From 106a4ee258d14818467829bf0e12aeae14c16cd7 Mon Sep 17 00:00:00 2001 From: Rusty Russell Date: Wed, 26 Sep 2012 10:09:40 +0100 Subject: module: signature checking hook We do a very simple search for a particular string appended to the module (which is cache-hot and about to be SHA'd anyway). There's both a config option and a boot parameter which control whether we accept or fail with unsigned modules and modules that are signed with an unknown key. If module signing is enabled, the kernel will be tainted if a module is loaded that is unsigned or has a signature for which we don't have the key. (Useful feedback and tweaks by David Howells ) Signed-off-by: Rusty Russell Signed-off-by: David Howells Signed-off-by: Rusty Russell --- kernel/module-internal.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 kernel/module-internal.h (limited to 'kernel/module-internal.h') diff --git a/kernel/module-internal.h b/kernel/module-internal.h new file mode 100644 index 000000000000..033c17fd70ef --- /dev/null +++ b/kernel/module-internal.h @@ -0,0 +1,13 @@ +/* Module internals + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +extern int mod_verify_sig(const void *mod, unsigned long modlen, + const void *sig, unsigned long siglen); -- cgit v1.2.3 From 631cc66eb9eaa7296e303197ff1eb0f55e32b61d Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 26 Sep 2012 10:09:51 +0100 Subject: MODSIGN: Provide module signing public keys to the kernel Include a PGP keyring containing the public keys required to perform module verification in the kernel image during build and create a special keyring during boot which is then populated with keys of crypto type holding the public keys found in the PGP keyring. These can be seen by root: [root@andromeda ~]# cat /proc/keys 07ad4ee0 I----- 1 perm 3f010000 0 0 crypto modsign.0: RSA 87b9b3bd [] 15c7f8c3 I----- 1 perm 1f030000 0 0 keyring .module_sign: 1/4 ... It is probably worth permitting root to invalidate these keys, resulting in their removal and preventing further modules from being loaded with that key. Signed-off-by: David Howells Signed-off-by: Rusty Russell --- kernel/Makefile | 11 ++++- kernel/modsign_pubkey.c | 113 +++++++++++++++++++++++++++++++++++++++++++++++ kernel/module-internal.h | 2 + 3 files changed, 124 insertions(+), 2 deletions(-) create mode 100644 kernel/modsign_pubkey.c (limited to 'kernel/module-internal.h') diff --git a/kernel/Makefile b/kernel/Makefile index 58c6f111267e..111a845460c9 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -55,7 +55,7 @@ obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o obj-$(CONFIG_PROVE_LOCKING) += spinlock.o obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o -obj-$(CONFIG_MODULE_SIG) += module_signing.o +obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC) += kexec.o @@ -134,6 +134,13 @@ $(obj)/timeconst.h: $(src)/timeconst.pl FORCE $(call if_changed,timeconst) ifeq ($(CONFIG_MODULE_SIG),y) +# +# Pull the signing certificate and any extra certificates into the kernel +# +extra_certificates: + touch $@ + +kernel/modsign_pubkey.o: signing_key.x509 extra_certificates ############################################################################### # @@ -180,4 +187,4 @@ x509.genkey: @echo >>x509.genkey "subjectKeyIdentifier=hash" @echo >>x509.genkey "authorityKeyIdentifier=keyid" endif -CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey +CLEAN_FILES += signing_key.priv signing_key.x509 x509.genkey extra_certificates diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c new file mode 100644 index 000000000000..4646eb2c3820 --- /dev/null +++ b/kernel/modsign_pubkey.c @@ -0,0 +1,113 @@ +/* Public keys for module signature verification + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include "module-internal.h" + +struct