From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi", Josh Boyer
Subject: [PATCH 4/4] MODSIGN: checking the blacklisted hash before loading a kernel module
Date: Wed, 29 Nov 2017 22:11:39 +0800
Message-Id: <20171129141139.20088-5-jlee@suse.com>
In-Reply-To: <20171129141139.20088-1-jlee@suse.com>
References: <20171129141139.20088-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds the logic for checking the kernel module's hash based on a blacklist. The hash must be generated by sha256 and enrolled in dbx/mokx. For example:

  sha256sum sample.ko
  mokutil --mokx --import-hash $HASH_RESULT

Whether or not the signature on the .ko file is stripped, the hash can be compared by the kernel.

Cc: David Howells
Cc: Josh Boyer
Signed-off-by: "Lee, Chun-Yi"
---
 kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 60 insertions(+), 2 deletions(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index d3d6f95..d30ac74 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -11,9 +11,12 @@ #include #include +#include #include #include #include +#include +#include #include "module-internal.h" enum pkey_id_type { @@ -42,19 +45,67 @@ struct module_signature { __be32 sig_len; /* Length of signature data */ }; +static int mod_is_hash_blacklisted(const void *mod, size_t verifylen) +{ + struct crypto_shash *tfm; + struct shash_desc *desc; + size_t digest_size, desc_size; + u8 *digest; + int ret = 0; + + tfm = crypto_alloc_shash("sha256", 0, 0); + if (IS_ERR(tfm)) + goto error_return; + + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); + digest_size = crypto_shash_digestsize(tfm); + digest = kzalloc(digest_size + desc_size, GFP_KERNEL); + if (!digest) { + pr_err("digest memory buffer allocate fail\n"); + ret = -ENOMEM; + goto error_digest; + } + desc = (void *)digest + digest_size; + desc->tfm = tfm; + desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; + ret = crypto_shash_init(desc); + if (ret < 0) + goto error_shash; + + ret = crypto_shash_finup(desc, mod, verifylen, digest); + if (ret < 0) + goto error_shash; + + pr_debug("%ld digest: %*phN\n", verifylen, (int) digest_size, digest); + + ret = is_hash_blacklisted(digest, digest_size, "bin"); + if (ret == -EKEYREJECTED) + pr_err("Module hash %*phN is blacklisted\n", + (int) digest_size, digest); + +error_shash: + kfree(digest); +error_digest: + crypto_free_shash(tfm); +error_return: + return ret; +} + /* * Verify the signature on a module. */ int mod_verify_sig(const void *mod, unsigned long *_modlen) { struct module_signature ms; - size_t modlen = *_modlen, sig_len; + size_t modlen = *_modlen, sig_len, wholelen; + int ret; pr_devel("==>%s(,%zu)\n", __func__, modlen); if (modlen <= sizeof(ms)) return -EBADMSG; + wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1; memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); modlen -= sizeof(ms); 
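Review bot: in mod_is_hash_blacklisted(), the `if (IS_ERR(tfm)) goto error_return;` path leaves `ret` at its initial 0, so a failure to allocate the sha256 shash is reported to the caller as "not blacklisted" and the whole check is silently skipped; return `PTR_ERR(tfm)` there so the failure is fail-closed. Two smaller points in the same function: `pr_debug("%ld digest: %*phN\n", verifylen, ...)` prints a `size_t` with `%ld` and should use `%zu`, and the `crypto_shash_init()` + `crypto_shash_finup()` pair can be a single `crypto_shash_digest(desc, mod, verifylen, digest)` call, which also drops one error branch. Lastly, `wholelen = modlen + sizeof(MODULE_SIG_STRING) - 1;` is computed before `modlen -= sizeof(ms);`, so the digest covers the whole on-disk file, signature block and marker string included; add a comment stating that the caller must have left the marker bytes in place at `mod + modlen` (this code reads them back without checking them) and that the value to enroll is therefore the hash of the signed artifact, not of the unsigned module.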
@@ -80,7 +131,14 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) return -EBADMSG; } - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, (void *)1UL, VERIFYING_MODULE_SIGNATURE, NULL, NULL); + pr_devel("verify_pkcs7_signature() = %d\n", ret); + + /* checking hash of module is in blacklist */ + if (!ret) + ret = mod_is_hash_blacklisted(mod, wholelen); + + return ret; } -- 2.10.2
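Review bot: the blacklist check at `if (!ret) ret = mod_is_hash_blacklisted(mod, wholelen);` runs only after verify_pkcs7_signature() has succeeded, so a module whose signature fails for any other reason (an unknown signing key returning -ENOKEY, for instance) never has its hash checked, and a caller that tolerates signature failures cannot distinguish a blacklisted module from a merely unsigned one. Consider running the hash check first and unconditionally, returning -EKEYREJECTED before any PKCS#7 work is done; it is cheaper and gives a clear verdict regardless of signature state. Note also that mod_is_hash_blacklisted() is static and this is its only call site, and the digest is taken over wholelen (marker included), so the commit message's claim that the check works whether or not the signature is stripped does not follow from this hunk: a stripped .ko hashes differently from the signed one. Either document that the enrolled hash must be taken from the signed file, or hash only the first modlen bytes so that one enrolled value matches both forms.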
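As an added example (not part of the patch or of the kernel tree), the script below builds a constructed file with the same trailer layout that mod_verify_sig() walks, then shows the two spans a blacklist hash could be taken over: the whole file, which is what wholelen in this patch covers and what `sha256sum sample.ko` on the signed file yields, and the unsigned body that remains once the signature block is peeled off. The 12-byte size of struct module_signature, the id_type value 2 and the exact marker text are assumed from the kernel sources rather than from the hunks shown above; PAYLOAD and SIGBLOB are constructed stand-ins, not a real ELF object or PKCS#7 blob.

```shell
#!/bin/sh
# Added example, not the patch's code: build a constructed "signed module"
# laid out as payload | signature blob | struct module_signature | marker,
# then hash the two spans a blacklist entry could refer to.
# Assumed from the kernel sources (not visible in the patch): struct
# module_signature is 12 bytes ending in a big-endian u32 sig_len, id_type 2
# is PKEY_ID_PKCS7, and MODULE_SIG_STRING is "~Module signature appended~\n".
set -eu

MARKER='~Module signature appended~'
MARKERLEN=$(( ${#MARKER} + 1 ))   # +1 for the trailing newline: 28 bytes
SIGSTRUCT_LEN=12                  # sizeof(struct module_signature), assumed

# Constructed inputs: neither is a real ELF object nor a real PKCS#7 blob.
PAYLOAD='constructed fake module body, stands in for the unsigned .ko'
SIGBLOB='constructed fake PKCS#7 signature blob'

# Emit $1 as four big-endian bytes (printf octal escapes, works in sh and bash).
be32() {
    n=$1
    for shift in 24 16 8 0; do
        printf "\\$(printf '%03o' $(( (n >> shift) & 255 )))"
    done
}

# Write PAYLOAD | SIGBLOB | {algo,hash,id_type,signer_len,key_id_len,pad[3],sig_len}
# | MARKER"\n" to the file named in $1.
make_signed_module() {
    out=$1
    {
        printf '%s' "$PAYLOAD"
        printf '%s' "$SIGBLOB"
        printf '\000\000\002\000\000\000\000\000'   # id_type = 2 (PKCS7), rest zero
        be32 "${#SIGBLOB}"                           # sig_len, big-endian
        printf '%s\n' "$MARKER"
    } > "$out"
}

# Read sig_len back the way mod_verify_sig() does: skip the marker, then take
# the last 4 bytes of struct module_signature.
sig_len_of() {
    hex=$(tail -c $(( MARKERLEN + 4 )) "$1" | head -c 4 | od -An -tx1 | tr -d ' \n')
    echo $(( 0x$hex ))
}

# The patch's wholelen span: modlen (file minus marker) plus the marker, i.e.
# the entire on-disk file. Identical to plain `sha256sum` on the signed file.
kernel_hash() { sha256sum "$1" | cut -d' ' -f1; }

# Hash of the unsigned body only: what `sha256sum` gives for the .ko before
# signing, or after its signature has been stripped.
unsigned_hash() {
    total=$(( $(wc -c < "$1") ))
    body=$(( total - MARKERLEN - SIGSTRUCT_LEN - $(sig_len_of "$1") ))
    head -c "$body" "$1" | sha256sum | cut -d' ' -f1
}

# Prints both digests; exits non-zero if they ever coincided (they cannot for
# a file that actually carries a signature block).
demo() {
    tmp=$(mktemp)
    make_signed_module "$tmp"
    k=$(kernel_hash "$tmp"); u=$(unsigned_hash "$tmp")
    echo "sig_len=$(sig_len_of "$tmp") wholelen=$(( $(wc -c < "$tmp") ))"
    echo "hash over wholelen (what this patch checks): $k"
    echo "hash over unsigned body:                     $u"
    rm -f "$tmp"
    [ "$k" != "$u" ]
}

demo
```

The first digest printed is the one that would have to be passed to `mokutil --mokx --import-hash` for this patch's check to fire on that exact signed file; the second is what a .ko with its signature stripped hashes to, and the two never match.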