From f630ce576114bfede02d8a0bafa97e4d6f978a74 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 17/20] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
and if the module's certificate is found, it will refuse to load. This is
useful in cases where third party certificates are used for module signing.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
certs/system_keyring.c | 27 +++++++++++++++++++++++++++
include/keys/system_keyring.h | 4 ++++
init/Kconfig | 9 +++++++++
3 files changed, 40 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 2570598b784d..53733822993f 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -20,6 +20,9 @@
struct key *system_trusted_keyring;
EXPORT_SYMBOL_GPL(system_trusted_keyring);
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+struct key *system_blacklist_keyring;
+#endif
extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void)
panic("Can't allocate system trusted keyring\n");
set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags);
+
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA, NULL);
+ if (IS_ERR(system_blacklist_keyring))
+ panic("Can't allocate system blacklist keyring\n");
+
+ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags);
+#endif
+
return 0;
}
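Review bot: The `set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags)` line needs a comment, because "trusted only" on a deny list reads as a contradiction. Presumably the intent is that only additions which pass the kernel's trust check may be linked in, so userspace cannot grow the blacklist and block legitimately signed modules; if so, state it, e.g. `/* Restrict additions to trusted sources: userspace must not be able to populate the deny list. */`. Nothing in this patch adds a key to the new keyring, so it is worth confirming that a populating path exists and that it satisfies this flag, otherwise the keyring stays empty and the check never matches. system_trusted_keyring_init() begins above the hunk.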
@@ -138,6 +155,16 @@ int system_verify_data(const void *data, unsigned long len,
if (ret < 0)
goto error;
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ ret = pkcs7_validate_trust(pkcs7, system_blacklist_keyring, &trusted);
+ if (!ret) {
+ /* module is signed with a cert in the blacklist. reject */
+ pr_err("Module key is in the blacklist\n");
+ ret = -EKEYREJECTED;
+ goto error;
+ }
+#endif
+
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
if (ret < 0)
goto error;
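Review bot: The blacklist lookup fails open: `if (!ret)` rejects only on a clean match, so any other result from `pkcs7_validate_trust()` against `system_blacklist_keyring` is discarded and verification continues to the trusted keyring. A deny-list check should let only the "no matching key" result through, for example by adding `else if (ret != -ENOKEY) goto error;` after the reject branch; this assumes -ENOKEY is what the helper returns when nothing matches, which should be confirmed against its definition outside this patch. Separately, `pr_err("Module key is in the blacklist\n")` is misleading for log triage, since system_verify_data() takes a `usage` argument and is not module-specific; a neutral message that names the rejected signing key would be more useful. The function body starts and ends outside the hunk.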
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index b20cd885c1fd..51d8ddc60e0f 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -35,4 +35,8 @@ extern int system_verify_data(const void *data, unsigned long len,
enum key_being_used_for usage);
#endif
+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern struct key *system_blacklist_keyring;
+#endif
+
#endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/init/Kconfig b/init/Kconfig
index 02da9f1fd9df..782d26f02885 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1783,6 +1783,15 @@ config SYSTEM_DATA_VERIFICATION
module verification, kexec image verification and firmware blob
verification.
+config SYSTEM_BLACKLIST_KEYRING
+ bool "Provide system-wide ring of blacklisted keys"
+ depends on KEYS
+ help
+ Provide a system keyring to which blacklisted keys can be added.
+ Keys in the keyring are considered entirely untrusted. Keys in this
+ keyring are used by the module signature checking to reject loading
+ of modules signed with a blacklisted key.
+
config PROFILING
bool "Profiling support"
help
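Review bot: `depends on KEYS` looks too weak for SYSTEM_BLACKLIST_KEYRING. The keyring is allocated in system_trusted_keyring_init() and consulted in system_verify_data(), both in certs/system_keyring.c, so if that file is built only when the system trusted keyring is enabled (its build rule is not part of this patch), the option can be set to y and silently enforce nothing. Consider `depends on SYSTEM_TRUSTED_KEYRING`, plus SYSTEM_DATA_VERIFICATION if the check must be active, so that an enabled blacklist always means an enforced one. The help text also limits the effect to "module signature checking", while the neighbouring SYSTEM_DATA_VERIFICATION entry describes the verification path as also covering kexec images and firmware blobs; the help text should say which of these the blacklist applies to.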
--
2.4.3