[linux-block.git] / certs / system_keyring.c

// SPDX-License-Identifier: GPL-2.0-or-later
/* System trusted keyring for trusted public keys
 *
 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#include <linux/export.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/slab.h>
#include <linux/uidgid.h>
#include <linux/verification.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>

static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
static struct key *secondary_trusted_keys;
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
static struct key *machine_trusted_keys;
#endif
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
static struct key *platform_trusted_keys;
#endif

extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
extern __initconst const unsigned long module_cert_size;

/**
 * restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA
 * @dest_keyring: Keyring being linked to.
 * @type: The type of key being added.
 * @payload: The payload of the new key.
 * @restriction_key: A ring of keys that can be used to vouch for the new cert.
 *
 * Restrict the addition of keys into a keyring based on the key-to-be-added
 * being vouched for by a key in the built in system keyring.
 */
int restrict_link_by_builtin_trusted(struct key *dest_keyring,
				     const struct key_type *type,
				     const union key_payload *payload,
				     struct key *restriction_key)
{
	return restrict_link_by_signature(dest_keyring, type, payload,
					  builtin_trusted_keys);
}

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
/**
 * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
 *   addition by both built-in and secondary keyrings.
 * @dest_keyring: Keyring being linked to.
 * @type: The type of key being added.
 * @payload: The payload of the new key.
 * @restrict_key: A ring of keys that can be used to vouch for the new cert.
 *
 * Restrict the addition of keys into a keyring based on the key-to-be-added
 * being vouched for by a key in either the built-in or the secondary system
 * keyrings.
 */
int restrict_link_by_builtin_and_secondary_trusted(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key)
{
	/* If we have a secondary trusted keyring, then that contains a link
	 * through to the builtin keyring and the search will follow that link.
	 */
	if (type == &key_type_keyring &&
	    dest_keyring == secondary_trusted_keys &&
	    payload == &builtin_trusted_keys->payload)
		/* Allow the builtin keyring to be added to the secondary */
		return 0;

	return restrict_link_by_signature(dest_keyring, type, payload,
					  secondary_trusted_keys);
}

/*
 * Allocate a struct key_restriction for the "builtin and secondary trust"
 * keyring. Only for use in system_trusted_keyring_init().
 */
static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
{
	struct key_restriction *restriction;

	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);

	if (!restriction)
		panic("Can't allocate secondary trusted keyring restriction\n");

	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
		restriction->check = restrict_link_by_builtin_secondary_and_machine;
	else
		restriction->check = restrict_link_by_builtin_and_secondary_trusted;

	return restriction;
}
#endif
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
void __init set_machine_trusted_keys(struct key *keyring)
{
	machine_trusted_keys = keyring;

	if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
		panic("Can't link (machine) trusted keyrings\n");
}

/**
 * restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
 * @dest_keyring: Keyring being linked to.
 * @type: The type of key being added.
 * @payload: The payload of the new key.
 * @restrict_key: A ring of keys that can be used to vouch for the new cert.
 *
 * Restrict the addition of keys into a keyring based on the key-to-be-added
 * being vouched for by a key in either the built-in, the secondary, or
 * the machine keyrings.
 */
int restrict_link_by_builtin_secondary_and_machine(
	struct key *dest_keyring,
	const struct key_type *type,
	const union key_payload *payload,
	struct key *restrict_key)
{
	if (machine_trusted_keys && type == &key_type_keyring &&
	    dest_keyring == secondary_trusted_keys &&
	    payload == &machine_trusted_keys->payload)
		/* Allow the machine keyring to be added to the secondary */
		return 0;

	return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
							      payload, restrict_key);
}
#endif

/*
 * Create the trusted keyrings
 */
static __init int system_trusted_keyring_init(void)
{
	pr_notice("Initialise system trusted keyrings\n");

	builtin_trusted_keys =
		keyring_alloc(".builtin_trusted_keys",
			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
			      KEY_ALLOC_NOT_IN_QUOTA,
			      NULL, NULL);
	if (IS_ERR(builtin_trusted_keys))
		panic("Can't allocate builtin trusted keyring\n");

