diff options
Diffstat (limited to 'certs')
| -rw-r--r-- | certs/.gitignore | 1 | ||||
| -rw-r--r-- | certs/Kconfig | 17 | ||||
| -rw-r--r-- | certs/Makefile | 14 | ||||
| -rw-r--r-- | certs/blacklist.c | 227 |
4 files changed, 207 insertions, 52 deletions
diff --git a/certs/.gitignore b/certs/.gitignore index 9e42fe3e02f56..56637aceaf81c 100644 --- a/certs/.gitignore +++ b/certs/.gitignore @@ -1,4 +1,5 @@ # SPDX-License-Identifier: GPL-2.0-only +/blacklist_hashes_checked /extract-cert /x509_certificate_list /x509_revocation_list diff --git a/certs/Kconfig b/certs/Kconfig index 73d1350c223a8..476755703cf8b 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -104,8 +104,11 @@ config SYSTEM_BLACKLIST_HASH_LIST help If set, this option should be the filename of a list of hashes in the form "<hash>", "<hash>", ... . This will be included into a C - wrapper to incorporate the list into the kernel. Each <hash> should - be a string of hex digits. + wrapper to incorporate the list into the kernel. Each <hash> must be a + string starting with a prefix ("tbs" or "bin"), then a colon (":"), and + finally an even number of hexadecimal lowercase characters (up to 128). + Certificate hashes can be generated with + tools/certs/print-cert-tbs-hash.sh . config SYSTEM_REVOCATION_LIST bool "Provide system-wide ring of revocation certificates" @@ -124,4 +127,14 @@ config SYSTEM_REVOCATION_KEYS containing X.509 certificates to be included in the default blacklist keyring. +config SYSTEM_BLACKLIST_AUTH_UPDATE + bool "Allow root to add signed blacklist keys" + depends on SYSTEM_BLACKLIST_KEYRING + depends on SYSTEM_DATA_VERIFICATION + help + If set, provide the ability to load new blacklist keys at run time if + they are signed and vouched by a certificate from the builtin trusted + keyring. The PKCS#7 signature of the description is set in the key + payload. Blacklist keys cannot be removed. + endmenu diff --git a/certs/Makefile b/certs/Makefile index e4a0488133f09..bb904f90f1394 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -7,6 +7,18 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o c obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) +quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) + cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ + +$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) + +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked + +CFLAGS_blacklist_hashes.o += -I$(srctree) + +targets += blacklist_hashes_checked +$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE + $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o @@ -21,7 +33,7 @@ $(obj)/system_certificates.o: $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE $(call if_changed,extract_certs) -targets += x509_certificate_list +targets += x509_certificate_list blacklist_hashes_checked # If module signing is requested, say by allyesconfig, but a key has not been # supplied, then one will need to be generated to make sure the build does not diff --git a/certs/blacklist.c b/certs/blacklist.c index c9a435b15af40..25094ea736007 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -15,10 +15,24 @@ #include <linux/err.h> #include <linux/seq_file.h> #include <linux/uidgid.h> +#include <linux/verification.h> #include <keys/system_keyring.h> #include "blacklist.h" #include "common.h" +/* + * According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(), + * the size of the currently longest supported hash algorithm is 512 bits, + * which translates into 128 hex characters. + */ +#define MAX_HASH_LEN 128 + +#define BLACKLIST_KEY_PERM (KEY_POS_SEARCH | KEY_POS_VIEW | \ + KEY_USR_SEARCH | KEY_USR_VIEW) + +static const char tbs_prefix[] = "tbs"; +static const char bin_prefix[] = "bin"; + static struct key *blacklist_keyring; #ifdef CONFIG_SYSTEM_REVOCATION_LIST @@ -32,41 +46,89 @@ extern __initconst const unsigned long revocation_certificate_list_size; */ static int blacklist_vet_description(const char *desc) { - int n = 0; - - if (*desc == ':') - return -EINVAL; - for (; *desc; desc++) - if (*desc == ':') - goto found_colon; + int