~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,21 +1,16 @@
	1	+// SPDX-License-Identifier: GPL-2.0-only
1	2	/*
2	3	* Copyright (C) 2011 Intel Corporation
3	4	*
4	5	* Author:
5	6	* Dmitry Kasatkin <dmitry.kasatkin@intel.com>
6		- *
7		- * This program is free software; you can redistribute it and/or modify
8		- * it under the terms of the GNU General Public License as published by
9		- * the Free Software Foundation, version 2 of the License.
10		- *
11	7	*/
12		-
13		-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14	8
15	9	#include <linux/err.h>
16	10	#include <linux/sched.h>
17	11	#include <linux/slab.h>
18	12	#include <linux/cred.h>
	13	+#include <linux/kernel_read_file.h>
19	14	#include <linux/key-type.h>
20	15	#include <linux/digsig.h>
21	16	#include <linux/vmalloc.h>
..	..	@@ -26,7 +21,7 @@
26	21
27	22	static struct key *keyring[INTEGRITY_KEYRING_MAX];
28	23
29		-static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
	24	+static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
30	25	#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
31	26	"_evm",
32	27	"_ima",
..	..	@@ -34,14 +29,8 @@
34	29	".evm",
35	30	".ima",
36	31	#endif
37		- "_module",
	32	+ ".platform",
38	33	};
39		-
40		-#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
41		-static bool init_keyring __initdata = true;
42		-#else
43		-static bool init_keyring __initdata;
44		-#endif
45	34
46	35	#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
47	36	#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
..	..	@@ -49,11 +38,10 @@
49	38	#define restrict_link_to_ima restrict_link_by_builtin_trusted
50	39	#endif
51	40
52		-int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
53		- const char *digest, int digestlen)
	41	+static struct key *integrity_keyring_from_id(const unsigned int id)
54	42	{
55		- if (id >= INTEGRITY_KEYRING_MAX \|\| siglen < 2)
56		- return -EINVAL;
	43	+ if (id >= INTEGRITY_KEYRING_MAX)
	44	+ return ERR_PTR(-EINVAL);
57	45
58	46	if (!keyring[id]) {
59	47	keyring[id] =
..	..	@@ -62,30 +50,86 @@
62	50	int err = PTR_ERR(keyring[id]);
63	51	pr_err("no %s keyring: %d\n", keyring_name[id], err);
64	52	keyring[id] = NULL;
65		- return err;
	53	+ return ERR_PTR(err);
66	54	}
67	55	}
	56	+
	57	+ return keyring[id];
	58	+}
	59	+
	60	+int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
	61	+ const char *digest, int digestlen)
	62	+{
	63	+ struct key *keyring;
	64	+
	65	+ if (siglen < 2)
	66	+ return -EINVAL;
	67	+
	68	+ keyring = integrity_keyring_from_id(id);
	69	+ if (IS_ERR(keyring))
	70	+ return PTR_ERR(keyring);
68	71
69	72	switch (sig[1]) {
70	73	case 1:
71	74	/* v1 API expect signature without xattr type */
72		- return digsig_verify(keyring[id], sig + 1, siglen - 1,
73		- digest, digestlen);
	75	+ return digsig_verify(keyring, sig + 1, siglen - 1, digest,
	76	+ digestlen);
74	77	case 2:
75		- return asymmetric_verify(keyring[id], sig, siglen,
76		- digest, digestlen);
	78	+ return asymmetric_verify(keyring, sig, siglen, digest,
	79	+ digestlen);
77	80	}
78	81
79	82	return -EOPNOTSUPP;
80	83	}
81	84
82		-int __init integrity_init_keyring(const unsigned int id)
	85	+int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
	86	+{
	87	+ struct key *keyring;
	88	+
	89	+ keyring = integrity_keyring_from_id(id);
	90	+ if (IS_ERR(keyring))
	91	+ return PTR_ERR(keyring);
	92	+
	93	+ return ima_modsig_verify(keyring, modsig);
	94	+}
	95	+
	96	+static int __init __integrity_init_keyring(const unsigned int id,
	97	+ key_perm_t perm,
	98	+ struct key_restriction *restriction)
83	99	{
84	100	const struct cred *cred = current_cred();
85		- struct key_restriction *restriction;
86	101	int err = 0;
87	102
88		- if (!init_keyring)
	103	+ keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
	104	+ KGIDT_INIT(0), cred, perm,
	105	+ KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
	106	+ if (IS_ERR(keyring[id])) {
	107	+ err = PTR_ERR(keyring[id]);
