1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* System trusted keyring for trusted public keys
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #include <linux/export.h>
9 #include <linux/kernel.h>
10 #include <linux/sched.h>
11 #include <linux/cred.h>
12 #include <linux/err.h>
13 #include <linux/slab.h>
14 #include <linux/uidgid.h>
15 #include <linux/verification.h>
16 #include <keys/asymmetric-type.h>
17 #include <keys/system_keyring.h>
18 #include <crypto/pkcs7.h>
21 static struct key *builtin_trusted_keys;
22 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
23 static struct key *secondary_trusted_keys;
25 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
26 static struct key *platform_trusted_keys;
29 extern __initconst const u8 system_certificate_list[];
30 extern __initconst const unsigned long system_certificate_list_size;
33 * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
35 * Restrict the addition of keys into a keyring based on the key-to-be-added
36 * being vouched for by a key in the built in system keyring.
38 int restrict_link_by_builtin_trusted(struct key *dest_keyring,
39 const struct key_type *type,
40 const union key_payload *payload,
41 struct key *restriction_key)
43 return restrict_link_by_signature(dest_keyring, type, payload,
44 builtin_trusted_keys);
47 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
49 * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
50 * addition by both builtin and secondary keyrings
52 * Restrict the addition of keys into a keyring based on the key-to-be-added
53 * being vouched for by a key in either the built-in or the secondary system
56 int restrict_link_by_builtin_and_secondary_trusted(
57 struct key *dest_keyring,
58 const struct key_type *type,
59 const union key_payload *payload,
60 struct key *restrict_key)
62 /* If we have a secondary trusted keyring, then that contains a link
63 * through to the builtin keyring and the search will follow that link.
65 if (type == &key_type_keyring &&
66 dest_keyring == secondary_trusted_keys &&
67 payload == &builtin_trusted_keys->payload)
68 /* Allow the builtin keyring to be added to the secondary */
71 return restrict_link_by_signature(dest_keyring, type, payload,
72 secondary_trusted_keys);
76 * Allocate a struct key_restriction for the "builtin and secondary trust"
77 * keyring. Only for use in system_trusted_keyring_init().
79 static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
81 struct key_restriction *restriction;
83 restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
86 panic("Can't allocate secondary trusted keyring restriction\n");
88 restriction->check = restrict_link_by_builtin_and_secondary_trusted;
95 * Create the trusted keyrings
97 static __init int system_trusted_keyring_init(void)
99 pr_notice("Initialise system trusted keyrings\n");
101 builtin_trusted_keys =
102 keyring_alloc(".builtin_trusted_keys",
103 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
104 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
105 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
106 KEY_ALLOC_NOT_IN_QUOTA,
108 if (IS_ERR(builtin_trusted_keys))
109 panic("Can't allocate builtin trusted keyring\n");
111 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
112 secondary_trusted_keys =
113 keyring_alloc(".secondary_trusted_keys",
114 GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
115 ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
116 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
118 KEY_ALLOC_NOT_IN_QUOTA,
119 get_builtin_and_secondary_restriction(),
121 if (IS_ERR(secondary_trusted_keys))
122 panic("Can't allocate secondary trusted keyring\n");
124 if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
125 panic("Can't link trusted keyrings\n");
132 * Must be initialised before we try and load the keys into the keyring.
134 device_initcall(system_trusted_keyring_init);
137 * Load the compiled-in list of X.509 certificates.
139 static __init int load_system_certificate_list(void)
141 pr_notice("Loading compiled-in X.509 certificates\n");
143 return load_certificate_list(system_certificate_list, system_certificate_list_size,
144 builtin_trusted_keys);
146 late_initcall(load_system_certificate_list);
148 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
151 * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
152 * @data: The data to be verified (NULL if expecting internal data).
153 * @len: Size of @data.
154 * @pkcs7: The PKCS#7 message that is the signature.
155 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
156 * (void *)1UL for all trusted keys).
157 * @usage: The use to which the key is being put.
158 * @view_content: Callback to gain access to content.
159 * @ctx: Context for callback.
161 int verify_pkcs7_message_sig(const void *data, size_t len,
162 struct pkcs7_message *pkcs7,
163 struct key *trusted_keys,
164 enum key_being_used_for usage,
165 int (*view_content)(void *ctx,
166 const void *data, size_t len,
172 /* The data should be detached - so we need to supply it. */
173 if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
174 pr_err("PKCS#7 signature with non-detached data\n");
179 ret = pkcs7_verify(pkcs7, usage);
184 trusted_keys = builtin_trusted_keys;
185 } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
186 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
187 trusted_keys = secondary_trusted_keys;
189 trusted_keys = builtin_trusted_keys;
191 } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
192 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
193 trusted_keys = platform_trusted_keys;
199 pr_devel("PKCS#7 platform keyring is not available\n");
203 ret = is_key_on_revocation_list(pkcs7);
204 if (ret != -ENOKEY) {
205 pr_devel("PKCS#7 platform key is on revocation list\n");
209 ret = pkcs7_validate_trust(pkcs7, trusted_keys);
212 pr_devel("PKCS#7 signature not signed with a trusted key\n");
219 ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
222 pr_devel("PKCS#7 message does not contain data\n");
226 ret = view_content(ctx, data, len, asn1hdrlen);
230 pr_devel("<==%s() = %d\n", __func__, ret);
235 * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
236 * @data: The data to be verified (NULL if expecting internal data).
237 * @len: Size of @data.
238 * @raw_pkcs7: The PKCS#7 message that is the signature.
239 * @pkcs7_len: The size of @raw_pkcs7.
240 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
241 * (void *)1UL for all trusted keys).
242 * @usage: The use to which the key is being put.
243 * @view_content: Callback to gain access to content.
244 * @ctx: Context for callback.
246 int verify_pkcs7_signature(const void *data, size_t len,
247 const void *raw_pkcs7, size_t pkcs7_len,
248 struct key *trusted_keys,
249 enum key_being_used_for usage,
250 int (*view_content)(void *ctx,
251 const void *data, size_t len,
255 struct pkcs7_message *pkcs7;
258 pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
260 return PTR_ERR(pkcs7);
262 ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
265 pkcs7_free_message(pkcs7);
266 pr_devel("<==%s() = %d\n", __func__, ret);
269 EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
271 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
273 #ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
274 void __init set_platform_trusted_keys(struct key *keyring)
276 platform_trusted_keys = keyring;