Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 54b2b50c20
Branches Tags
linux-vybrid_pu...
/
security
/
integrity
/
digsig.c

digsig.c 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. /*
    2. 

  2.  * Copyright (C) 2011 Intel Corporation
    3. 

  3.  *
    4. 

  4.  * Author:
    5. 

  5.  * Dmitry Kasatkin <dmitry.kasatkin@intel.com>
    6. 

  6.  *
    7. 

  7.  * This program is free software; you can redistribute it and/or modify
    8. 

  8.  * it under the terms of the GNU General Public License as published by
    9. 

  9.  * the Free Software Foundation, version 2 of the License.
    10. 

  10.  *
    11. 

  11.  */
    12. 

  12. 

  13. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
    14. 

  14. 

  15. #include <linux/err.h>
    16. 

  16. #include <linux/sched.h>
    17. 

  17. #include <linux/rbtree.h>
    18. 

  18. #include <linux/cred.h>
    19. 

  19. #include <linux/key-type.h>
    20. 

  20. #include <linux/digsig.h>
    21. 

  21. 

  22. #include "integrity.h"
    23. 

  23. 

  24. static struct key *keyring[INTEGRITY_KEYRING_MAX];
    25. 

  25. 

  26. #ifdef CONFIG_IMA_TRUSTED_KEYRING
    27. 

  27. static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
    28. 

  28. 	".evm",
    29. 

  29. 	".module",
    30. 

  30. 	".ima",
    31. 

  31. };
    32. 

  32. #else
    33. 

  33. static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
    34. 

  34. 	"_evm",
    35. 

  35. 	"_module",
    36. 

  36. 	"_ima",
    37. 

  37. };
    38. 

  38. #endif
    39. 

  39. 

  40. int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
    41. 

  41. 			    const char *digest, int digestlen)
    42. 

  42. {
    43. 

  43. 	if (id >= INTEGRITY_KEYRING_MAX)
    44. 

  44. 		return -EINVAL;
    45. 

  45. 

  46. 	if (!keyring[id]) {
    47. 

  47. 		keyring[id] =
    48. 

  48. 		    request_key(&key_type_keyring, keyring_name[id], NULL);
    49. 

  49. 		if (IS_ERR(keyring[id])) {
    50. 

  50. 			int err = PTR_ERR(keyring[id]);
    51. 

  51. 			pr_err("no %s keyring: %d\n", keyring_name[id], err);
    52. 

  52. 			keyring[id] = NULL;
    53. 

  53. 			return err;
    54. 

  54. 		}
    55. 

  55. 	}
    56. 

  56. 

  57. 	switch (sig[1]) {
    58. 

  58. 	case 1:
    59. 

  59. 		/* v1 API expect signature without xattr type */
    60. 

  60. 		return digsig_verify(keyring[id], sig + 1, siglen - 1,
    61. 

  61. 				     digest, digestlen);
    62. 

  62. 	case 2:
    63. 

  63. 		return asymmetric_verify(keyring[id], sig, siglen,
    64. 

  64. 					 digest, digestlen);
    65. 

  65. 	}
    66. 

  66. 

  67. 	return -EOPNOTSUPP;
    68. 

  68. }
    69. 

  69. 

  70. int integrity_init_keyring(const unsigned int id)
    71. 

  71. {
    72. 

  72. 	const struct cred *cred = current_cred();
    73. 

  73. 	const struct user_struct *user = cred->user;
    74. 

  74. 

  75. 	keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
    76. 

  76. 				    KGIDT_INIT(0), cred,
    77. 

  77. 				    ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
    78. 

  78. 				     KEY_USR_VIEW | KEY_USR_READ),
    79. 

  79. 				    KEY_ALLOC_NOT_IN_QUOTA, user->uid_keyring);
    80. 

  80. 	if (!IS_ERR(keyring[id]))
    81. 

  81. 		set_bit(KEY_FLAG_TRUSTED_ONLY, &keyring[id]->flags);
    82. 

  82. 	else
    83. 

  83. 		pr_info("Can't allocate %s keyring (%ld)\n",
    84. 

  84. 			keyring_name[id], PTR_ERR(keyring[id]));
    85. 

  85. 	return 0;
    86. 

  86. }
    87.