[linux-block.git] / fs / verity / signature.c

// SPDX-License-Identifier: GPL-2.0
/*
 * Verification of builtin signatures
 *
 * Copyright 2019 Google LLC
 */

#include "fsverity_private.h"

#include <linux/cred.h>
#include <linux/key.h>
#include <linux/slab.h>
#include <linux/verification.h>

/*
 * /proc/sys/fs/verity/require_signatures
 * If 1, all verity files must have a valid builtin signature.
 */
static int fsverity_require_signatures;

/*
 * Keyring that contains the trusted X.509 certificates.
 *
 * Only root (kuid=0) can modify this.  Also, root may use
 * keyctl_restrict_keyring() to prevent any more additions.
 */
static struct key *fsverity_keyring;

/**
 * fsverity_verify_signature() - check a verity file's signature
 * @vi: the file's fsverity_info
 * @signature: the file's built-in signature
 * @sig_size: size of signature in bytes, or 0 if no signature
 *
 * If the file includes a signature of its fs-verity file digest, verify it
 * against the certificates in the fs-verity keyring.
 *
 * Return: 0 on success (signature valid or not required); -errno on failure
 */
int fsverity_verify_signature(const struct fsverity_info *vi,
			      const u8 *signature, size_t sig_size)
{
	const struct inode *inode = vi->inode;
	const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
	struct fsverity_formatted_digest *d;
	int err;

	if (sig_size == 0) {
		if (fsverity_require_signatures) {
			fsverity_err(inode,
				     "require_signatures=1, rejecting unsigned file!");
			return -EPERM;
		}
		return 0;
	}

	d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL);
	if (!d)
		return -ENOMEM;
	memcpy(d->magic, "FSVerity", 8);
	d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
	d->digest_size = cpu_to_le16(hash_alg->digest_size);
	memcpy(d->digest, vi->file_digest, hash_alg->digest_size);

	err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
				     signature, sig_size, fsverity_keyring,
				     VERIFYING_UNSPECIFIED_SIGNATURE,
				     NULL, NULL);
	kfree(d);

	if (err) {
		if (err == -ENOKEY)
			fsverity_err(inode,
				     "File's signing cert isn't in the fs-verity keyring");
		else if (err == -EKEYREJECTED)
			fsverity_err(inode, "Incorrect file signature");
		else if (err == -EBADMSG)
			fsverity_err(inode, "Malformed file signature");
		else
			fsverity_err(inode, "Error %d verifying file signature",
				     err);
		return err;
	}

	return 0;
}

#ifdef CONFIG_SYSCTL
static struct ctl_table_header *fsverity_sysctl_header;

static struct ctl_table fsverity_sysctl_table[] = {
	{
		.procname       = "require_signatures",
		.data           = &fsverity_require_signatures,
		.maxlen         = sizeof(int),
		.mode           = 0644,
		.proc_handler   = proc_dointvec_minmax,
		.extra1         = SYSCTL_ZERO,
		.extra2         = SYSCTL_ONE,
	},
	{ }
};

static int __init fsverity_sysctl_init(void)
{
	fsverity_sysctl_header = register_sysctl("fs/verity", fsverity_sysctl_table);
	if (!fsverity_sysctl_header) {
		pr_err("sysctl registration failed!\n");
		return -ENOMEM;
	}
	return 0;
}
#else /* !CONFIG_SYSCTL */
static inline int __init fsverity_sysctl_init(void)
{
	return 0;
}
#endif /* !CONFIG_SYSCTL */

int __init fsverity_init_signature(void)
{
	struct key *ring;
	int err;

	ring = keyring_alloc(".fs-verity", KUIDT_INIT(0), KGIDT_INIT(0),
			     current_cred(), KEY_POS_SEARCH |
				KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE |
				KEY_USR_SEARCH | KEY_USR_SETATTR,
			     KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
	if (IS_ERR(ring))
		return PTR_ERR(ring);

	err = fsverity_sysctl_init();
	if (err)
		goto err_put_ring;

	fsverity_keyring = ring;
	return 0;

