Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757607Ab2HPBiI (ORCPT ); Wed, 15 Aug 2012 21:38:08 -0400 Received: from mx1.redhat.com ([209.132.183.28]:6607 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757344Ab2HPBiB (ORCPT ); Wed, 15 Aug 2012 21:38:01 -0400 From: David Howells Subject: [PATCH 20/25] MODSIGN: Provide module signing public keys to the kernel To: rusty@rustcorp.com.au Cc: dhowells@redhat.com, dmitry.kasatkin@intel.com, zohar@linux.vnet.ibm.com, jmorris@namei.org, keyrings@linux-nfs.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Date: Thu, 16 Aug 2012 02:37:51 +0100 Message-ID: <20120816013751.872.688.stgit@warthog.procyon.org.uk> In-Reply-To: <20120816013405.872.42381.stgit@warthog.procyon.org.uk> References: <20120816013405.872.42381.stgit@warthog.procyon.org.uk> User-Agent: StGIT/0.14.3 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4806 Lines: 150 Include a PGP keyring containing the public keys required to perform module verification in the kernel image during build and create a special keyring during boot which is then populated with keys of crypto type holding the public keys found in the PGP keyring. These can be seen by root: [root@andromeda ~]# cat /proc/keys 07ad4ee0 I----- 1 perm 3f010000 0 0 crypto modsign.0: RSA 87b9b3bd [] 15c7f8c3 I----- 1 perm 1f030000 0 0 keyring .module_sign: 1/4 ... It is probably worth permitting root to invalidate these keys, resulting in their removal and preventing further modules from being loaded with that key. Signed-off-by: David Howells --- kernel/Makefile | 3 ++ kernel/modsign-pubkey.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++ kernel/module-verify.h | 14 +++++++++ 3 files changed, 91 insertions(+) create mode 100644 kernel/modsign-pubkey.c create mode 100644 kernel/module-verify.h diff --git a/kernel/Makefile b/kernel/Makefile index c0cc67a..84f6c04 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -55,6 +55,7 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o obj-$(CONFIG_PROVE_LOCKING) += spinlock.o obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o +obj-$(CONFIG_MODULE_SIG) += modsign-pubkey.o obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC) += kexec.o @@ -131,3 +132,5 @@ quiet_cmd_timeconst = TIMEC $@ targets += timeconst.h $(obj)/timeconst.h: $(src)/timeconst.pl FORCE $(call if_changed,timeconst) + +kernel/modsign-pubkey.o: modsign.pub diff --git a/kernel/modsign-pubkey.c b/kernel/modsign-pubkey.c new file mode 100644 index 0000000..ce14c9a --- /dev/null +++ b/kernel/modsign-pubkey.c @@ -0,0 +1,74 @@ +/* Public keys for module signature verification + * + * Copyright (C) 2011 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include +#include +#include "module-verify.h" + +struct key *modsign_keyring; + +extern __initdata const u8 modsign_public_keys[]; +extern __initdata const u8 modsign_public_keys_end[]; +asm(".section .init.data,\"aw\"\n" + "modsign_public_keys:\n" + ".incbin \"modsign.pub\"\n" + "modsign_public_keys_end:" + ); + +/* + * We need to make sure ccache doesn't cache the .o file as it doesn't notice + * if modsign.pub changes. + */ +static __initdata const char annoy_ccache[] = __TIME__ "foo"; + +/* + * Load the compiled-in keys + */ +static __init int module_verify_init(void) +{ + pr_notice("Initialise module verification\n"); + + modsign_keyring = key_alloc(&key_type_keyring, ".module_sign", + 0, 0, current_cred(), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(modsign_keyring)) + panic("Can't allocate module signing keyring\n"); + + if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0) + panic("Can't instantiate module signing keyring\n"); + + return 0; +} + +/* + * Must be initialised before we try and load the keys into the keyring. + */ +device_initcall(module_verify_init); + +/* + * Load the compiled-in keys + */ +static __init int modsign_pubkey_init(void) +{ + pr_notice("Load module verification keys\n"); + + if (preload_pgp_keys(modsign_public_keys, + modsign_public_keys_end - modsign_public_keys, + modsign_keyring) < 0) + panic("Can't load module signing keys\n"); + + return 0; +} +late_initcall(modsign_pubkey_init); diff --git a/kernel/module-verify.h b/kernel/module-verify.h new file mode 100644 index 0000000..2f6cc16 --- /dev/null +++ b/kernel/module-verify.h @@ -0,0 +1,14 @@ +/* Module verification definitions + * + * Copyright (C) 2004, 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#ifdef CONFIG_MODULE_SIG +extern struct key *modsign_keyring; +#endif -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/