NIAP PP_OS certification requests that the OS shall validate the
CodeSigning extended key usage extension field for integrity
verifiction of exectable code:
https://www.niap-ccevs.org/MMO/PP/-442-/
FIA_X509_EXT.1.1
This patchset adds the logic for parsing the codeSigning EKU extension
field in X.509. And checking the CodeSigning EKU when verifying
signature of kernel module or kexec PE binary in PKCS#7.
v6:
- Add more length checking when parsing extKeyUsage and EKU's OID blob.
- Add 'usage' parameter to the comment of pkcs7_validate_trust function.
v5:
Fixed the wording in module-signing.rst.
v4:
Fixed the wording in patch description.
v3:
- Add codeSigning EKU to x509.genkey key generation config.
- Add openssl command option example for generating CodeSign EKU to
module-signing.rst document.
v2:
Changed the help wording in the Kconfig.
Lee, Chun-Yi (4):
X.509: Add CodeSigning extended key usage parsing
PKCS#7: Check codeSigning EKU for kernel module and kexec pe
verification
modsign: Add codeSigning EKU when generating X.509 key generation
config
Documentation/admin-guide/module-signing.rst: add openssl command
option example for CodeSign EKU
Documentation/admin-guide/module-signing.rst | 6 +++++
certs/Makefile | 1 +
certs/system_keyring.c | 2 +-
crypto/asymmetric_keys/Kconfig | 9 +++++++
crypto/asymmetric_keys/pkcs7_trust.c | 37 +++++++++++++++++++++++++---
crypto/asymmetric_keys/x509_cert_parser.c | 24 ++++++++++++++++++
include/crypto/pkcs7.h | 3 ++-
include/crypto/public_key.h | 1 +
include/linux/oid_registry.h | 5 ++++
9 files changed, 83 insertions(+), 5 deletions(-)
--
2.16.4
This patch adds the logic for checking the CodeSigning extended
key usage when verifying signature of kernel module or
kexec PE binary in PKCS#7.
Signed-off-by: "Lee, Chun-Yi" <[email protected]>
---
certs/system_keyring.c | 2 +-
crypto/asymmetric_keys/Kconfig | 9 +++++++++
crypto/asymmetric_keys/pkcs7_trust.c | 38 +++++++++++++++++++++++++++++++++---
include/crypto/pkcs7.h | 3 ++-
4 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 0c9a4795e847..302ca0555e75 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -206,7 +206,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
goto error;
}
}
- ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+ ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage);
if (ret < 0) {
if (ret == -ENOKEY)
pr_devel("PKCS#7 signature not signed with a trusted key\n");
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 1f1f004dc757..1754812df989 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION
This option provides support for verifying the signature(s) on a
signed PE binary.
+config CHECK_CODESIGN_EKU
+ bool "Check codeSigning extended key usage"
+ depends on PKCS7_MESSAGE_PARSER=y
+ depends on SYSTEM_DATA_VERIFICATION
+ help
+ This option provides support for checking the codeSigning extended
+ key usage when verifying the signature in PKCS#7. It affects kernel
+ module verification and kexec PE binary verification.
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index b531df2013c4..7c27bf81aca9 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -16,12 +16,36 @@
#include <crypto/public_key.h>
#include "pkcs7_parser.h"
+#ifdef CONFIG_CHECK_CODESIGN_EKU
+static bool check_codesign_eku(struct key *key,
+ enum key_being_used_for usage)
+{
+ struct public_key *public_key = key->payload.data[asym_crypto];
+
+ switch (usage) {
+ case VERIFYING_MODULE_SIGNATURE:
+ case VERIFYING_KEXEC_PE_SIGNATURE:
+ return !!(public_key->eku & EKU_codeSigning);
+ default:
+ break;
+ }
+ return true;
+}
+#else
+static bool check_codesign_eku(struct key *key,
+ enum key_being_used_for usage)
+{
+ return true;
+}
+#endif
+
/*
* Check the trust on one PKCS#7 SignedInfo block.