#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
	secondary_trusted_keys =
		keyring_alloc(".secondary_trusted_keys",
			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
			       KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |
			       KEY_USR_WRITE),
			      KEY_ALLOC_NOT_IN_QUOTA,
			      get_builtin_and_secondary_restriction(),
			      NULL);
	if (IS_ERR(secondary_trusted_keys))
		panic("Can't allocate secondary trusted keyring\n");

	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
		panic("Can't link trusted keyrings\n");
#endif

	return 0;
}

/*
 * Must be initialised before we try and load the keys into the keyring.
 */
device_initcall(system_trusted_keyring_init);

__init int load_module_cert(struct key *keyring)
{
	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
		return 0;

	pr_notice("Loading compiled-in module X.509 certificates\n");

	return x509_load_certificate_list(system_certificate_list,
					  module_cert_size, keyring);
}

/*
 * Load the compiled-in list of X.509 certificates.
 */
static __init int load_system_certificate_list(void)
{
	const u8 *p;
	unsigned long size;

	pr_notice("Loading compiled-in X.509 certificates\n");

#ifdef CONFIG_MODULE_SIG
	p = system_certificate_list;
	size = system_certificate_list_size;
#else
	p = system_certificate_list + module_cert_size;
	size = system_certificate_list_size - module_cert_size;
#endif

	return x509_load_certificate_list(p, size, builtin_trusted_keys);
}
late_initcall(load_system_certificate_list);

#ifdef CONFIG_SYSTEM_DATA_VERIFICATION

/**
 * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
 * @data: The data to be verified (NULL if expecting internal data).
 * @len: Size of @data.
 * @pkcs7: The PKCS#7 message that is the signature.
 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 *					(void *)1UL for all trusted keys).
 * @usage: The use to which the key is being put.
 * @view_content: Callback to gain access to content.
 * @ctx: Context for callback.
 */
int verify_pkcs7_message_sig(const void *data, size_t len,
			     struct pkcs7_message *pkcs7,
			     struct key *trusted_keys,
			     enum key_being_used_for usage,
			     int (*view_content)(void *ctx,
						 const void *data, size_t len,
						 size_t asn1hdrlen),
			     void *ctx)
{
	int ret;

	/* The data should be detached - so we need to supply it. */
	if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
		pr_err("PKCS#7 signature with non-detached data\n");
		ret = -EBADMSG;
		goto error;
	}

	ret = pkcs7_verify(pkcs7, usage);
	if (ret < 0)
		goto error;

	if (!trusted_keys) {
		trusted_keys = builtin_trusted_keys;
	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
		trusted_keys = secondary_trusted_keys;
#else
		trusted_keys = builtin_trusted_keys;
#endif
	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
		trusted_keys = platform_trusted_keys;
#else
		trusted_keys = NULL;
#endif
		if (!trusted_keys) {
			ret = -ENOKEY;
			pr_devel("PKCS#7 platform keyring is not available\n");
			goto error;
		}

		ret = is_key_on_revocation_list(pkcs7);
		if (ret != -ENOKEY) {
			pr_devel("PKCS#7 platform key is on revocation list\n");
			goto error;
		}
	}
	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
	if (ret < 0) {
		if (ret == -ENOKEY)
			pr_devel("PKCS#7 signature not signed with a trusted key\n");
		goto error;
	}

	if (view_content) {
		size_t asn1hdrlen;

		ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
		if (ret < 0) {
			if (ret == -ENODATA)
				pr_devel("PKCS#7 message does not contain data\n");
			goto error;
		}

		ret = view_content(ctx, data, len, asn1hdrlen);
	}

error:
	pr_devel("<==%s() = %d\n", __func__, ret);
	return ret;
}

/**
 * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
 * @data: The data to be verified (NULL if expecting internal data).
 * @len: Size of @data.
 * @raw_pkcs7: The PKCS#7 message that is the signature.
 * @pkcs7_len: The size of @raw_pkcs7.
 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 *					(void *)1UL for all trusted keys).
 * @usage: The use to which the key is being put.
 * @view_content: Callback to gain access to content.
 * @ctx: Context for callback.
 */
int verify_pkcs7_signature(const void *data, size_t len,
			   const void *raw_pkcs7, size_t pkcs7_len,
			   struct key *trusted_keys,
			   enum key_being_used_for usage,
			   int (*view_content)(void *ctx,
					       const void *data, size_t len,
					       size_t asn1hdrlen),
			   void *ctx)
{
	struct pkcs7_message *pkcs7;
	int ret;

	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
	if (IS_ERR(pkcs7))
		return PTR_ERR(pkcs7);

	ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
				       view_content, ctx);

	pkcs7_free_message(pkcs7);
	pr_devel("<==%s() = %d\n", __func__, ret);
	return ret;
}
EXPORT_SYMBOL_GPL(verify_pkcs7_signature);

