Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1427856pxf; Fri, 12 Mar 2021 09:14:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJyGdGh2/y9tU4cK1g6xaBWbWsEf5OW1rVw3nM2JoIs16e9yPcPJlTmZVtO+xgwTiW5VArKA X-Received: by 2002:aa7:d2d5:: with SMTP id k21mr15119200edr.216.1615569290019; Fri, 12 Mar 2021 09:14:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1615569290; cv=none; d=google.com; s=arc-20160816; b=rq6HNQd4BM+j5+uRMzTCfcmzzq8M+4b+WiGNH0ysOPoXAm+TwGarMXBkzynXd92oVR qTLmLqciuT/1KJMkb4YAnIF+nWike4rbDcAFvZ98OL8RW8OV7w7fPJ0SwArEbSkkFbbw LrDknWiK7LbuhiooI/Eka2NtyYSzOA3z8CBn2L2IKQZ/FWo/CtWr9qjUFucpN87Qe6Cc FDpMv75rEef+6hTRtsizfxNxP5jUcH4fwd7qHxS0NdHIxRgBPP21IzcVX5ds2Yaol+Ql DGvmZ6AUml5YElzfLEQd3Wen0i3Zvgqt/Gu+1pnLFVfVn+gIT7mIK93OAFMCPDrm12W+ LG1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=zKsWwI45z5cVR7aIy7TcV3CkUuR3Jct3TwBhqHvzReU=; b=WUqbLtOCpEeUl1KXlP+4D+gk6sdgpppcgFZZDE7Eay2dZqjl2jKdkWT75CGl/HQisQ 1A+IrRaMMMZhdUA//b9gFAQnQ3VupMt7BD0NoRmEp3UomxePsQdaCLWhQFB+u7Bmwjjh Ti47twRSZbcAl5QO+FfGXM5ij9GWM6w4UtoFkt0T1GRFSorbRVIT8uCxogsP3n2jauvP IsESeIofkibt1efL0ZLc4aCVXilXfOjTXXizMkGkBKGkEbudtuqRUvO869UhG/eQW6+M APp12MdE+yYoMRldwA+ey8B7VrM4juEvgXWNwa64pMecv32SPf1X09ptAb+Ocl/kytVA yFkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d24si4422494ejw.372.2021.03.12.09.14.25; Fri, 12 Mar 2021 09:14:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232398AbhCLRNx (ORCPT + 99 others); Fri, 12 Mar 2021 12:13:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38212 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232740AbhCLRNX (ORCPT ); Fri, 12 Mar 2021 12:13:23 -0500 Received: from smtp-1908.mail.infomaniak.ch (smtp-1908.mail.infomaniak.ch [IPv6:2001:1600:4:17::1908]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D1CBC061574 for ; Fri, 12 Mar 2021 09:13:23 -0800 (PST) Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4DxspQ11zgzMq5Vl; Fri, 12 Mar 2021 18:13:18 +0100 (CET) Received: from localhost (unknown [23.97.221.149]) by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4DxspP5lvtzlh8TB; Fri, 12 Mar 2021 18:13:17 +0100 (CET) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , "David S . Miller" , Eric Snowberg , Herbert Xu , James Morris , =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Mimi Zohar , "Serge E . Hallyn" , Tyler Hicks , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v7 4/5] certs: Factor out the blacklist hash creation Date: Fri, 12 Mar 2021 18:12:31 +0100 Message-Id: <20210312171232.2681989-5-mic@digikod.net> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210312171232.2681989-1-mic@digikod.net> References: <20210312171232.2681989-1-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Mickaël Salaün Factor out the blacklist hash creation with the get_raw_hash() helper. This also centralize the "tbs" and "bin" prefixes and make them private, which help to manage them consistently. Cc: David Howells Cc: David S. Miller Cc: David Woodhouse Cc: Eric Snowberg Cc: Herbert Xu Cc: Jarkko Sakkinen Signed-off-by: Mickaël Salaün Link: https://lore.kernel.org/r/20210312171232.2681989-5-mic@digikod.net --- Changes since v6: * Rebase on keys-cve-2020-26541-v3: commit ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring"). Changes since v5: * Rebase on keys-next and fix conflict as previously done by David Howells. * Fix missing part to effectively handle UEFI DBX blacklisting. * Remove Jarkko's Acked-by because of the above changes. Changes since v2: * Add Jarkko's Acked-by. --- certs/blacklist.c | 76 ++++++++++++++----- crypto/asymmetric_keys/x509_public_key.c | 3 +- include/keys/system_keyring.h | 14 +++- .../platform_certs/keyring_handler.c | 26 +------ 4 files changed, 73 insertions(+), 46 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 97a35cf9a62c..b254c87ceb3a 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -109,11 +109,43 @@ static struct key_type key_type_blacklist = { .describe = blacklist_describe, }; +static char *get_raw_hash(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + size_t type_len; + const char *type_prefix; + char *buffer, *p; + + switch (hash_type) { + case BLACKLIST_HASH_X509_TBS: + type_len = sizeof(tbs_prefix) - 1; + type_prefix = tbs_prefix; + break; + case BLACKLIST_HASH_BINARY: + type_len = sizeof(bin_prefix) - 1; + type_prefix = bin_prefix; + break; + default: + WARN_ON_ONCE(1); + return ERR_PTR(-EINVAL); + } + buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); + if (!buffer) + return ERR_PTR(-ENOMEM); + p = memcpy(buffer, type_prefix, type_len); + p += type_len; + *p++ = ':'; + bin2hex(p, hash, hash_len); + p += hash_len * 2; + *p = '\0'; + return