~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,21 +1,16 @@
	1	+// SPDX-License-Identifier: GPL-2.0-only
1	2	/*
2	3	* Copyright (C) 2011 Intel Corporation
3	4	*
4	5	* Author:
5	6	* Dmitry Kasatkin <dmitry.kasatkin@intel.com>
6		- *
7		- * This program is free software; you can redistribute it and/or modify
8		- * it under the terms of the GNU General Public License as published by
9		- * the Free Software Foundation, version 2 of the License.
10		- *
11	7	*/
12		-
13		-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14	8
15	9	#include <linux/err.h>
16	10	#include <linux/sched.h>
17	11	#include <linux/slab.h>
18	12	#include <linux/cred.h>
	13	+#include <linux/kernel_read_file.h>
19	14	#include <linux/key-type.h>
20	15	#include <linux/digsig.h>
21	16	#include <linux/vmalloc.h>
..	..	@@ -26,7 +21,7 @@
26	21
27	22	static struct key *keyring[INTEGRITY_KEYRING_MAX];
28	23
29		-static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
	24	+static const char * const keyring_name[INTEGRITY_KEYRING_MAX] = {
30	25	#ifndef CONFIG_INTEGRITY_TRUSTED_KEYRING
31	26	"_evm",
32	27	"_ima",
..	..	@@ -34,14 +29,8 @@
34	29	".evm",
35	30	".ima",
36	31	#endif
37		- "_module",
	32	+ ".platform",
38	33	};
39		-
40		-#ifdef CONFIG_INTEGRITY_TRUSTED_KEYRING
41		-static bool init_keyring __initdata = true;
42		-#else
43		-static bool init_keyring __initdata;
44		-#endif
45	34
46	35	#ifdef CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
47	36	#define restrict_link_to_ima restrict_link_by_builtin_and_secondary_trusted
..	..	@@ -49,11 +38,10 @@
49	38	#define restrict_link_to_ima restrict_link_by_builtin_trusted
50	39	#endif
51	40
52		-int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
53		- const char *digest, int digestlen)
	41	+static struct key *integrity_keyring_from_id(const unsigned int id)
54	42	{
55		- if (id >= INTEGRITY_KEYRING_MAX \|\| siglen < 2)
56		- return -EINVAL;
	43	+ if (id >= INTEGRITY_KEYRING_MAX)
	44	+ return ERR_PTR(-EINVAL);
57	45
58	46	if (!keyring[id]) {
59	47	keyring[id] =
..	..	@@ -62,30 +50,87 @@
62	50	int err = PTR_ERR(keyring[id]);
63	51	pr_err("no %s keyring: %d\n", keyring_name[id], err);
64	52	keyring[id] = NULL;
65		- return err;
	53	+ return ERR_PTR(err);
66	54	}
67	55	}
	56	+
	57	+ return keyring[id];
	58	+}
	59	+
	60	+int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
	61	+ const char *digest, int digestlen)
	62	+{
	63	+ struct key *keyring;
	64	+
	65	+ if (siglen < 2)
	66	+ return -EINVAL;
	67	+
	68	+ keyring = integrity_keyring_from_id(id);
	69	+ if (IS_ERR(keyring))
	70	+ return PTR_ERR(keyring);
68	71
69	72	switch (sig[1]) {
70	73	case 1:
71	74	/* v1 API expect signature without xattr type */
72		- return digsig_verify(keyring[id], sig + 1, siglen - 1,
73		- digest, digestlen);
	75	+ return digsig_verify(keyring, sig + 1, siglen - 1, digest,
	76	+ digestlen);
74	77	case 2:
75		- return asymmetric_verify(keyring[id], sig, siglen,
76		- digest, digestlen);
	78	+ return asymmetric_verify(keyring, sig, siglen, digest,
	79	+ digestlen);
77	80	}
78	81
79	82	return -EOPNOTSUPP;
80	83	}
81	84
82		-int __init integrity_init_keyring(const unsigned int id)
	85	+int integrity_modsig_verify(const unsigned int id, const struct modsig *modsig)
	86	+{
	87	+ struct key *keyring;
	88	+
	89	+ keyring = integrity_keyring_from_id(id);
	90	+ if (IS_ERR(keyring))
	91	+ return PTR_ERR(keyring);
	92	+
	93	+ return ima_modsig_verify(keyring, modsig);
	94	+}
	95	+
	96	+static int __init __integrity_init_keyring(const unsigned int id,
	97	+ key_perm_t perm,
	98	+ struct key_restriction *restriction)
83	99	{
84	100	const struct cred *cred = current_cred();
85		- struct key_restriction *restriction;
86	101	int err = 0;
87	102
88		- if (!init_keyring)
	103	+ keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
	104	+ KGIDT_INIT(0), cred, perm,
	105	+ KEY_ALLOC_NOT_IN_QUOTA, restriction, NULL);
	106	+ if (IS_ERR(keyring[id])) {
	107	+ err = PTR_ERR(keyring[id]);
	108	+ pr_info("Can't allocate %s keyring (%d)\n",