#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */

#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
void __init set_platform_trusted_keys(struct key *keyring)
{
	platform_trusted_keys = keyring;
}
#endif
Commit	Line	Data
b4d0d230	1	// SPDX-License-Identifier: GPL-2.0-or-later
b56e5a17 DH	2	/* System trusted keyring for trusted public keys
	3	*
	4	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
	5	* Written by David Howells (dhowells@redhat.com)
b56e5a17 DH	6	*/
	7
	8	#include <linux/export.h>
	9	#include <linux/kernel.h>
	10	#include <linux/sched.h>
	11	#include <linux/cred.h>
	12	#include <linux/err.h>
2b6aa412	13	#include <linux/slab.h>
a6cb0ab7	14	#include <linux/uidgid.h>
817aef26	15	#include <linux/verification.h>
b56e5a17 DH	16	#include <keys/asymmetric-type.h>
b56e5a17 DH	17	#include <keys/system_keyring.h>
091f6e26	18	#include <crypto/pkcs7.h>
b56e5a17	19
d3bfe841 DH	20	static struct key *builtin_trusted_keys;
	21	#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
	22	static struct key *secondary_trusted_keys;
	23	#endif
56edb6c2 ES	24	#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
	25	static struct key *machine_trusted_keys;
	26	#endif
219a3e86 KS	27	#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
	28	static struct key *platform_trusted_keys;
	29	#endif
b56e5a17 DH	30
b56e5a17 DH	31	extern __initconst const u8 system_certificate_list[];
62226983	32	extern __initconst const unsigned long system_certificate_list_size;
6cbdfb3d	33	extern __initconst const unsigned long module_cert_size;
b56e5a17	34
a511e1af	35	/**
ef97e774 ES	36	* restrict_link_by_builtin_trusted - Restrict keyring addition by built-in CA
	37	* @dest_keyring: Keyring being linked to.
	38	* @type: The type of key being added.
	39	* @payload: The payload of the new key.
	40	* @restriction_key: A ring of keys that can be used to vouch for the new cert.
a511e1af DH	41	*
a511e1af DH	42	* Restrict the addition of keys into a keyring based on the key-to-be-added
d3bfe841	43	* being vouched for by a key in the built in system keyring.
a511e1af	44	*/
aaf66c88	45	int restrict_link_by_builtin_trusted(struct key *dest_keyring,
a511e1af	46	const struct key_type *type,
aaf66c88 MM	47	const union key_payload *payload,
aaf66c88 MM	48	struct key *restriction_key)
a511e1af	49	{
aaf66c88 MM	50	return restrict_link_by_signature(dest_keyring, type, payload,
aaf66c88 MM	51	builtin_trusted_keys);
a511e1af DH	52	}
a511e1af DH	53
d3bfe841 DH	54	#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
	55	/**
	56	* restrict_link_by_builtin_and_secondary_trusted - Restrict keyring
ef97e774 ES	57	* addition by both built-in and secondary keyrings.
	58	* @dest_keyring: Keyring being linked to.
	59	* @type: The type of key being added.
	60	* @payload: The payload of the new key.
	61	* @restrict_key: A ring of keys that can be used to vouch for the new cert.
d3bfe841 DH	62	*
	63	* Restrict the addition of keys into a keyring based on the key-to-be-added
	64	* being vouched for by a key in either the built-in or the secondary system
	65	* keyrings.
	66	*/
	67	int restrict_link_by_builtin_and_secondary_trusted(
aaf66c88	68	struct key *dest_keyring,
d3bfe841	69	const struct key_type *type,
aaf66c88 MM	70	const union key_payload *payload,
aaf66c88 MM	71	struct key *restrict_key)
d3bfe841 DH	72	{
	73	/* If we have a secondary trusted keyring, then that contains a link
	74	* through to the builtin keyring and the search will follow that link.
	75	*/
	76	if (type == &key_type_keyring &&
aaf66c88	77	dest_keyring == secondary_trusted_keys &&
d3bfe841 DH	78	payload == &builtin_trusted_keys->payload)
	79	/* Allow the builtin keyring to be added to the secondary */
	80	return 0;
	81
aaf66c88 MM	82	return restrict_link_by_signature(dest_keyring, type, payload,
aaf66c88 MM	83	secondary_trusted_keys);
d3bfe841	84	}
2b6aa412	85
ef97e774	86	/*
2b6aa412 MM	87	* Allocate a struct key_restriction for the "builtin and secondary trust"
	88	* keyring. Only for use in system_trusted_keyring_init().
	89	*/
	90	static __init struct key_restriction *get_builtin_and_secondary_restriction(void)
	91	{
	92	struct key_restriction *restriction;
	93
	94	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
	95
	96	if (!restriction)
	97	panic("Can't allocate secondary trusted keyring restriction\n");
	98
087aa4ed ES	99	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