buffer; +} + /** - * mark_hash_blacklisted - Add a hash to the system blacklist + * mark_raw_hash_blacklisted - Add a hash to the system blacklist * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783") */ -int mark_hash_blacklisted(const char *hash) +static int mark_raw_hash_blacklisted(const char *hash) { key_ref_t key; @@ -133,29 +165,36 @@ int mark_hash_blacklisted(const char *hash) return 0; } +int mark_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + const char *buffer; + int err; + + buffer = get_raw_hash(hash, hash_len, hash_type); + if (IS_ERR(buffer)) + return PTR_ERR(buffer); + err = mark_raw_hash_blacklisted(buffer); + kfree(buffer); + return err; +} + /** * is_hash_blacklisted - Determine if a hash is blacklisted * @hash: The hash to be checked as a binary blob * @hash_len: The length of the binary hash - * @type: Type of hash + * @hash_type: Type of hash */ -int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) +int is_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) { key_ref_t kref; - size_t type_len = strlen(type); - char *buffer, *p; + const char *buffer; int ret = 0; - buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); - if (!buffer) - return -ENOMEM; - p = memcpy(buffer, type, type_len); - p += type_len; - *p++ = ':'; - bin2hex(p, hash, hash_len); - p += hash_len * 2; - *p = 0; - + buffer = get_raw_hash(hash, hash_len, hash_type); + if (IS_ERR(buffer)) + return PTR_ERR(buffer); kref = keyring_search(make_key_ref(blacklist_keyring, true), &key_type_blacklist, buffer, false); if (!IS_ERR(kref)) { @@ -170,7 +209,8 @@ EXPORT_SYMBOL_GPL(is_hash_blacklisted); int is_binary_blacklisted(const u8 *hash, size_t hash_len) { - if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) + if (is_hash_blacklisted(hash, hash_len, BLACKLIST_HASH_BINARY) == + -EKEYREJECTED) return -EPERM; return 0; @@ -243,7 +283,7 @@ static int __init blacklist_init(void) panic("Can't allocate system blacklist keyring\n"); for (bl = blacklist_hashes; *bl; bl++) - if (mark_hash_blacklisted(*bl) < 0) + if (mark_raw_hash_blacklisted(*bl) < 0) pr_err("- blacklisting failed\n"); return 0; } diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index ae450eb8be14..3b7dba5e4cd9 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -81,7 +81,8 @@ int x509_get_sig_params(struct x509_certificate *cert) if (ret < 0) goto error_2; - ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs"); + ret = is_hash_blacklisted(sig->digest, sig->digest_size, + BLACKLIST_HASH_X509_TBS); if (ret == -EKEYREJECTED) { pr_err("Cert %*phN is blacklisted\n", sig->digest_size, sig->digest); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 875e002a4180..d2597f8d6d7e 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -10,6 +10,13 @@ #include +enum blacklist_hash_type { + /* TBSCertificate hash */ + BLACKLIST_HASH_X509_TBS = 1, + /* Raw data hash */ + BLACKLIST_HASH_BINARY = 2, +}; + #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING extern int restrict_link_by_builtin_trusted(struct key *keyring, @@ -33,13 +40,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -extern int mark_hash_blacklisted(const char *hash); +extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, - const char *type); + enum blacklist_hash_type hash_type); extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, - const char *type) + enum blacklist_hash_type hash_type) { return 0; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..9e4f156b356e 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -15,35 +15,13 @@ static efi_guid_t efi_cert_x509_sha256_guid __initdata = EFI_CERT_X509_SHA256_GUID; static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID; -/* - * Blacklist a hash. - */ -static __init void uefi_blacklist_hash(const char *source, const void *data, - size_t len, const char *type, - size_t type_len) -{ - char *hash, *p; - - hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL); - if (!hash) - return; - p = memcpy(hash, type, type_len); - p += type_len; - bin2hex(p, data, len); - p += len * 2; - *p = 0; - - mark_hash_blacklisted(hash); - kfree(hash); -} - /* * Blacklist an X509 TBS hash. */ static __init void uefi_blacklist_x509_tbs(const char *source, const void *data, size_t len) { - uefi_blacklist_hash(source, data, len, "tbs:", 4); + mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS); } /* @@ -52,7 +30,7 @@ static __init void uefi_blacklist_x509_tbs(const char *source, static __init void uefi_blacklist_binary(const char *source, const void *data, size_t len) { - uefi_blacklist_hash(source, data, len, "bin:", 4); + mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY); } /* -- 2.30.2