1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* Module signature checker |
3 | * |
4 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. |
5 | * Written by David Howells (dhowells@redhat.com) |
6 | */ |
7 | |
8 | #include <linux/kernel.h> |
9 | #include <linux/errno.h> |
10 | #include <linux/module.h> |
11 | #include <linux/module_signature.h> |
12 | #include <linux/string.h> |
13 | #include <linux/verification.h> |
14 | #include <linux/security.h> |
15 | #include <crypto/public_key.h> |
16 | #include <uapi/linux/module.h> |
17 | #include "internal.h" |
18 | |
19 | #undef MODULE_PARAM_PREFIX |
20 | #define MODULE_PARAM_PREFIX "module." |
21 | |
22 | static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); |
23 | module_param(sig_enforce, bool_enable_only, 0644); |
24 | |
25 | /* |
26 | * Export sig_enforce kernel cmdline parameter to allow other subsystems rely |
27 | * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. |
28 | */ |
29 | bool is_module_sig_enforced(void) |
30 | { |
31 | return sig_enforce; |
32 | } |
33 | EXPORT_SYMBOL(is_module_sig_enforced); |
34 | |
35 | void set_module_sig_enforced(void) |
36 | { |
37 | sig_enforce = true; |
38 | } |
39 | |
40 | /* |
41 | * Verify the signature on a module. |
42 | */ |
43 | int mod_verify_sig(const void *mod, struct load_info *info) |
44 | { |
45 | struct module_signature ms; |
46 | size_t sig_len, modlen = info->len; |
47 | int ret; |
48 | |
49 | pr_devel("==>%s(,%zu)\n" , __func__, modlen); |
50 | |
51 | if (modlen <= sizeof(ms)) |
52 | return -EBADMSG; |
53 | |
54 | memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); |
55 | |
56 | ret = mod_check_sig(ms: &ms, file_len: modlen, name: "module" ); |
57 | if (ret) |
58 | return ret; |
59 | |
60 | sig_len = be32_to_cpu(ms.sig_len); |
61 | modlen -= sig_len + sizeof(ms); |
62 | info->len = modlen; |
63 | |
64 | return verify_pkcs7_signature(data: mod, len: modlen, raw_pkcs7: mod + modlen, pkcs7_len: sig_len, |
65 | VERIFY_USE_SECONDARY_KEYRING, |
66 | usage: VERIFYING_MODULE_SIGNATURE, |
67 | NULL, NULL); |
68 | } |
69 | |
70 | int module_sig_check(struct load_info *info, int flags) |
71 | { |
72 | int err = -ENODATA; |
73 | const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; |
74 | const char *reason; |
75 | const void *mod = info->hdr; |
76 | bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS | |
77 | MODULE_INIT_IGNORE_VERMAGIC); |
78 | /* |
79 | * Do not allow mangled modules as a module with version information |
80 | * removed is no longer the module that was signed. |
81 | */ |
82 | if (!mangled_module && |
83 | info->len > markerlen && |
84 | memcmp(p: mod + info->len - markerlen, MODULE_SIG_STRING, size: markerlen) == 0) { |
85 | /* We truncate the module to discard the signature */ |
86 | info->len -= markerlen; |
87 | err = mod_verify_sig(mod, info); |
88 | if (!err) { |
89 | info->sig_ok = true; |
90 | return 0; |
91 | } |
92 | } |
93 | |
94 | /* |
95 | * We don't permit modules to be loaded into the trusted kernels |
96 | * without a valid signature on them, but if we're not enforcing, |
97 | * certain errors are non-fatal. |
98 | */ |
99 | switch (err) { |
100 | case -ENODATA: |
101 | reason = "unsigned module" ; |
102 | break; |
103 | case -ENOPKG: |
104 | reason = "module with unsupported crypto" ; |
105 | break; |
106 | case -ENOKEY: |
107 | reason = "module with unavailable key" ; |
108 | break; |
109 | |
110 | default: |
111 | /* |
112 | * All other errors are fatal, including lack of memory, |
113 | * unparseable signatures, and signature check failures -- |
114 | * even if signatures aren't required. |
115 | */ |
116 | return err; |
117 | } |
118 | |
119 | if (is_module_sig_enforced()) { |
120 | pr_notice("Loading of %s is rejected\n" , reason); |
121 | return -EKEYREJECTED; |
122 | } |
123 | |
124 | return security_locked_down(what: LOCKDOWN_MODULE_SIGNATURE); |
125 | } |
126 | |