1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Module signature checker 3 * 4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/kernel.h> 9 #include <linux/errno.h> 10 #include <linux/module.h> 11 #include <linux/module_signature.h> 12 #include <linux/string.h> 13 #include <linux/verification.h> 14 #include <linux/security.h> 15 #include <crypto/public_key.h> 16 #include <uapi/linux/module.h> 17 #include "internal.h" 18 19 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE); 20 module_param(sig_enforce, bool_enable_only, 0644); 21 22 /* 23 * Export sig_enforce kernel cmdline parameter to allow other subsystems rely 24 * on that instead of directly to CONFIG_MODULE_SIG_FORCE config. 25 */ 26 bool is_module_sig_enforced(void) 27 { 28 return sig_enforce; 29 } 30 EXPORT_SYMBOL(is_module_sig_enforced); 31 32 void set_module_sig_enforced(void) 33 { 34 sig_enforce = true; 35 } 36 37 /* 38 * Verify the signature on a module. 39 */ 40 int mod_verify_sig(const void *mod, struct load_info *info) 41 { 42 struct module_signature ms; 43 size_t sig_len, modlen = info->len; 44 int ret; 45 46 pr_devel("==>%s(,%zu)\n", __func__, modlen); 47 48 if (modlen <= sizeof(ms)) 49 return -EBADMSG; 50 51 memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); 52 53 ret = mod_check_sig(&ms, modlen, "module"); 54 if (ret) 55 return ret; 56 57 sig_len = be32_to_cpu(ms.sig_len); 58 modlen -= sig_len + sizeof(ms); 59 info->len = modlen; 60 61 return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, 62 VERIFY_USE_SECONDARY_KEYRING, 63 VERIFYING_MODULE_SIGNATURE, 64 NULL, NULL); 65 } 66 67 int module_sig_check(struct load_info *info, int flags) 68 { 69 int err = -ENODATA; 70 const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1; 71 const char *reason; 72 const void *mod = info->hdr; 73 bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS | 74 MODULE_INIT_IGNORE_VERMAGIC); 75 /* 76 * Do not allow mangled modules as a module with version information 77 * removed is no longer the module that was signed. 78 */ 79 if (!mangled_module && 80 info->len > markerlen && 81 memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) { 82 /* We truncate the module to discard the signature */ 83 info->len -= markerlen; 84 err = mod_verify_sig(mod, info); 85 if (!err) { 86 info->sig_ok = true; 87 return 0; 88 } 89 } 90 91 /* 92 * We don't permit modules to be loaded into the trusted kernels 93 * without a valid signature on them, but if we're not enforcing, 94 * certain errors are non-fatal. 95 */ 96 switch (err) { 97 case -ENODATA: 98 reason = "unsigned module"; 99 break; 100 case -ENOPKG: 101 reason = "module with unsupported crypto"; 102 break; 103 case -ENOKEY: 104 reason = "module with unavailable key"; 105 break; 106 107 default: 108 /* 109 * All other errors are fatal, including lack of memory, 110 * unparseable signatures, and signature check failures -- 111 * even if signatures aren't required. 112 */ 113 return err; 114 } 115 116 if (is_module_sig_enforced()) { 117 pr_notice("Loading of %s is rejected\n", reason); 118 return -EKEYREJECTED; 119 } 120 121 return security_locked_down(LOCKDOWN_MODULE_SIGNATURE); 122 } 123