[RFC][PATCH v3 9/9] ima: Support non-PKCS#7 modsig types

Roberto Sassu roberto.sassu at huaweicloud.com
Thu Jul 20 15:32:45 UTC 2023


From: Roberto Sassu <roberto.sassu at huawei.com>

Add support for alternative signature formats through the newly introduced
user asymmetric key signatures. The corresponding API is invoked if the
signature type is not PKEY_ID_PKCS7. If the signature type is
PKEY_ID_PKCS7, nothing changes, the existing API is still invoked.

Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
---
 security/integrity/ima/ima_modsig.c | 79 +++++++++++++++++++++--------
 1 file changed, 59 insertions(+), 20 deletions(-)

diff --git a/security/integrity/ima/ima_modsig.c b/security/integrity/ima/ima_modsig.c
index 3e7bee30080..7c96cb2613a 100644
--- a/security/integrity/ima/ima_modsig.c
+++ b/security/integrity/ima/ima_modsig.c
@@ -12,11 +12,14 @@
 #include <linux/module_signature.h>
 #include <keys/asymmetric-type.h>
 #include <crypto/pkcs7.h>
+#include <crypto/uasym_keys_sigs.h>
 
 #include "ima.h"
 
 struct modsig {
 	struct pkcs7_message *pkcs7_msg;
+	struct uasym_sig_message *uasym_sig;
+	u8 id_type;
 
 	enum hash_algo hash_algo;
 
@@ -28,8 +31,8 @@ struct modsig {
 	 * This is what will go to the measurement list if the template requires
 	 * storing the signature.
 	 */
-	int raw_pkcs7_len;
-	u8 raw_pkcs7[];
+	int raw_sig_len;
+	u8 raw_sig[];
 };
 
 /*
@@ -57,27 +60,43 @@ int ima_read_modsig(enum ima_hooks func, const void *buf, loff_t buf_len,
 	buf_len -= marker_len;
 	sig = (const struct module_signature *)(p - sizeof(*sig));
 
-	rc = mod_check_sig(sig, buf_len, func_tokens[func]);
-	if (rc)
-		return rc;
+	if (sig->id_type == PKEY_ID_PKCS7) {
+		rc = mod_check_sig(sig, buf_len, func_tokens[func]);
+		if (rc)
+			return rc;
+	} else {
+		/* Same as mod_check_sig() but skipping the id_type check. */
+		if (sig->algo != 0 ||
+		    sig->hash != 0 ||
+		    sig->signer_len != 0 ||
+		    sig->key_id_len != 0 ||
+		    sig->__pad[0] != 0 ||
+		    sig->__pad[1] != 0 ||
+		    sig->__pad[2] != 0)
+			return -EBADMSG;
+	}
 
 	sig_len = be32_to_cpu(sig->sig_len);
 	buf_len -= sig_len + sizeof(*sig);
 
-	/* Allocate sig_len additional bytes to hold the raw PKCS#7 data. */
+	/* Allocate sig_len additional bytes to hold the raw sig data. */
 	hdr = kzalloc(sizeof(*hdr) + sig_len, GFP_KERNEL);
 	if (!hdr)
 		return -ENOMEM;
 
-	hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
-	if (IS_ERR(hdr->pkcs7_msg)) {
-		rc = PTR_ERR(hdr->pkcs7_msg);
+	if (sig->id_type == PKEY_ID_PKCS7)
+		hdr->pkcs7_msg = pkcs7_parse_message(buf + buf_len, sig_len);
+	else
+		hdr->uasym_sig = uasym_sig_parse_message(buf + buf_len, sig_len);
+
+	if (IS_ERR(hdr->pkcs7_msg) || IS_ERR(hdr->uasym_sig)) {
 		kfree(hdr);
 		return rc;
 	}
 
-	memcpy(hdr->raw_pkcs7, buf + buf_len, sig_len);
-	hdr->raw_pkcs7_len = sig_len;
+	memcpy(hdr->raw_sig, buf + buf_len, sig_len);
+	hdr->raw_sig_len = sig_len;
+	hdr->id_type = sig->id_type;
 
 	/* We don't know the hash algorithm yet. */
 	hdr->hash_algo = HASH_ALGO__LAST;
@@ -105,21 +124,38 @@ void ima_collect_modsig(struct modsig *modsig, const void *buf, loff_t size)
 	 * Provide the file contents (minus the appended sig) so that the PKCS7
 	 * code can calculate the file hash.
 	 */
-	size -= modsig->raw_pkcs7_len + strlen(MODULE_SIG_STRING) +
+	size -= modsig->raw_sig_len + strlen(MODULE_SIG_STRING) +
 		sizeof(struct module_signature);
-	rc = pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size);
+	if (modsig->id_type == PKEY_ID_PKCS7)
+		rc = pkcs7_supply_detached_data(modsig->pkcs7_msg, buf, size);
+	else
+		rc = uasym_sig_supply_detached_data(modsig->uasym_sig, buf,
+						    size);
 	if (rc)
 		return;
 
 	/* Ask the PKCS7 code to calculate the file hash. */
-	rc = pkcs7_get_digest(modsig->pkcs7_msg, &modsig->digest,
-			      &modsig->digest_size, &modsig->hash_algo);
+	if (modsig->id_type == PKEY_ID_PKCS7)
+		rc = pkcs7_get_digest(modsig->pkcs7_msg, &modsig->digest,
+				      &modsig->digest_size, &modsig->hash_algo);
+	else
+		rc = uasym_sig_get_digest(modsig->uasym_sig, &modsig->digest,
+					  &modsig->digest_size,
+					  &modsig->hash_algo);
 }
 
 int ima_modsig_verify(struct key *keyring, const struct modsig *modsig)
 {
-	return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg, keyring,
-					VERIFYING_MODULE_SIGNATURE, NULL, NULL);
+	if (modsig->id_type == PKEY_ID_PKCS7)
+		return verify_pkcs7_message_sig(NULL, 0, modsig->pkcs7_msg,
+						keyring,
+						VERIFYING_MODULE_SIGNATURE,
+						NULL, NULL);
+	else
+		return verify_uasym_sig_message(NULL, 0, modsig->uasym_sig,
+						keyring,
+						VERIFYING_MODULE_SIGNATURE,
+						NULL, NULL);
 }
 
 int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
@@ -135,8 +171,8 @@ int ima_get_modsig_digest(const struct modsig *modsig, enum hash_algo *algo,
 int ima_get_raw_modsig(const struct modsig *modsig, const void **data,
 		       u32 *data_len)
 {
-	*data = &modsig->raw_pkcs7;
-	*data_len = modsig->raw_pkcs7_len;
+	*data = &modsig->raw_sig;
+	*data_len = modsig->raw_sig_len;
 
 	return 0;
 }
@@ -146,6 +182,9 @@ void ima_free_modsig(struct modsig *modsig)
 	if (!modsig)
 		return;
 
-	pkcs7_free_message(modsig->pkcs7_msg);
+	if (modsig->id_type == PKEY_ID_PKCS7)
+		pkcs7_free_message(modsig->pkcs7_msg);
+	else
+		uasym_sig_free_message(modsig->uasym_sig);
 	kfree(modsig);
 }
-- 
2.34.1



More information about the Linux-security-module-archive mailing list