aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Howells2015-07-20 15:16:28 -0500
committerDavid Howells2015-08-07 10:26:13 -0500
commit091f6e26eb326adbd718f406e440c838bed8ebb6 (patch)
tree9562f51745eb81fdf44d1fb56d6e79090935d2e4 /kernel/system_keyring.c
parent1c39449921fc6db1f942051f79868a19c92f4d47 (diff)
downloadkernel-omap-091f6e26eb326adbd718f406e440c838bed8ebb6.tar.gz
kernel-omap-091f6e26eb326adbd718f406e440c838bed8ebb6.tar.xz
kernel-omap-091f6e26eb326adbd718f406e440c838bed8ebb6.zip
MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
Extract the function that drives the PKCS#7 signature verification given a data blob and a PKCS#7 blob out from the module signing code and lump it with the system keyring code as it's generic. This makes it independent of module config options and opens it to use by the firmware loader. Signed-off-by: David Howells <dhowells@redhat.com> Cc: Luis R. Rodriguez <mcgrof@suse.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: Ming Lei <ming.lei@canonical.com> Cc: Seth Forshee <seth.forshee@canonical.com> Cc: Kyle McMartin <kyle@kernel.org>
Diffstat (limited to 'kernel/system_keyring.c')
-rw-r--r--kernel/system_keyring.c50
1 files changed, 50 insertions, 0 deletions
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
index 4cda71ee51c7..95f2dcbc7616 100644
--- a/kernel/system_keyring.c
+++ b/kernel/system_keyring.c
@@ -16,6 +16,7 @@
16#include <linux/err.h> 16#include <linux/err.h>
17#include <keys/asymmetric-type.h> 17#include <keys/asymmetric-type.h>
18#include <keys/system_keyring.h> 18#include <keys/system_keyring.h>
19#include <crypto/pkcs7.h>
19 20
20struct key *system_trusted_keyring; 21struct key *system_trusted_keyring;
21EXPORT_SYMBOL_GPL(system_trusted_keyring); 22EXPORT_SYMBOL_GPL(system_trusted_keyring);
@@ -103,3 +104,52 @@ dodgy_cert:
103 return 0; 104 return 0;
104} 105}
105late_initcall(load_system_certificate_list); 106late_initcall(load_system_certificate_list);
107
108#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
109
110/**
111 * Verify a PKCS#7-based signature on system data.
112 * @data: The data to be verified.
113 * @len: Size of @data.
114 * @raw_pkcs7: The PKCS#7 message that is the signature.
115 * @pkcs7_len: The size of @raw_pkcs7.
116 */
117int system_verify_data(const void *data, unsigned long len,
118 const void *raw_pkcs7, size_t pkcs7_len)
119{
120 struct pkcs7_message *pkcs7;
121 bool trusted;
122 int ret;
123
124 pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
125 if (IS_ERR(pkcs7))
126 return PTR_ERR(pkcs7);
127
128 /* The data should be detached - so we need to supply it. */
129 if (pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
130 pr_err("PKCS#7 signature with non-detached data\n");
131 ret = -EBADMSG;
132 goto error;
133 }
134
135 ret = pkcs7_verify(pkcs7);
136 if (ret < 0)
137 goto error;
138
139 ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
140 if (ret < 0)
141 goto error;
142
143 if (!trusted) {
144 pr_err("PKCS#7 signature not signed with a trusted key\n");
145 ret = -ENOKEY;
146 }
147
148error:
149 pkcs7_free_message(pkcs7);
150 pr_devel("<==%s() = %d\n", __func__, ret);
151 return ret;
152}
153EXPORT_SYMBOL_GPL(system_verify_data);
154
155#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */