From patchwork Wed Oct 18 00:53:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thiago Jung Bauermann X-Patchwork-Id: 827399 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [103.22.144.68]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3yGvLb1J7wz9t3H for ; Wed, 18 Oct 2017 12:17:43 +1100 (AEDT) Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 3yGvLZ75BbzDsWr for ; Wed, 18 Oct 2017 12:17:42 +1100 (AEDT) X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=linux.vnet.ibm.com (client-ip=148.163.158.5; helo=mx0a-001b2d01.pphosted.com; envelope-from=bauerman@linux.vnet.ibm.com; receiver=) Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 3yGtrZ69DpzDrJj for ; Wed, 18 Oct 2017 11:55:10 +1100 (AEDT) Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id v9I0rVpE087152 for ; Tue, 17 Oct 2017 20:55:08 -0400 Received: from e11.ny.us.ibm.com (e11.ny.us.ibm.com [129.33.205.201]) by mx0a-001b2d01.pphosted.com with ESMTP id 2dnssnxkj5-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 17 Oct 2017 20:55:08 -0400 Received: from localhost by e11.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 17 Oct 2017 20:55:07 -0400 Received: from b01cxnp22035.gho.pok.ibm.com (9.57.198.25) by e11.ny.us.ibm.com (146.89.104.198) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 17 Oct 2017 20:55:03 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp22035.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id v9I0t2NF50266352; Wed, 18 Oct 2017 00:55:02 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 74D12112057; Tue, 17 Oct 2017 20:54:35 -0400 (EDT) Received: from morokweng.ibm.com (unknown [9.85.160.64]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP id E4D31112040; Tue, 17 Oct 2017 20:54:31 -0400 (EDT) From: Thiago Jung Bauermann To: linux-integrity@vger.kernel.org Subject: [PATCH v5 14/18] integrity: Introduce integrity_keyring_from_id Date: Tue, 17 Oct 2017 22:53:27 -0200 X-Mailer: git-send-email 2.14.2 In-Reply-To: <20171018005331.2688-1-bauerman@linux.vnet.ibm.com> References: <20171018005331.2688-1-bauerman@linux.vnet.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 17101800-2213-0000-0000-0000022D4FE1 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00007909; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000237; SDB=6.00932661; UDB=6.00469692; IPR=6.00712951; BA=6.00005643; NDR=6.00000001; ZLA=6.00000005; ZF=6.00000009; ZB=6.00000000; ZP=6.00000000; ZH=6.00000000; ZU=6.00000002; MB=3.00017583; XFM=3.00000015; UTC=2017-10-18 00:55:07 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17101800-2214-0000-0000-000057E379B4 Message-Id: <20171018005331.2688-15-bauerman@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-17_15:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710180012 X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.24 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jessica Yu , linuxppc-dev@lists.ozlabs.org, Rusty Russell , linux-kernel@vger.kernel.org, "David S. Miller" , David Howells , "AKASHI, Takahiro" , linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, James Morris , Dmitry Kasatkin , Thiago Jung Bauermann , Herbert Xu , Mimi Zohar , David Woodhouse , "Serge E. Hallyn" Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files. Signed-off-by: Thiago Jung Bauermann --- security/integrity/digsig.c | 28 +++++++++++++++++++--------- security/integrity/integrity.h | 1 + 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 6f9e4ce568cd..935f1b3258e7 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -48,11 +48,10 @@ static bool init_keyring __initdata; #define restrict_link_to_ima restrict_link_by_builtin_trusted #endif -int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, - const char *digest, int digestlen) +struct key *integrity_keyring_from_id(const unsigned int id) { - if (id >= INTEGRITY_KEYRING_MAX || siglen < 2) - return -EINVAL; + if (id >= INTEGRITY_KEYRING_MAX) + return ERR_PTR(-EINVAL); if (!keyring[id]) { keyring[id] = @@ -61,18 +60,29 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int err = PTR_ERR(keyring[id]); pr_err("no %s keyring: %d\n", keyring_name[id], err); keyring[id] = NULL; - return err; + return ERR_PTR(err); } } + return keyring[id]; +} + +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, + const char *digest, int digestlen) +{ + struct key *keyring = integrity_keyring_from_id(id); + + if (IS_ERR(keyring) || siglen < 2) + return PTR_ERR(keyring); + switch (sig[1]) { case 1: /* v1 API expect signature without xattr type */ - return digsig_verify(keyring[id], sig + 1, siglen - 1, - digest, digestlen); + return digsig_verify(keyring, sig + 1, siglen - 1, digest, + digestlen); case 2: - return asymmetric_verify(keyring[id], sig, siglen, - digest, digestlen); + return asymmetric_verify(keyring, sig, siglen, digest, + digestlen); } return -EOPNOTSUPP; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index dd7ac4bfc89a..657ce4558984 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -132,6 +132,7 @@ int integrity_kernel_read(struct file *file, loff_t offset, #ifdef CONFIG_INTEGRITY_SIGNATURE +struct key *integrity_keyring_from_id(const unsigned int id); int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen);