Eric Lee / smarc-ti-linux-kernel

Blame view

kernel/modsign_pubkey.c 2.57 KB
edit raw normal view history
631cc66eb   David Howells   MODSIGN: Provide ... 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 
  /* Public keys for module signature verification
   *
   * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
   * Written by David Howells (dhowells@redhat.com)
   *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public Licence
   * as published by the Free Software Foundation; either version
   * 2 of the Licence, or (at your option) any later version.
   */
  
  #include <linux/kernel.h>
  #include <linux/sched.h>
  #include <linux/cred.h>
  #include <linux/err.h>
  #include <keys/asymmetric-type.h>
  #include "module-internal.h"
  
  struct key *modsign_keyring;
  
  extern __initdata const u8 modsign_certificate_list[];
  extern __initdata const u8 modsign_certificate_list_end[];
631cc66eb   David Howells   MODSIGN: Provide ... 
23
24
25
26
27
28
29
30
31
32
33
34
35
36
 
  
  /*
   * We need to make sure ccache doesn't cache the .o file as it doesn't notice
   * if modsign.pub changes.
   */
  static __initdata const char annoy_ccache[] = __TIME__ "foo";
  
  /*
   * Load the compiled-in keys
   */
  static __init int module_verify_init(void)
  {
  	pr_notice("Initialise module verification
  ");
cfde81908   David Howells   keys: use keyring... 
37
38
39
40
41
42
 
  	modsign_keyring = keyring_alloc(".module_sign",
  					KUIDT_INIT(0), KGIDT_INIT(0),
  					current_cred(),
  					((KEY_POS_ALL & ~KEY_POS_SETATTR) |
  					 KEY_USR_VIEW | KEY_USR_READ),
  					KEY_ALLOC_NOT_IN_QUOTA, NULL);
631cc66eb   David Howells   MODSIGN: Provide ... 
43
44
45
 
  	if (IS_ERR(modsign_keyring))
  		panic("Can't allocate module signing keyring
  ");
631cc66eb   David Howells   MODSIGN: Provide ... 
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
  	return 0;
  }
  
  /*
   * Must be initialised before we try and load the keys into the keyring.
   */
  device_initcall(module_verify_init);
  
  /*
   * Load the compiled-in keys
   */
  static __init int load_module_signing_keys(void)
  {
  	key_ref_t key;
  	const u8 *p, *end;
  	size_t plen;
  
  	pr_notice("Loading module verification certificates
  ");
  
  	end = modsign_certificate_list_end;
  	p = modsign_certificate_list;
  	while (p < end) {
  		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
  		 * than 256 bytes in size.
  		 */
  		if (end - p < 4)
  			goto dodgy_cert;
  		if (p[0] != 0x30 &&
  		    p[1] != 0x82)
  			goto dodgy_cert;
  		plen = (p[2] << 8) | p[3];
  		plen += 4;
  		if (plen > end - p)
  			goto dodgy_cert;
  
  		key = key_create_or_update(make_key_ref(modsign_keyring, 1),
  					   "asymmetric",
  					   NULL,
  					   p,
  					   plen,
  					   (KEY_POS_ALL & ~KEY_POS_SETATTR) |
  					   KEY_USR_VIEW,
  					   KEY_ALLOC_NOT_IN_QUOTA);
  		if (IS_ERR(key))
  			pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)
  ",
  			       PTR_ERR(key));
  		else
  			pr_notice("MODSIGN: Loaded cert '%s'
  ",
  				  key_ref_to_ptr(key)->description);
  		p += plen;
  	}
  
  	return 0;
  
  dodgy_cert:
  	pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list
  ");
  	return 0;
  }
  late_initcall(load_module_signing_keys);