2016-10-27 14:49:53 +00:00
|
|
|
From 2a54526850121cd0d7cf649a321488b4dab5731d Mon Sep 17 00:00:00 2001
|
2014-08-20 17:22:24 +00:00
|
|
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
|
|
|
Date: Fri, 26 Oct 2012 12:36:24 -0400
|
2016-10-27 14:49:53 +00:00
|
|
|
Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
|
2014-08-20 17:22:24 +00:00
|
|
|
|
|
|
|
|
This adds an additional keyring that is used to store certificates that
|
|
|
|
|
are blacklisted. This keyring is searched first when loading signed modules
|
|
|
|
|
and if the module's certificate is found, it will refuse to load. This is
|
|
|
|
|
useful in cases where third party certificates are used for module signing.
|
|
|
|
|
|
|
|
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
|
|
|
---
|
2016-05-25 15:13:52 +00:00
|
|
|
certs/system_keyring.c | 22 ++++++++++++++++++++++
|
2014-08-20 17:22:24 +00:00
|
|
|
include/keys/system_keyring.h | 4 ++++
|
|
|
|
|
init/Kconfig | 9 +++++++++
|
2016-05-25 15:13:52 +00:00
|
|
|
3 files changed, 35 insertions(+)
|
2014-08-20 17:22:24 +00:00
|
|
|
|
2015-09-09 15:10:06 +00:00
|
|
|
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
|
2016-05-25 15:13:52 +00:00
|
|
|
index 50979d6dcecd..787eeead2f57 100644
|
2015-09-09 15:10:06 +00:00
|
|
|
--- a/certs/system_keyring.c
|
|
|
|
|
+++ b/certs/system_keyring.c
|
2016-05-25 15:13:52 +00:00
|
|
|
@@ -22,6 +22,9 @@ static struct key *builtin_trusted_keys;
|
|
|
|
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
|
|
|
|
static struct key *secondary_trusted_keys;
|
|
|
|
|
#endif
|
2014-08-20 17:22:24 +00:00
|
|
|
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
|
|
|
|
+struct key *system_blacklist_keyring;
|
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
|
|
extern __initconst const u8 system_certificate_list[];
|
|
|
|
|
extern __initconst const unsigned long system_certificate_list_size;
|
2016-05-25 15:13:52 +00:00
|
|
|
@@ -99,6 +102,16 @@ static __init int system_trusted_keyring_init(void)
|
|
|
|
|
if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0)
|
|
|
|
|
panic("Can't link trusted keyrings\n");
|
|
|
|
|
#endif
|
|
|
|
|
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
2014-08-20 17:22:24 +00:00
|
|
|
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
|
2016-05-25 15:13:52 +00:00
|
|
|
+ KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),
|
|
|
|
|
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
|
|
|
|
+ KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),
|
|
|
|
|
+ KEY_ALLOC_NOT_IN_QUOTA,
|
|
|
|
|
+ NULL, NULL);
|
2014-08-20 17:22:24 +00:00
|
|
|
+ if (IS_ERR(system_blacklist_keyring))
|
|
|
|
|
+ panic("Can't allocate system blacklist keyring\n");
|
|
|
|
|
+#endif
|
2016-05-25 15:13:52 +00:00
|
|
|
|
2014-08-20 17:22:24 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2016-05-25 15:13:52 +00:00
|
|
|
@@ -214,6 +227,15 @@ int verify_pkcs7_signature(const void *data, size_t len,
|
|
|
|
|
trusted_keys = builtin_trusted_keys;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
2015-09-09 15:10:06 +00:00
|
|
|
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
2016-05-25 15:13:52 +00:00
|
|
|
+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring);
|
2015-09-09 15:10:06 +00:00
|
|
|
+ if (!ret) {
|
|
|
|
|
+ /* module is signed with a cert in the blacklist. reject */
|
|
|
|
|
+ pr_err("Module key is in the blacklist\n");
|
|
|
|
|
+ ret = -EKEYREJECTED;
|
|
|
|
|
+ goto error;
|
|
|
|
|
+ }
|
|
|
|
|
+#endif
|
2016-05-25 15:13:52 +00:00
|
|
|
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
if (ret == -ENOKEY)
|
2015-09-09 15:10:06 +00:00
|
|
|
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
|
2016-05-25 15:13:52 +00:00
|
|
|
index fbd4647767e9..5bc291a3d261 100644
|
2015-09-09 15:10:06 +00:00
|
|
|
--- a/include/keys/system_keyring.h
|
|
|
|
|
+++ b/include/keys/system_keyring.h
|
2016-05-25 15:13:52 +00:00
|
|
|
@@ -33,6 +33,10 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
|
|
|
|
|
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
|
2015-09-09 15:10:06 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
|
|
|
|
+extern struct key *system_blacklist_keyring;
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
2016-05-25 15:13:52 +00:00
|
|
|
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
2016-01-18 21:41:06 +00:00
|
|
|
extern struct key *ima_blacklist_keyring;
|
2016-05-25 15:13:52 +00:00
|
|
|
|
2015-09-09 15:10:06 +00:00
|
|
|
diff --git a/init/Kconfig b/init/Kconfig
|
2016-10-27 14:49:53 +00:00
|
|
|
index 34407f15e6d3..461ad575a608 100644
|
2015-09-09 15:10:06 +00:00
|
|
|
--- a/init/Kconfig
|
|
|
|
|
+++ b/init/Kconfig
|
2016-10-27 14:49:53 +00:00
|
|
|
@@ -1859,6 +1859,15 @@ config SYSTEM_DATA_VERIFICATION
|
2015-09-09 15:10:06 +00:00
|
|
|
module verification, kexec image verification and firmware blob
|
|
|
|
|
verification.
|
|
|
|
|
|
|
|
|
|
+config SYSTEM_BLACKLIST_KEYRING
|
|
|
|
|
+ bool "Provide system-wide ring of blacklisted keys"
|
|
|
|
|
+ depends on KEYS
|
|
|
|
|
+ help
|
|
|
|
|
+ Provide a system keyring to which blacklisted keys can be added.
|
|
|
|
|
+ Keys in the keyring are considered entirely untrusted. Keys in this
|
|
|
|
|
+ keyring are used by the module signature checking to reject loading
|
|
|
|
|
+ of modules signed with a blacklisted key.
|
|
|
|
|
+
|
|
|
|
|
config PROFILING
|
|
|
|
|
bool "Profiling support"
|
|
|
|
|
help
|
|
|
|
|
--
|
2016-10-27 14:49:53 +00:00
|
|
|
2.9.3
|
2015-09-09 15:10:06 +00:00
|
|
|
|