	108	+ pr_info("Can't allocate %s keyring (%d)\n",
	109	+ keyring_name[id], err);
	110	+ keyring[id] = NULL;
	111	+ } else {
	112	+ if (id == INTEGRITY_KEYRING_PLATFORM)
	113	+ set_platform_trusted_keys(keyring[id]);
	114	+ }
	115	+
	116	+ return err;
	117	+}
	118	+
	119	+int __init integrity_init_keyring(const unsigned int id)
	120	+{
	121	+ struct key_restriction *restriction;
	122	+ key_perm_t perm;
	123	+
	124	+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_VIEW
	125	+ \| KEY_USR_READ \| KEY_USR_SEARCH;
	126	+
	127	+ if (id == INTEGRITY_KEYRING_PLATFORM) {
	128	+ restriction = NULL;
	129	+ goto out;
	130	+ }
	131	+
	132	+ if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
89	133	return 0;
90	134
91	135	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
..	..	@@ -93,57 +137,67 @@
93	137	return -ENOMEM;
94	138
95	139	restriction->check = restrict_link_to_ima;
	140	+ perm \|= KEY_USR_WRITE;
96	141
97		- keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
98		- KGIDT_INIT(0), cred,
99		- ((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
100		- KEY_USR_VIEW \| KEY_USR_READ \|
101		- KEY_USR_WRITE \| KEY_USR_SEARCH),
102		- KEY_ALLOC_NOT_IN_QUOTA,
103		- restriction, NULL);
104		- if (IS_ERR(keyring[id])) {
105		- err = PTR_ERR(keyring[id]);
106		- pr_info("Can't allocate %s keyring (%d)\n",
107		- keyring_name[id], err);
108		- keyring[id] = NULL;
109		- }
110		- return err;
	142	+out:
	143	+ return __integrity_init_keyring(id, perm, restriction);
111	144	}
112	145
113		-int __init integrity_load_x509(const unsigned int id, const char *path)
	146	+int __init integrity_add_key(const unsigned int id, const void *data,
	147	+ off_t size, key_perm_t perm)
114	148	{
115	149	key_ref_t key;
116		- void *data;
117		- loff_t size;
118		- int rc;
	150	+ int rc = 0;
119	151
120	152	if (!keyring[id])
121	153	return -EINVAL;
122	154
123		- rc = kernel_read_file_from_path(path, &data, &size, 0,
	155	+ key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
	156	+ NULL, data, size, perm,
	157	+ KEY_ALLOC_NOT_IN_QUOTA);
	158	+ if (IS_ERR(key)) {
	159	+ rc = PTR_ERR(key);
	160	+ pr_err("Problem loading X.509 certificate %d\n", rc);
	161	+ } else {
	162	+ pr_notice("Loaded X.509 cert '%s'\n",
	163	+ key_ref_to_ptr(key)->description);
	164	+ key_ref_put(key);
	165	+ }
	166	+
	167	+ return rc;
	168	+
	169	+}
	170	+
	171	+int __init integrity_load_x509(const unsigned int id, const char *path)
	172	+{
	173	+ void *data = NULL;
	174	+ size_t size;
	175	+ int rc;
	176	+ key_perm_t perm;
	177	+
	178	+ rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
124	179	READING_X509_CERTIFICATE);
125	180	if (rc < 0) {
126	181	pr_err("Unable to open file: %s (%d)", path, rc);
127	182	return rc;
128	183	}
	184	+ size = rc;
129	185
130		- key = key_create_or_update(make_key_ref(keyring[id], 1),
131		- "asymmetric",
132		- NULL,
133		- data,
134		- size,
135		- ((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
136		- KEY_USR_VIEW \| KEY_USR_READ),
137		- KEY_ALLOC_NOT_IN_QUOTA);
138		- if (IS_ERR(key)) {
139		- rc = PTR_ERR(key);
140		- pr_err("Problem loading X.509 certificate (%d): %s\n",
141		- rc, path);
142		- } else {
143		- pr_notice("Loaded X.509 cert '%s': %s\n",
144		- key_ref_to_ptr(key)->description, path);
145		- key_ref_put(key);
146		- }
	186	+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_VIEW \| KEY_USR_READ;
	187	+
	188	+ pr_info("Loading X.509 certificate: %s\n", path);
	189	+ rc = integrity_add_key(id, (const void *)data, size, perm);
	190	+
147	191	vfree(data);
148		- return 0;
	192	+ return rc;
	193	+}
	194	+
	195	+int __init integrity_load_cert(const unsigned int id, const char *source,
	196	+ const void *data, size_t len, key_perm_t perm)
	197	+{
	198	+ if (!data)
	199	+ return -EINVAL;
	200	+
	201	+ pr_info("Loading X.509 certificate: %s\n", source);
	202	+ return integrity_add_key(id, data, len, perm);
149	203	}