i, prefix_len, tbs_step = 0, bin_step = 0; + + /* The following algorithm only works if prefix lengths match. */ + BUILD_BUG_ON(sizeof(tbs_prefix) != sizeof(bin_prefix)); + prefix_len = sizeof(tbs_prefix) - 1; + for (i = 0; *desc; desc++, i++) { + if (*desc == ':') { + if (tbs_step == prefix_len) + goto found_colon; + if (bin_step == prefix_len) + goto found_colon; + return -EINVAL; + } + if (i >= prefix_len) + return -EINVAL; + if (*desc == tbs_prefix[i]) + tbs_step++; + if (*desc == bin_prefix[i]) + bin_step++; + } return -EINVAL; found_colon: desc++; - for (; *desc; desc++) { + for (i = 0; *desc && i < MAX_HASH_LEN; desc++, i++) { if (!isxdigit(*desc) || isupper(*desc)) return -EINVAL; - n++; } + if (*desc) + /* The hash is greater than MAX_HASH_LEN. */ + return -ENOPKG; - if (n == 0 || n & 1) + /* Checks for an even number of hexadecimal characters. */ + if (i == 0 || i & 1) return -EINVAL; return 0; } -/* - * The hash to be blacklisted is expected to be in the description. There will - * be no payload. - */ -static int blacklist_preparse(struct key_preparsed_payload *prep) +static int blacklist_key_instantiate(struct key *key, + struct key_preparsed_payload *prep) { - if (prep->datalen > 0) - return -EINVAL; - return 0; +#ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE + int err; +#endif + + /* Sets safe default permissions for keys loaded by user space. */ + key->perm = BLACKLIST_KEY_PERM; + + /* + * Skips the authentication step for builtin hashes, they are not + * signed but still trusted. + */ + if (key->flags & (1 << KEY_FLAG_BUILTIN)) + goto out; + +#ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE + /* + * Verifies the description's PKCS#7 signature against the builtin + * trusted keyring. + */ + err = verify_pkcs7_signature(key->description, + strlen(key->description), prep->data, prep->datalen, + NULL, VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL); + if (err) + return err; +#else + /* + * It should not be possible to come here because the keyring doesn't + * have KEY_USR_WRITE and the only other way to call this function is + * for builtin hashes. + */ + WARN_ON_ONCE(1); + return -EPERM; +#endif + +out: + return generic_key_instantiate(key, prep); } -static void blacklist_free_preparse(struct key_preparsed_payload *prep) +static int blacklist_key_update(struct key *key, + struct key_preparsed_payload *prep) { + return -EPERM; } static void blacklist_describe(const struct key *key, struct seq_file *m) @@ -77,17 +139,48 @@ static void blacklist_describe(const struct key *key, struct seq_file *m) static struct key_type key_type_blacklist = { .name = "blacklist", .vet_description = blacklist_vet_description, - .preparse = blacklist_preparse, - .free_preparse = blacklist_free_preparse, - .instantiate = generic_key_instantiate, + .instantiate = blacklist_key_instantiate, + .update = blacklist_key_update, .describe = blacklist_describe, }; +static char *get_raw_hash(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + size_t type_len; + const char *type_prefix; + char *buffer, *p; + + switch (hash_type) { + case BLACKLIST_HASH_X509_TBS: + type_len = sizeof(tbs_prefix) - 1; + type_prefix = tbs_prefix; + break; + case BLACKLIST_HASH_BINARY: + type_len = sizeof(bin_prefix) - 1; + type_prefix = bin_prefix; + break; + default: + WARN_ON_ONCE(1); + return ERR_PTR(-EINVAL); + } + buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); + if (!buffer) + return ERR_PTR(-ENOMEM); + p = memcpy(buffer, type_prefix, type_len); + p += type_len; + *p++ = ':'; + bin2hex(p, hash, hash_len); + p += hash_len * 2; + *p = '\0'; + return buffer; +} + /** - * mark_hash_blacklisted - Add a hash to the system blacklist + * mark_raw_hash_blacklisted - Add a hash to the system blacklist * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783") */ -int mark_hash_blacklisted(const char *hash) +static int mark_raw_hash_blacklisted(const char *hash) { key_ref_t key; @@ -96,8 +189,7 @@ int mark_hash_blacklisted(const char *hash) hash, NULL, 0, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW), + BLACKLIST_KEY_PERM, KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); if (IS_ERR(key)) { @@ -107,29 +199,36 @@ int mark_hash_blacklisted(const char *hash) return 0; } +int mark_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + const char *buffer; + int err; + + buffer = get_raw_hash(hash, hash_len, hash_type); + if (IS_ERR(buffer)) + return PTR_ERR(buffer); + err = mark_raw_hash_blacklisted(buffer); + kfree(buffer); + return err; +} + /** * is_hash_blacklisted - Determine if a hash is blacklisted * @hash: The hash to be checked as a binary blob * @hash_len: The length of the binary hash - * @type: Type of hash + * @hash_type: Type of hash */ -int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) +int is_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) { key_ref_t kref; - size_t type_len = strlen(type); - char *buffer, *p; + const char *buffer; int ret = 0; - buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); - if (!buffer) - return -ENOMEM; - p = memcpy(buffer, type, type_len); - p += type_len; - *p++ = ':'; - bin2hex(p, hash, hash_len); - p += hash_len * 2; - *p = 0; - + buffer = get_raw_hash(hash, hash_len, hash_type); + if (IS_ERR(buffer)) + return PTR_ERR(buffer); kref = keyring_search(make_key_ref(blacklist_keyring, true), &key_type_blacklist, buffer, false); if (!IS_ERR(kref)) { @@ -144,7 +243,8 @@ EXPORT_SYMBOL_GPL(is_hash_blacklisted); int is_binary_blacklisted(const u8 *hash, size_t hash_len) { - if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) + if (is_hash_blacklisted(hash, hash_len, BLACKLIST_HASH_BINARY) == + -EKEYREJECTED) return -EPERM; return 0; @@ -166,8 +266,10 @@ int add_key_to_revocation_list(const char *data, size_t size) NULL, data, size, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), - KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH + | KEY_USR_VIEW, + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN + | KEY_ALLOC_BYPASS_RESTRICTION); if (IS_ERR(key)) { pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); @@ -194,30 +296,57 @@ int is_key_on_revocation_list(struct pkcs7_message *pkcs7) } #endif +static int restrict_link_for_blacklist(struct key *dest_keyring, + const struct key_type *type, const union key_payload *payload, + struct key *restrict_key) +{ + if (type == &key_type_blacklist) + return 0; + return -EOPNOTSUPP; +} + /* * Initialise the blacklist + * + * The blacklist_init() function is registered as an initcall via + * device_initcall(). As a result if the blacklist_init() function fails for + * any reason the kernel continues to execute. While cleanly returning -ENODEV + * could be acceptable for some non-critical kernel parts, if the blacklist + * keyring fails to load it defeats the certificate/key based deny list for + * signed modules. If a critical piece of security functionality that users + * expect to be present fails to initialize, panic()ing is likely the right + * thing to do. */ static int __init blacklist_init(void) { const char *const *bl; + struct key_restriction *restriction; if (register_key_type(&key_type_blacklist) < 0) panic("Can't allocate system blacklist key type\n"); + restriction = kzalloc(sizeof(*restriction), GFP_KERNEL); + if (!restriction) + panic("Can't allocate blacklist keyring restriction\n"); + restriction->check = restrict_link_for_blacklist; + blacklist_keyring = keyring_alloc(".blacklist", GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), - (KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ | - KEY_USR_SEARCH, - KEY_ALLOC_NOT_IN_QUOTA | + KEY_POS_VIEW | KEY_POS_READ | KEY_POS_SEARCH | + KEY_POS_WRITE | + KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH +#ifdef CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE + | KEY_USR_WRITE +#endif + , KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_SET_KEEP, - NULL, NULL); + restriction, NULL); if (IS_ERR(blacklist_keyring)) panic("Can't allocate system blacklist keyring\n"); for (bl = blacklist_hashes; *bl; bl++) - if (mark_hash_blacklisted(*bl) < 0) + if (mark_raw_hash_blacklisted(*bl) < 0) pr_err("- blacklisting failed\n"); return 0; } |