*/
static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
struct pkcs7_signed_info *sinfo,
- struct key *trust_keyring)
+ struct key *trust_keyring,
+ enum key_being_used_for usage)
{
struct public_key_signature *sig = sinfo->sig;
struct x509_certificate *x509, *last = NULL, *p;
@@ -112,6 +136,12 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
return -ENOKEY;
matched:
+ if (!check_codesign_eku(key, usage)) {
+ pr_warn("sinfo %u: The signer %x key is not CodeSigning\n",
+ sinfo->index, key_serial(key));
+ key_put(key);
+ return -ENOKEY;
+ }
ret = verify_signature(key, sig);
key_put(key);
if (ret < 0) {
@@ -135,6 +165,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
* pkcs7_validate_trust - Validate PKCS#7 trust chain
* @pkcs7: The PKCS#7 certificate to validate
* @trust_keyring: Signing certificates to use as starting points
+ * @usage: The use to which the key is being put.
*
* Validate that the certificate chain inside the PKCS#7 message intersects
* keys we already know and trust.
@@ -156,7 +187,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
* May also return -ENOMEM.
*/
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
- struct key *trust_keyring)
+ struct key *trust_keyring,
+ enum key_being_used_for usage)
{
struct pkcs7_signed_info *sinfo;
struct x509_certificate *p;
@@ -167,7 +199,7 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
p->seen = false;
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
- ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring);
+ ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, usage);
switch (ret) {
case -ENOKEY:
continue;
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 38ec7f5f9041..b3b48240ba73 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -30,7 +30,8 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
* pkcs7_trust.c
*/
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
- struct key *trust_keyring);
+ struct key *trust_keyring,
+ enum key_being_used_for usage);
/*
* pkcs7_verify.c
--
2.16.4
Add codeSigning EKU to the X.509 key generation config for the build time
autogenerated kernel key.
Signed-off-by: "Lee, Chun-Yi" <[email protected]>
---
certs/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/certs/Makefile b/certs/Makefile
index b6db52ebf0be..d9515d68778f 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -89,6 +89,7 @@ $(obj)/x509.genkey:
@echo >>$@ "keyUsage=digitalSignature"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"
+ @echo >>$@ "extendedKeyUsage=codeSigning"
endif # CONFIG_MODULE_SIG_KEY
$(eval $(call config_filename,MODULE_SIG_KEY))
--
2.16.4
Hi Chun-Yi",
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on next-20210429]
[cannot apply to cryptodev/master crypto/master v5.12]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210429-153115
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git d72cd4ad4174cfd2257c426ad51e4f53bcfde9c9
config: powerpc64-randconfig-m031-20210429 (attached as .config)
compiler: powerpc-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/63e6809a57ca114d297694a24283256990aa10df
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210429-153115
git checkout 63e6809a57ca114d297694a24283256990aa10df
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=powerpc64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
All errors (new ones prefixed by >>):
certs/blacklist.c: In function 'is_key_on_revocation_list':
>> certs/blacklist.c:188:8: error: too few arguments to function 'pkcs7_validate_trust'
188 | ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
| ^~~~~~~~~~~~~~~~~~~~
In file included from certs/blacklist.h:3,
from certs/blacklist.c:19:
include/crypto/pkcs7.h:32:12: note: declared here
32 | extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
| ^~~~~~~~~~~~~~~~~~~~
vim +/pkcs7_validate_trust +188 certs/blacklist.c
56c5812623f953 Eric Snowberg 2021-01-22 179
56c5812623f953 Eric Snowberg 2021-01-22 180 /**
56c5812623f953 Eric Snowberg 2021-01-22 181 * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
56c5812623f953 Eric Snowberg 2021-01-22 182 * @pkcs7: The PKCS#7 message to check
56c5812623f953 Eric Snowberg 2021-01-22 183 */
56c5812623f953 Eric Snowberg 2021-01-22 184 int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
56c5812623f953 Eric Snowberg 2021-01-22 185 {
56c5812623f953 Eric Snowberg 2021-01-22 186 int ret;
56c5812623f953 Eric Snowberg 2021-01-22 187
56c5812623f953 Eric Snowberg 2021-01-22 @188 ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
56c5812623f953 Eric Snowberg 2021-01-22 189
56c5812623f953 Eric Snowberg 2021-01-22 190 if (ret == 0)
56c5812623f953 Eric Snowberg 2021-01-22 191 return -EKEYREJECTED;
56c5812623f953 Eric Snowberg 2021-01-22 192
56c5812623f953 Eric Snowberg 2021-01-22 193 return -ENOKEY;
56c5812623f953 Eric Snowberg 2021-01-22 194 }
56c5812623f953 Eric Snowberg 2021-01-22 195 #endif
56c5812623f953 Eric Snowberg 2021-01-22 196
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]