// SPDX-License-Identifier: GPL-2.0-or-later
/* Module signature checker
 *
 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/module.h>
#include <linux/module_signature.h>
#include <linux/string.h>
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to
__key_link() so that we use the contents of the keyring being linked in to
to determine whether the key being linked in is trusted or not.
What is 'trusted' then becomes a matter of what's in the keyring.
Currently, the test is done when the key is parsed, but given that at that
point we can only sensibly refer to the contents of the system trusted
keyring, we can only use that as the basis for working out the
trustworthiness of a new key.
With this change, a trusted keyring is a set of keys that once the
trusted-only flag is set cannot be added to except by verification through
one of the contained keys.
Further, adding a key into a trusted keyring, whilst it might grant
trustworthiness in the context of that keyring, does not automatically
grant trustworthiness in the context of a second keyring to which it could
be secondarily linked.
To accomplish this, the authentication data associated with the key source
must now be retained. For an X.509 cert, this means the contents of the
AuthorityKeyIdentifier and the signature data.
If system keyrings are disabled then restrict_link_by_builtin_trusted()
resolves to restrict_link_reject(). The integrity digital signature code
still works correctly with this as it was previously using
KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there
is no system keyring against which trust can be determined.
Signed-off-by: David Howells <dhowells@redhat.com>
2016-04-06 15:14:26 +00:00
#include <linux/verification.h>
#include <linux/security.h>
#include <crypto/public_key.h>
#include <uapi/linux/module.h>
#include "internal.h"
/*
 * Parameters declared below are registered under the "module." prefix, so
 * the flag defined here is addressed as module.sig_enforce.
 */
#undef MODULE_PARAM_PREFIX
#define MODULE_PARAM_PREFIX "module."

/*
 * When true, module_sig_check() refuses modules that are unsigned or whose
 * signature cannot be checked.  The initial value comes from the build-time
 * CONFIG_MODULE_SIG_FORCE option.
 *
 * NOTE(review): the bool_enable_only parameter type suggests the flag can be
 * switched on through the parameter but not switched back off -- confirm
 * against the parameter-ops definition.  The 0644 mode is the permission
 * requested for the parameter's file: owner read/write, everyone else read.
 */
static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
module_param(sig_enforce, bool_enable_only, 0644);
/**
 * is_module_sig_enforced - report whether signature enforcement is active
 *
 * Lets other subsystems query the effective sig_enforce setting rather than
 * testing CONFIG_MODULE_SIG_FORCE directly.  The two can differ: the flag
 * starts from the config option but is also set by the module.sig_enforce
 * parameter and by set_module_sig_enforced().
 *
 * Return: the current value of sig_enforce.
 */
bool is_module_sig_enforced(void)
{
	return sig_enforce;
}
EXPORT_SYMBOL(is_module_sig_enforced);
/**
 * set_module_sig_enforced - switch module signature enforcement on
 *
 * Sets sig_enforce to true unconditionally.  This file offers no counterpart
 * that clears the flag, and the function is not passed to EXPORT_SYMBOL()
 * here.
 */
void set_module_sig_enforced(void)
{
	sig_enforce = true;
}
/**
 * mod_verify_sig - verify the signature appended to a module image
 * @mod: start of the module image
 * @info: load state; @info->len is the image length on entry
 *        (module_sig_check() subtracts the marker string before calling)
 *
 * The final sizeof(struct module_signature) bytes of the image are read as a
 * trailer; its sig_len field gives the size of the signature blob that sits
 * directly in front of it.  Everything before that blob is the signed
 * payload.
 *
 * @info->len is rewritten to the payload length before the cryptographic
 * check runs, so it stays shortened even when verification fails.
 *
 * Return: -EBADMSG if the image is not longer than the trailer, the error
 * from mod_check_sig() if the trailer is rejected, otherwise whatever
 * verify_pkcs7_signature() returns.
 */
int mod_verify_sig(const void *mod, struct load_info *info)
{
	struct module_signature trailer;
	size_t modlen = info->len;
	size_t sig_len;
	int err;

	pr_devel("==>%s(,%zu)\n", __func__, modlen);

	/* The image must be strictly larger than the trailer alone. */
	if (modlen <= sizeof(trailer))
		return -EBADMSG;

	/* Work on a local copy of the trailer taken from the image's tail. */
	memcpy(&trailer, mod + (modlen - sizeof(trailer)), sizeof(trailer));

	/*
	 * Validate the trailer fields before trusting any of them.  The
	 * generic name "module" is used in messages: per the change
	 * "module: harden ELF info handling" recorded in this file's history,
	 * the signature check runs before ELF setup, so the module's own name
	 * is not available at this point.
	 */
	err = mod_check_sig(&trailer, modlen, "module");
	if (err != 0)
		return err;

	/*
	 * NOTE(review): this size_t subtraction relies on mod_check_sig()
	 * having rejected any sig_len that does not fit inside modlen; it
	 * would wrap otherwise -- confirm in mod_check_sig().
	 */
	sig_len = be32_to_cpu(trailer.sig_len);
	modlen = modlen - (sig_len + sizeof(trailer));
	info->len = modlen;

	/*
	 * Payload is mod[0..modlen), signature blob is the sig_len bytes that
	 * follow it.  NOTE(review): VERIFY_USE_SECONDARY_KEYRING selects the
	 * set of trusted keys; confirm which keys that admits on the target
	 * configuration.
	 */
	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
				      VERIFY_USE_SECONDARY_KEYRING,
				      VERIFYING_MODULE_SIGNATURE,
				      NULL, NULL);
}
/**
 * module_sig_check - decide whether a module may load, given its signature
 * @info: load state; @info->hdr and @info->len describe the image,
 *        @info->sig_ok is set to true when verification succeeds
 * @flags: load flags; tested for MODULE_INIT_IGNORE_MODVERSIONS and
 *         MODULE_INIT_IGNORE_VERMAGIC
 *
 * A module loaded with either of those flags is never verified and is
 * handled as unsigned, even if a signature is attached.
 *
 * Return: 0 when the signature verified; the error from mod_verify_sig()
 * for any failure other than -ENODATA, -ENOPKG or -ENOKEY; for those three,
 * -EKEYREJECTED when enforcement is on, otherwise the result of
 * security_locked_down(LOCKDOWN_MODULE_SIGNATURE).
 */
int module_sig_check(struct load_info *info, int flags)
{
	const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
	const void *mod = info->hdr;
	const char *reason;
	int err = -ENODATA;
	bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
				       MODULE_INIT_IGNORE_VERMAGIC);
	bool has_marker;

	/*
	 * Do not allow mangled modules: a module with its version information
	 * removed is no longer the module that was signed.  The length test
	 * comes before memcmp() so the tail is only read when the image is
	 * longer than the marker string.
	 */
	has_marker = !mangled_module &&
		     info->len > markerlen &&
		     memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0;

	if (has_marker) {
		/*
		 * Truncate the module to discard the marker.  info->len stays
		 * shortened on every path below, including the non-fatal ones.
		 */
		info->len -= markerlen;
		err = mod_verify_sig(mod, info);
		if (err == 0) {
			info->sig_ok = true;
			return 0;
		}
	}

	/*
	 * Modules without a valid signature are not permitted into trusted
	 * kernels, but when enforcement is off certain errors are non-fatal.
	 */
	if (err == -ENODATA) {
		reason = "unsigned module";
	} else if (err == -ENOPKG) {
		reason = "module with unsupported crypto";
	} else if (err == -ENOKEY) {
		reason = "module with unavailable key";
	} else {
		/*
		 * All other errors are fatal, including lack of memory,
		 * unparseable signatures, and signature check failures --
		 * even if signatures aren't required.
		 */
		return err;
	}

	/*
	 * Not enforcing: the lockdown hook's return value is the result.
	 * NOTE(review): presumably 0 unless lockdown forbids loading such a
	 * module -- confirm.  info->sig_ok is not set on this path.
	 */
	if (!is_module_sig_enforced())
		return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);

	pr_notice("Loading of %s is rejected\n", reason);
	return -EKEYREJECTED;
}