From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi", Josh Boyer, James Bottomley
Subject: [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module
Date: Tue, 13 Mar 2018 18:38:02 +0800
Message-Id: <20180313103803.13388-5-jlee@suse.com>
In-Reply-To: <20180313103803.13388-1-jlee@suse.com>
References: <20180313103803.13388-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds the logic for checking the kernel module's hash based on the blacklist. The hash must be generated by sha256 and enrolled in dbx/mokx. For example:

    sha256sum sample.ko
    mokutil --mokx --import-hash $HASH_RESULT

Whether or not the signature on the .ko file is stripped, the hash can be compared by the kernel.

Cc: David Howells
Cc: Josh Boyer
Cc: James Bottomley
Signed-off-by: "Lee, Chun-Yi"
---
 kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 60 insertions(+), 2 deletions(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index d3d6f95..d30ac74 100644
--- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -11,9 +11,12 @@ #include #include +#include #include #include #include +#include +#include #include "module-internal.h" enum pkey_id_type { @@ -42,19 +45,67 @@ struct module_signature { __be32 sig_len; /* Length of signature data */ }; +static int mod_is_hash_blacklisted(const void *mod, size_t verifylen) +{ + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + u8 *digest; + int ret = 0; + + tfm = crypto_alloc_shash("sha256", 0, 0); + if (IS_ERR(tfm)) + goto error_return; + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) { + pr_err("digest memory buffer allocate fail\n"); + ret = -ENOMEM; + goto error_digest; + } + desc = (void *)digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; + + ret = crypto_shash_finup(desc, mod, verifylen, digest); + if (ret < 0) + goto error_shash; + + pr_debug("%ld digest: %*phN\n", verifylen, (int) digest_size, digest); + + ret = is_hash_blacklisted(digest, digest_size, "bin"); + if (ret == -EKEYREJECTED) + pr_err("Module hash %*phN is blacklisted\n", + (int) digest_size, digest); + +error_shash: + kfree(digest); +error_digest: + crypto_free_shash(tfm); +error_return: + return ret; +} + /* * Verify the signature on a module. */ int mod_verify_sig(const void *mod, unsigned long *_modlen) { struct module_signature ms; - size_t modlen = *_modlen, sig_len; + size_t modlen = *_modlen, sig_len, wholelen; + int ret; pr_devel("==>%s(,%zu)\n", __func__, modlen); if (modlen <= sizeof(ms)) return -EBADMSG; + wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1; memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); modlen -= sizeof(ms); 
@@ -80,7 +131,14 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) return -EBADMSG; } - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, (void *)1UL, VERIFYING_MODULE_SIGNATURE, NULL, NULL); + pr_devel("verify_pkcs7_signature() = %d\n", ret); + + /* checking hash of module is in blacklist */ + if (!ret) + ret = mod_is_hash_blacklisted(mod, wholelen); + + return ret; } -- 2.10.2
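Review bot: in the mod_is_hash_blacklisted() hunk, the `if (IS_ERR(tfm)) goto error_return;` path leaves ret at its initial 0, so when crypto_alloc_shash("sha256", 0, 0) fails the function reports "not blacklisted" and mod_verify_sig() returns 0 as if the check had passed; a missing hash algorithm silently bypasses the blacklist. Set `ret = PTR_ERR(tfm);` before the goto so that failure is a hard error. Two smaller points in the same hunk: `pr_debug("%ld digest: %*phN\n", verifylen, ...)` prints a size_t with %ld and should use %zu, and carving the shash_desc out of the tail of the digest buffer by hand (`desc = (void *)digest + digest_size;`) is easy to get wrong; SHASH_DESC_ON_STACK(desc, tfm) plus a separate crypto_shash_digestsize(tfm)-byte digest buffer expresses the same thing. Finally, `wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1;` is computed before `modlen -= sizeof(ms)`, so the hashed region is the module data plus the signature struct, the signature bytes and the marker string, i.e. the complete signed file; that deserves a comment next to the assignment because the commit message reads as if the digest were independent of the signature.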
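Review bot: the blacklist lookup in the last hunk is gated on `if (!ret)`, so the digest is only computed for a module whose PKCS#7 signature has already verified; a module whose signature fails, or one with no appended signature at all (only mod_verify_sig() is touched here), never reaches mod_is_hash_blacklisted(). That does not match the commit message's "whether the signature on ko file is stripped or not". If the intent is to refuse a blacklisted module regardless of signature state, the hash check has to run before, or independently of, verify_pkcs7_signature() and from the caller's unsigned path as well, with -EKEYREJECTED taking precedence over whatever the signature check returned. It is also worth documenting, since `wholelen` includes the signature and trailer, that an administrator must enrol the sha256 of the exact signed .ko: a re-signed copy of the same code produces a different digest and needs its own blacklist entry.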
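As an added example that is not part of this patch or the kernel tree: the script below takes a signed .ko apart the way mod_verify_sig() does (payload, PKCS#7 signature, 12-byte `struct module_signature`, then MODULE_SIG_STRING) and prints two digests, the sha256 of the payload alone, which is what the signature covers, and the sha256 of the whole file, which is the `wholelen` region this patch feeds to mod_is_hash_blacklisted() and the value `sha256sum sample.ko` reports for the signed file. It builds a constructed fake module with made-up payload and signature bytes so it runs offline; the helper names (`payload_sha256`, `whole_sha256`, `mod_sig_len`, `has_sig_marker`) are this example's own, not kernel or mokutil interfaces, and the module_signature field values are assumptions for the demo (id_type 2 for PKCS#7, every other field zero, a 20-byte signature).

```shell
#!/bin/sh
# Added example, not part of the patch or the kernel tree. Slices a signed .ko
# the way mod_verify_sig() does and reports which bytes each digest covers.
#
# Trailer layout of a signed module (struct module_signature from the patch):
#   [ payload ][ PKCS#7 sig: sig_len bytes ][ 12-byte module_signature ][ "~Module signature appended~\n" ]
# The patch hashes wholelen bytes, i.e. everything through the marker: the
# complete signed file, which is also what `sha256sum sample.ko` digests.

MARKER='~Module signature appended~'   # MODULE_SIG_STRING minus its trailing newline
MARKER_LEN=28                           # sizeof(MODULE_SIG_STRING) - 1, newline included
SIGSTRUCT_LEN=12                        # sizeof(struct module_signature)

file_size() { wc -c < "$1" | tr -d ' '; }

# Hex sha256 of bytes [offset, offset+len) of file $1.
sha256_range() {
    tail -c +"$(( $2 + 1 ))" "$1" | head -c "$3" | sha256sum | cut -d' ' -f1
}

# True when the file ends with MODULE_SIG_STRING, the kernel's "has a signature" test.
has_sig_marker() {
    [ "$(tail -c "$MARKER_LEN" "$1" | head -c "$(( MARKER_LEN - 1 ))")" = "$MARKER" ]
}

# sig_len is a big-endian u32 in the last 4 bytes of module_signature, which
# sits immediately before the marker.
mod_sig_len() {
    off=$(( $(file_size "$1") - MARKER_LEN - 4 ))
    tail -c +"$(( off + 1 ))" "$1" | head -c 4 | od -An -tu1 |
        awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# Digest of the payload alone: the bytes the PKCS#7 signature actually covers.
# Fails (returns 1) for a file that carries no signature trailer.
payload_sha256() {
    has_sig_marker "$1" || return 1
    modlen=$(( $(file_size "$1") - MARKER_LEN - SIGSTRUCT_LEN - $(mod_sig_len "$1") ))
    sha256_range "$1" 0 "$modlen"
}

# Digest of wholelen bytes: the complete signed file, which is what this patch
# passes to mod_is_hash_blacklisted().
whole_sha256() {
    sha256_range "$1" 0 "$(file_size "$1")"
}

# Build a constructed fake "signed module": payload and signature bytes are made
# up; only the trailer layout follows the kernel's. Field values are assumptions
# for the demo: id_type = 2 (PKEY_ID_PKCS7), all other fields 0, sig_len = 20.
make_fake_signed_module() {
    printf 'ELF-like payload bytes of a constructed module\n' > "$1"
    printf 'FAKE-PKCS7-SIGNATURE' >> "$1"                                  # 20 "signature" bytes
    printf '\000\000\002\000\000\000\000\000\000\000\000\024' >> "$1"      # module_signature, sig_len = 20
    printf '%s\n' "$MARKER" >> "$1"
}

tmp=$(mktemp)
make_fake_signed_module "$tmp"
if has_sig_marker "$tmp"; then
    echo "payload sha256    (covered by the signature):       $(payload_sha256 "$tmp")"
    echo "whole-file sha256 (hashed by this patch, wholelen): $(whole_sha256 "$tmp")"
fi
rm -f "$tmp"
```

Enrolling the first digest with `mokutil --mokx --import-hash` would never match what this patch computes; the second one matches, but only for that exact signed file.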