key *modsign_keyring; + +extern __initdata const u8 modsign_certificate_list[]; +extern __initdata const u8 modsign_certificate_list_end[]; +asm(".section .init.data,\"aw\"\n" + "modsign_certificate_list:\n" + ".incbin \"signing_key.x509\"\n" + ".incbin \"extra_certificates\"\n" + "modsign_certificate_list_end:" + ); + +/* + * We need to make sure ccache doesn't cache the .o file as it doesn't notice + * if modsign.pub changes. + */ +static __initdata const char annoy_ccache[] = __TIME__ "foo"; + +/* + * Load the compiled-in keys + */ +static __init int module_verify_init(void) +{ + pr_notice("Initialise module verification\n"); + + modsign_keyring = key_alloc(&key_type_keyring, ".module_sign", + KUIDT_INIT(0), KGIDT_INIT(0), + current_cred(), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(modsign_keyring)) + panic("Can't allocate module signing keyring\n"); + + if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0) + panic("Can't instantiate module signing keyring\n"); + + return 0; +} + +/* + * Must be initialised before we try and load the keys into the keyring. + */ +device_initcall(module_verify_init); + +/* + * Load the compiled-in keys + */ +static __init int load_module_signing_keys(void) +{ + key_ref_t key; + const u8 *p, *end; + size_t plen; + + pr_notice("Loading module verification certificates\n"); + + end = modsign_certificate_list_end; + p = modsign_certificate_list; + while (p < end) { + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more + * than 256 bytes in size. + */ + if (end - p < 4) + goto dodgy_cert; + if (p[0] != 0x30 && + p[1] != 0x82) + goto dodgy_cert; + plen = (p[2] << 8) | p[3]; + plen += 4; + if (plen > end - p) + goto dodgy_cert; + + key = key_create_or_update(make_key_ref(modsign_keyring, 1), + "asymmetric", + NULL, + p, + plen, + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(key)) + pr_err("MODSIGN: Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + else + pr_notice("MODSIGN: Loaded cert '%s'\n", + key_ref_to_ptr(key)->description); + p += plen; + } + + return 0; + +dodgy_cert: + pr_err("MODSIGN: Problem parsing in-kernel X.509 certificate list\n"); + return 0; +} +late_initcall(load_module_signing_keys); diff --git a/kernel/module-internal.h b/kernel/module-internal.h index 033c17fd70ef..6114a13419bd 100644 --- a/kernel/module-internal.h +++ b/kernel/module-internal.h @@ -9,5 +9,7 @@ * 2 of the Licence, or (at your option) any later version. */ +extern struct key *modsign_keyring; + extern int mod_verify_sig(const void *mod, unsigned long modlen, const void *sig, unsigned long siglen); -- cgit v1.2.3 From caabe240574aec05b2f5667414ce80f9075c2ba1 Mon Sep 17 00:00:00 2001 From: David Howells Date: Sat, 20 Oct 2012 01:19:29 +0100 Subject: MODSIGN: Move the magic string to the end of a module and eliminate the search Emit the magic string that indicates a module has a signature after the signature data instead of before it. This allows module_sig_check() to be made simpler and faster by the elimination of the search for the magic string. Instead we just need to do a single memcmp(). This works because at the end of the signature data there is the fixed-length signature information block. This block then falls immediately prior to the magic number. From the contents of the information block, it is trivial to calculate the size of the signature data and thus the size of the actual module data. Signed-off-by: David Howells Signed-off-by: Linus Torvalds --- kernel/module-internal.h | 3 +-- kernel/module.c | 26 +++++++++----------------- kernel/module_signing.c | 24 +++++++++++++++--------- scripts/sign-file | 6 +++--- 4 files changed, 28 insertions(+), 31 deletions(-) (limited to 'kernel/module-internal.h') diff --git a/kernel/module-internal.h b/kernel/module-internal.h index 6114a13419bd..24f9247b7d02 100644 --- a/kernel/module-internal.h +++ b/kernel/module-internal.h @@ -11,5 +11,4 @@ extern struct key *modsign_keyring; -extern int mod_verify_sig(const void *mod, unsigned long modlen, - const void *sig, unsigned long siglen); +extern int mod_verify_sig(const void *mod, unsigned long *_modlen); diff --git a/kernel/module.c b/kernel/module.c index 0e2da8695f8e..6085f5ef88ea 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -2421,25 +2421,17 @@ static inline void kmemleak_load_module(const struct module *mod, #ifdef CONFIG_MODULE_SIG static int module_sig_check(struct load_info *info, - const void *mod, unsigned long *len) + const void *mod, unsigned long *_len) { int err = -ENOKEY; - const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; - const void *p = mod, *end = mod + *len; - - /* Poor man's memmem. */ - while ((p = memchr(p, MODULE_SIG_STRING[0], end - p))) { - if (p + markerlen > end) - break; - - if (memcmp(p, MODULE_SIG_STRING, markerlen) == 0) { - const void *sig = p + markerlen; - /* Truncate module up to signature. */ - *len = p - mod; - err = mod_verify_sig(mod, *len, sig, end - sig); - break; - } - p++; + unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; + unsigned long len = *_len; + + if (len > markerlen && + memcmp(mod + len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { + /* We truncate the module to discard the signature */ + *_len -= markerlen; + err = mod_verify_sig(mod, _len); } if (!err) { diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 6b09f6983ac0..d492a23df99c 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -183,27 +183,33 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, /* * Verify the signature on a module. */ -int mod_verify_sig(const void *mod, unsigned long modlen, - const void *sig, unsigned long siglen) +int mod_verify_sig(const void *mod, unsigned long *_modlen) { struct public_key_signature *pks; struct module_signature ms; struct key *key; - size_t sig_len; + const void *sig; + size_t modlen = *_modlen, sig_len; int ret; - pr_devel("==>%s(,%lu,,%lu,)\n", __func__, modlen, siglen); + pr_devel("==>%s(,%lu)\n", __func__, modlen); - if (siglen <= sizeof(ms)) + if (modlen <= sizeof(ms)) return -EBADMSG; - memcpy(&ms, sig + (siglen - sizeof(ms)), sizeof(ms)); - siglen -= sizeof(ms); + memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); + modlen -= sizeof(ms); sig_len = be32_to_cpu(ms.sig_len); - if (sig_len >= siglen || - siglen - sig_len != (size_t)ms.signer_len + ms.key_id_len) + if (sig_len >= modlen) return -EBADMSG; + modlen -= sig_len; + if ((size_t)ms.signer_len + ms.key_id_len >= modlen) + return -EBADMSG; + modlen -= (size_t)ms.signer_len + ms.key_id_len; + + *_modlen = modlen; + sig = mod + modlen; /* For the moment, only support RSA and X.509 identifiers */ if (ms.algo != PKEY_ALGO_RSA || diff --git a/scripts/sign-file b/scripts/sign-file index d37d1309531e..87ca59d36e7e 100755 --- a/scripts/sign-file +++ b/scripts/sign-file @@ -403,11 +403,11 @@ my $info = pack("CCCCCxxxN", if ($verbose) { print "Size of unsigned module: ", length($unsigned_module), "\n"; - print "Size of magic number : ", length($magic_number), "\n"; print "Size of signer's name : ", length($signers_name), "\n"; print "Size of key identifier : ", length($key_identifier), "\n"; print "Size of signature : ", length($signature), "\n"; print "Size of informaton : ", length($info), "\n"; + print "Size of magic number : ", length($magic_number), "\n"; print "Signer's name : '", $signers_name, "'\n"; print "Digest : $dgst\n"; } @@ -416,11 +416,11 @@ open(FD, ">$dest") || die $dest; binmode FD; print FD $unsigned_module, - $magic_number, $signers_name, $key_identifier, $signature, - $info + $info, + $magic_number ; close FD || die $dest; -- cgit v1.2.3