err_put_ring:
	key_put(ring);
	return err;
}
Commit	Line	Data
432434c9 EB	1	// SPDX-License-Identifier: GPL-2.0
432434c9 EB	2	/*
7bf765dd	3	* Verification of builtin signatures
432434c9 EB	4	*
	5	* Copyright 2019 Google LLC
	6	*/
	7
	8	#include "fsverity_private.h"
	9
	10	#include <linux/cred.h>
	11	#include <linux/key.h>
	12	#include <linux/slab.h>
	13	#include <linux/verification.h>
	14
	15	/*
	16	* /proc/sys/fs/verity/require_signatures
	17	* If 1, all verity files must have a valid builtin signature.
	18	*/
	19	static int fsverity_require_signatures;
	20
	21	/*
	22	* Keyring that contains the trusted X.509 certificates.
	23	*
	24	* Only root (kuid=0) can modify this. Also, root may use
	25	* keyctl_restrict_keyring() to prevent any more additions.
	26	*/
	27	static struct key *fsverity_keyring;
	28
	29	/**
	30	* fsverity_verify_signature() - check a verity file's signature
6377a38b	31	* @vi: the file's fsverity_info
fab634c4 EB	32	* @signature: the file's built-in signature
fab634c4 EB	33	* @sig_size: size of signature in bytes, or 0 if no signature
432434c9	34	*
fab634c4 EB	35	* If the file includes a signature of its fs-verity file digest, verify it
fab634c4 EB	36	* against the certificates in the fs-verity keyring.
432434c9 EB	37	*
	38	* Return: 0 on success (signature valid or not required); -errno on failure
	39	*/
	40	int fsverity_verify_signature(const struct fsverity_info *vi,
fab634c4	41	const u8 *signature, size_t sig_size)
432434c9 EB	42	{
	43	const struct inode *inode = vi->inode;
	44	const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
9e90f30e	45	struct fsverity_formatted_digest *d;
432434c9 EB	46	int err;
	47
	48	if (sig_size == 0) {
	49	if (fsverity_require_signatures) {
	50	fsverity_err(inode,
	51	"require_signatures=1, rejecting unsigned file!");
	52	return -EPERM;
	53	}
	54	return 0;
	55	}
	56
432434c9 EB	57	d = kzalloc(sizeof(*d) + hash_alg->digest_size, GFP_KERNEL);
	58	if (!d)
	59	return -ENOMEM;
	60	memcpy(d->magic, "FSVerity", 8);
	61	d->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
	62	d->digest_size = cpu_to_le16(hash_alg->digest_size);
ed45e201	63	memcpy(d->digest, vi->file_digest, hash_alg->digest_size);
432434c9 EB	64
432434c9 EB	65	err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
fab634c4	66	signature, sig_size, fsverity_keyring,
432434c9 EB	67	VERIFYING_UNSPECIFIED_SIGNATURE,
	68	NULL, NULL);
	69	kfree(d);
	70
	71	if (err) {
	72	if (err == -ENOKEY)
	73	fsverity_err(inode,
	74	"File's signing cert isn't in the fs-verity keyring");
	75	else if (err == -EKEYREJECTED)
	76	fsverity_err(inode, "Incorrect file signature");
	77	else if (err == -EBADMSG)
	78	fsverity_err(inode, "Malformed file signature");
	79	else
	80	fsverity_err(inode, "Error %d verifying file signature",
	81	err);
	82	return err;
	83	}
	84
432434c9 EB	85	return 0;
	86	}
	87
	88	#ifdef CONFIG_SYSCTL
	89	static struct ctl_table_header *fsverity_sysctl_header;
	90
432434c9 EB	91	static struct ctl_table fsverity_sysctl_table[] = {
	92	{
	93	.procname = "require_signatures",
	94	.data = &fsverity_require_signatures,
	95	.maxlen = sizeof(int),
	96	.mode = 0644,
	97	.proc_handler = proc_dointvec_minmax,
	98	.extra1 = SYSCTL_ZERO,
	99	.extra2 = SYSCTL_ONE,
	100	},
	101	{ }
	102	};
	103
	104	static int __init fsverity_sysctl_init(void)
	105	{
1238c8b9	106	fsverity_sysctl_header = register_sysctl("fs/verity", fsverity_sysctl_table);
432434c9 EB	107	if (!fsverity_sysctl_header) {
	108	pr_err("sysctl registration failed!\n");
	109	return -ENOMEM;
	110	}
	111	return 0;
	112	}
	113	#else /* !CONFIG_SYSCTL */
	114	static inline int __init fsverity_sysctl_init(void)
	115	{
	116	return 0;
	117	}
	118	#endif /* !CONFIG_SYSCTL */
	119
	120	int __init fsverity_init_signature(void)
	121	{
	122	struct key *ring;
	123	int err;
	124
	125	ring = keyring_alloc(".fs-verity", KUIDT_INIT(0), KGIDT_INIT(0),
	126	current_cred(), KEY_POS_SEARCH \|
	127	KEY_USR_VIEW \| KEY_USR_READ \| KEY_USR_WRITE \|
	128	KEY_USR_SEARCH \| KEY_USR_SETATTR,
	129	KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL);
	130	if (IS_ERR(ring))
	131	return PTR_ERR(ring);
	132
	133	err = fsverity_sysctl_init();
	134	if (err)
	135	goto err_put_ring;
	136
	137	fsverity_keyring = ring;
	138	return 0;
	139
	140	err_put_ring:
	141	key_put(ring);
	142	return err;
	143	}