC(require_signatures,
|
|
|
|
"Verify the roothash of dm-verity hash tree");
|
|
|
|
|
|
|
|
#define DM_VERITY_IS_SIG_FORCE_ENABLED() \
|
|
|
|
(require_signatures != false)
|
|
|
|
|
|
|
|
bool verity_verify_is_sig_opt_arg(const char *arg_name)
|
|
|
|
{
|
|
|
|
return (!strcasecmp(arg_name,
|
|
|
|
DM_VERITY_ROOT_HASH_VERIFICATION_OPT_SIG_KEY));
|
|
|
|
}
|
|
|
|
|
|
|
|
static int verity_verify_get_sig_from_key(const char *key_desc,
|
|
|
|
struct dm_verity_sig_opts *sig_opts)
|
|
|
|
{
|
|
|
|
struct key *key;
|
|
|
|
const struct user_key_payload *ukp;
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
key = request_key(&key_type_user,
|
|
|
|
key_desc, NULL);
|
|
|
|
if (IS_ERR(key))
|
|
|
|
return PTR_ERR(key);
|
|
|
|
|
|
|
|
down_read(&key->sem);
|
|
|
|
|
|
|
|
ukp = user_key_payload_locked(key);
|
|
|
|
if (!ukp) {
|
|
|
|
ret = -EKEYREVOKED;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
sig_opts->sig = kmalloc(ukp->datalen, GFP_KERNEL);
|
|
|
|
if (!sig_opts->sig) {
|
|
|
|
ret = -ENOMEM;
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
sig_opts->sig_size = ukp->datalen;
|
|
|
|
|
|
|
|
memcpy(sig_opts->sig, ukp->data, sig_opts->sig_size);
|
|
|
|
|
|
|
|
end:
|
|
|
|
up_read(&key->sem);
|
|
|
|
key_put(key);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int verity_verify_sig_parse_opt_args(struct dm_arg_set *as,
|
|
|
|
struct dm_verity *v,
|
|
|
|
struct dm_verity_sig_opts *sig_opts,
|
|
|
|
unsigned int *argc,
|
|
|
|
const char *arg_name)
|
|
|
|
{
|
|
|
|
struct dm_target *ti = v->ti;
|
|
|
|
int ret = 0;
|
|
|
|
const char *sig_key = NULL;
|
|
|
|
|
|
|
|
if (!*argc) {
|
|
|
|
ti->error = DM_VERITY_VERIFY_ERR("Signature key not specified");
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
sig_key = dm_shift_arg(as);
|
|
|
|
(*argc)--;
|
|
|
|
|
|
|
|
ret = verity_verify_get_sig_from_key(sig_key, sig_opts);
|
|
|
|
if (ret < 0)
|
|
|
|
ti->error = DM_VERITY_VERIFY_ERR("Invalid key specified");
|
|
|
|
|
|
|
|
v->signature_key_desc = kstrdup(sig_key, GFP_KERNEL);
|
|
|
|
if (!v->signature_key_desc)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* verify_verify_roothash - Verify the root hash of the verity hash device
|
|
|
|
* using builtin trusted keys.
|
|
|
|
*
|
|
|
|
* @root_hash: For verity, the roothash/data to be verified.
|
|
|
|
* @root_hash_len: Size of the roothash/data to be verified.
|
|
|
|
* @sig_data: The trusted signature that verifies the roothash/data.
|
|
|
|
* @sig_len: Size of the signature.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
|
|
|
|
const void *sig_data, size_t sig_len)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (!root_hash || root_hash_len == 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!sig_data || sig_len == 0) {
|
|
|
|
if (DM_VERITY_IS_SIG_FORCE_ENABLED())
|
|
|
|
return -ENOKEY;
|
|
|
|
else
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
|
2020-10-23 17:05:12 +00:00
|
|
|
sig_len,
|
|
|
|
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
|
|
|
|
VERIFY_USE_SECONDARY_KEYRING,
|
|
|
|
#else
|
|
|
|
NULL,
|
|
|
|
#endif
|
|
|
|
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
|
dm verity: add support for signature verification with platform keyring
Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
that enables verifying dm-verity signatures using the platform keyring,
which is populated using the UEFI DB certificates. This is useful for
self-enrolled systems that do not use MOK, as the secondary keyring which
is already used for verification, if the relevant kconfig is enabled, is
linked to the machine keyring, which gets its certificates loaded from MOK.
On datacenter/virtual/cloud deployments it is more common to deploy one's
own certificate chain directly in DB on first boot in unattended mode,
rather than relying on MOK, as the latter typically requires interactive
authentication to enroll, and is more suited for personal machines.
Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
if not otherwise specified, as it is likely that if one wants to use
MOK certificates to verify dm-verity volumes, DB certificates are
going to be used too. Keys in DB are allowed to load a full kernel
already anyway, so they are already highly privileged.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
2024-07-02 16:16:57 +00:00
|
|
|
#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
|
2024-09-22 16:17:53 +00:00
|
|
|
if (ret == -ENOKEY || ret == -EKEYREJECTED)
|
dm verity: add support for signature verification with platform keyring
Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
that enables verifying dm-verity signatures using the platform keyring,
which is populated using the UEFI DB certificates. This is useful for
self-enrolled systems that do not use MOK, as the secondary keyring which
is already used for verification, if the relevant kconfig is enabled, is
linked to the machine keyring, which gets its certificates loaded from MOK.
On datacenter/virtual/cloud deployments it is more common to deploy one's
own certificate chain directly in DB on first boot in unattended mode,
rather than relying on MOK, as the latter typically requires interactive
authentication to enroll, and is more suited for personal machines.
Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
if not otherwise specified, as it is likely that if one wants to use
MOK certificates to verify dm-verity volumes, DB certificates are
going to be used too. Keys in DB are allowed to load a full kernel
already anyway, so they are already highly privileged.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
2024-07-02 16:16:57 +00:00
|
|
|
ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
|
|
|
|
sig_len,
|
|
|
|
VERIFY_USE_PLATFORM_KEYRING,
|
|
|
|
VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
|
|
|
|
#endif
|
2019-07-18 00:46:15 +00:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
void verity_verify_sig_opts_cleanup(struct dm_verity_sig_opts *sig_opts)
|
|
|
|
{
|
|
|
|
kfree(sig_opts->sig);
|
|
|
|
sig_opts->sig = NULL;
|
|
|
|
sig_opts->sig_size = 0;
|
|
|
|
}
|