	100	restriction->check = restrict_link_by_builtin_secondary_and_machine;
	101	else
	102	restriction->check = restrict_link_by_builtin_and_secondary_trusted;
2b6aa412 MM	103
	104	return restriction;
	105	}
d3bfe841	106	#endif
56edb6c2 ES	107	#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
	108	void __init set_machine_trusted_keys(struct key *keyring)
	109	{
	110	machine_trusted_keys = keyring;
087aa4ed ES	111
	112	if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0)
	113	panic("Can't link (machine) trusted keyrings\n");
	114	}
	115
	116	/**
	117	* restrict_link_by_builtin_secondary_and_machine - Restrict keyring addition.
	118	* @dest_keyring: Keyring being linked to.
	119	* @type: The type of key being added.
	120	* @payload: The payload of the new key.
	121	* @restrict_key: A ring of keys that can be used to vouch for the new cert.
	122	*
	123	* Restrict the addition of keys into a keyring based on the key-to-be-added
	124	* being vouched for by a key in either the built-in, the secondary, or
	125	* the machine keyrings.
	126	*/
	127	int restrict_link_by_builtin_secondary_and_machine(
	128	struct key *dest_keyring,
	129	const struct key_type *type,
	130	const union key_payload *payload,
	131	struct key *restrict_key)
	132	{
	133	if (machine_trusted_keys && type == &key_type_keyring &&
	134	dest_keyring == secondary_trusted_keys &&
	135	payload == &machine_trusted_keys->payload)
	136	/* Allow the machine keyring to be added to the secondary */
	137	return 0;
	138
	139	return restrict_link_by_builtin_and_secondary_trusted(dest_keyring, type,
	140	payload, restrict_key);
56edb6c2 ES	141	}
56edb6c2 ES	142	#endif
d3bfe841	143
b56e5a17	144	/*
d3bfe841	145	* Create the trusted keyrings
b56e5a17 DH	146	*/
	147	static __init int system_trusted_keyring_init(void)
	148	{
d3bfe841	149	pr_notice("Initialise system trusted keyrings\n");
b56e5a17	150
d3bfe841 DH	151	builtin_trusted_keys =
d3bfe841 DH	152	keyring_alloc(".builtin_trusted_keys",
a6cb0ab7	153	GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
028db3e2 LT	154	((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	155	KEY_USR_VIEW \| KEY_USR_READ \| KEY_USR_SEARCH),
	156	KEY_ALLOC_NOT_IN_QUOTA,
d3bfe841 DH	157	NULL, NULL);
	158	if (IS_ERR(builtin_trusted_keys))
	159	panic("Can't allocate builtin trusted keyring\n");
	160
	161	#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
	162	secondary_trusted_keys =
	163	keyring_alloc(".secondary_trusted_keys",
a6cb0ab7	164	GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
028db3e2 LT	165	((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
	166	KEY_USR_VIEW \| KEY_USR_READ \| KEY_USR_SEARCH \|
	167	KEY_USR_WRITE),
	168	KEY_ALLOC_NOT_IN_QUOTA,
2b6aa412	169	get_builtin_and_secondary_restriction(),
d3bfe841 DH	170	NULL);
	171	if (IS_ERR(secondary_trusted_keys))
	172	panic("Can't allocate secondary trusted keyring\n");
	173
	174	if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
	175	panic("Can't link trusted keyrings\n");
	176	#endif
	177
b56e5a17 DH	178	return 0;
	179	}
	180
	181	/*
	182	* Must be initialised before we try and load the keys into the keyring.
	183	*/
	184	device_initcall(system_trusted_keyring_init);
	185
6cbdfb3d NJ	186	__init int load_module_cert(struct key *keyring)
6cbdfb3d NJ	187	{
6cbdfb3d NJ	188	if (!IS_ENABLED(CONFIG_IMA_APPRAISE_MODSIG))
	189	return 0;
	190
	191	pr_notice("Loading compiled-in module X.509 certificates\n");
	192
60050ffe DH	193	return x509_load_certificate_list(system_certificate_list,
60050ffe DH	194	module_cert_size, keyring);
6cbdfb3d NJ	195	}
6cbdfb3d NJ	196
b56e5a17 DH	197	/*
	198	* Load the compiled-in list of X.509 certificates.
	199	*/
	200	static __init int load_system_certificate_list(void)
	201	{
e6f0bf09	202	const u8 *p;
6cbdfb3d NJ	203	unsigned long size;
6cbdfb3d NJ	204
b56e5a17 DH	205	pr_notice("Loading compiled-in X.509 certificates\n");
b56e5a17 DH	206
6cbdfb3d NJ	207	#ifdef CONFIG_MODULE_SIG
	208	p = system_certificate_list;
	209	size = system_certificate_list_size;
	210	#else
	211	p = system_certificate_list + module_cert_size;
	212	size = system_certificate_list_size - module_cert_size;
	213	#endif
	214
60050ffe	215	return x509_load_certificate_list(p, size, builtin_trusted_keys);
b56e5a17 DH	216	}
b56e5a17 DH	217	late_initcall(load_system_certificate_list);
091f6e26 DH	218
	219	#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