	109	+ keyring_name[id], err);
	110	+ keyring[id] = NULL;
	111	+ } else {
	112	+ if (id == INTEGRITY_KEYRING_PLATFORM)
	113	+ set_platform_trusted_keys(keyring[id]);
	114	+ }
	115	+
	116	+ return err;
	117	+}
	118	+
	119	+int __init integrity_init_keyring(const unsigned int id)
	120	+{
	121	+ struct key_restriction *restriction;
	122	+ key_perm_t perm;
	123	+ int ret;
	124	+
	125	+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_VIEW
	126	+ \| KEY_USR_READ \| KEY_USR_SEARCH;
	127	+
	128	+ if (id == INTEGRITY_KEYRING_PLATFORM) {
	129	+ restriction = NULL;
	130	+ goto out;
	131	+ }
	132	+
	133	+ if (!IS_ENABLED(CONFIG_INTEGRITY_TRUSTED_KEYRING))
89	134	return 0;
90	135
91	136	restriction = kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
..	..	@@ -93,57 +138,70 @@
93	138	return -ENOMEM;
94	139
95	140	restriction->check = restrict_link_to_ima;
	141	+ perm \|= KEY_USR_WRITE;
96	142
97		- keyring[id] = keyring_alloc(keyring_name[id], KUIDT_INIT(0),
98		- KGIDT_INIT(0), cred,
99		- ((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
100		- KEY_USR_VIEW \| KEY_USR_READ \|
101		- KEY_USR_WRITE \| KEY_USR_SEARCH),
102		- KEY_ALLOC_NOT_IN_QUOTA,
103		- restriction, NULL);
104		- if (IS_ERR(keyring[id])) {
105		- err = PTR_ERR(keyring[id]);
106		- pr_info("Can't allocate %s keyring (%d)\n",
107		- keyring_name[id], err);
108		- keyring[id] = NULL;
109		- }
110		- return err;
	143	+out:
	144	+ ret = __integrity_init_keyring(id, perm, restriction);
	145	+ if (ret)
	146	+ kfree(restriction);
	147	+ return ret;
111	148	}
112	149
113		-int __init integrity_load_x509(const unsigned int id, const char *path)
	150	+int __init integrity_add_key(const unsigned int id, const void *data,
	151	+ off_t size, key_perm_t perm)
114	152	{
115	153	key_ref_t key;
116		- void *data;
117		- loff_t size;
118		- int rc;
	154	+ int rc = 0;
119	155
120	156	if (!keyring[id])
121	157	return -EINVAL;
122	158
123		- rc = kernel_read_file_from_path(path, &data, &size, 0,
	159	+ key = key_create_or_update(make_key_ref(keyring[id], 1), "asymmetric",
	160	+ NULL, data, size, perm,
	161	+ KEY_ALLOC_NOT_IN_QUOTA);
	162	+ if (IS_ERR(key)) {
	163	+ rc = PTR_ERR(key);
	164	+ pr_err("Problem loading X.509 certificate %d\n", rc);
	165	+ } else {
	166	+ pr_notice("Loaded X.509 cert '%s'\n",
	167	+ key_ref_to_ptr(key)->description);
	168	+ key_ref_put(key);
	169	+ }
	170	+
	171	+ return rc;
	172	+
	173	+}
	174	+
	175	+int __init integrity_load_x509(const unsigned int id, const char *path)
	176	+{
	177	+ void *data = NULL;
	178	+ size_t size;
	179	+ int rc;
	180	+ key_perm_t perm;
	181	+
	182	+ rc = kernel_read_file_from_path(path, 0, &data, INT_MAX, NULL,
124	183	READING_X509_CERTIFICATE);
125	184	if (rc < 0) {
126	185	pr_err("Unable to open file: %s (%d)", path, rc);
127	186	return rc;
128	187	}
	188	+ size = rc;
129	189
130		- key = key_create_or_update(make_key_ref(keyring[id], 1),
131		- "asymmetric",
132		- NULL,
133		- data,
134		- size,
135		- ((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
136		- KEY_USR_VIEW \| KEY_USR_READ),
137		- KEY_ALLOC_NOT_IN_QUOTA);
138		- if (IS_ERR(key)) {
139		- rc = PTR_ERR(key);
140		- pr_err("Problem loading X.509 certificate (%d): %s\n",
141		- rc, path);
142		- } else {
143		- pr_notice("Loaded X.509 cert '%s': %s\n",
144		- key_ref_to_ptr(key)->description, path);
145		- key_ref_put(key);
146		- }
	190	+ perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) \| KEY_USR_VIEW \| KEY_USR_READ;
	191	+
	192	+ pr_info("Loading X.509 certificate: %s\n", path);
	193	+ rc = integrity_add_key(id, (const void *)data, size, perm);
	194	+
147	195	vfree(data);
148		- return 0;
	196	+ return rc;
	197	+}
	198	+
	199	+int __init integrity_load_cert(const unsigned int id, const char *source,
	200	+ const void *data, size_t len, key_perm_t perm)
	201	+{
	202	+ if (!data)
	203	+ return -EINVAL;
	204	+
	205	+ pr_info("Loading X.509 certificate: %s\n", source);
	206	+ return integrity_add_key(id, data, len, perm);
149	207	}