	220
	221	/**
2a7bf671	222	* verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
e68503bd	223	* @data: The data to be verified (NULL if expecting internal data).
091f6e26	224	* @len: Size of @data.
2a7bf671	225	* @pkcs7: The PKCS#7 message that is the signature.
d3bfe841 DH	226	* @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
d3bfe841 DH	227	* (void *)1UL for all trusted keys).
99db4435	228	* @usage: The use to which the key is being put.
e68503bd DH	229	* @view_content: Callback to gain access to content.
e68503bd DH	230	* @ctx: Context for callback.
091f6e26	231	*/
2a7bf671 TJB	232	int verify_pkcs7_message_sig(const void *data, size_t len,
	233	struct pkcs7_message *pkcs7,
	234	struct key *trusted_keys,
	235	enum key_being_used_for usage,
	236	int (view_content)(void ctx,
	237	const void *data, size_t len,
	238	size_t asn1hdrlen),
	239	void *ctx)
091f6e26	240	{
091f6e26 DH	241	int ret;
091f6e26 DH	242
091f6e26	243	/* The data should be detached - so we need to supply it. */
e68503bd	244	if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
091f6e26 DH	245	pr_err("PKCS#7 signature with non-detached data\n");
	246	ret = -EBADMSG;
	247	goto error;
	248	}
	249
99db4435	250	ret = pkcs7_verify(pkcs7, usage);
091f6e26 DH	251	if (ret < 0)
	252	goto error;
	253
d3bfe841 DH	254	if (!trusted_keys) {
d3bfe841 DH	255	trusted_keys = builtin_trusted_keys;
817aef26	256	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
d3bfe841 DH	257	#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
	258	trusted_keys = secondary_trusted_keys;
	259	#else
	260	trusted_keys = builtin_trusted_keys;
	261	#endif
278311e4 KS	262	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
	263	#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
	264	trusted_keys = platform_trusted_keys;
	265	#else
	266	trusted_keys = NULL;
	267	#endif
	268	if (!trusted_keys) {
	269	ret = -ENOKEY;
	270	pr_devel("PKCS#7 platform keyring is not available\n");
	271	goto error;
	272	}
56c58126 ES	273
	274	ret = is_key_on_revocation_list(pkcs7);
	275	if (ret != -ENOKEY) {
	276	pr_devel("PKCS#7 platform key is on revocation list\n");
	277	goto error;
	278	}
d3bfe841	279	}
bda850cd DH	280	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
	281	if (ret < 0) {
	282	if (ret == -ENOKEY)
278311e4	283	pr_devel("PKCS#7 signature not signed with a trusted key\n");
e68503bd DH	284	goto error;
	285	}
	286
	287	if (view_content) {
	288	size_t asn1hdrlen;
	289
	290	ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
	291	if (ret < 0) {
	292	if (ret == -ENODATA)
	293	pr_devel("PKCS#7 message does not contain data\n");
	294	goto error;
	295	}
	296
	297	ret = view_content(ctx, data, len, asn1hdrlen);
091f6e26 DH	298	}
	299
	300	error:
2a7bf671 TJB	301	pr_devel("<==%s() = %d\n", __func__, ret);
	302	return ret;
	303	}
	304
	305	/**
	306	* verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
	307	* @data: The data to be verified (NULL if expecting internal data).
	308	* @len: Size of @data.
	309	* @raw_pkcs7: The PKCS#7 message that is the signature.
	310	* @pkcs7_len: The size of @raw_pkcs7.
	311	* @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
	312	* (void *)1UL for all trusted keys).
	313	* @usage: The use to which the key is being put.
	314	* @view_content: Callback to gain access to content.
	315	* @ctx: Context for callback.
	316	*/
	317	int verify_pkcs7_signature(const void *data, size_t len,
	318	const void *raw_pkcs7, size_t pkcs7_len,
	319	struct key *trusted_keys,
	320	enum key_being_used_for usage,
	321	int (view_content)(void ctx,
	322	const void *data, size_t len,
	323	size_t asn1hdrlen),
	324	void *ctx)
	325	{
	326	struct pkcs7_message *pkcs7;
	327	int ret;
	328
	329	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
	330	if (IS_ERR(pkcs7))
	331	return PTR_ERR(pkcs7);
	332
	333	ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
	334	view_content, ctx);
	335
091f6e26 DH	336	pkcs7_free_message(pkcs7);
	337	pr_devel("<==%s() = %d\n", __func__, ret);
	338	return ret;
	339	}
e68503bd	340	EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
091f6e26 DH	341
091f6e26 DH	342	#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
219a3e86 KS	343
	344	#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
	345	void __init set_platform_trusted_keys(struct key *keyring)
	346	{
	347	platform_trusted_keys = keyring;
	348	}
	349	#endif