From: Josh Boyer
Git-commit: Not yet
Patch-mainline: Not yet, from Fedora 18 kernel
Target: openSUSE 12.3
This adds an additional keyring that is used to store blacklisted
certificates. This keyring is searched first when loading signed modules,
and if the module's certificate is found in it, the module is refused. This
is useful in cases where third-party certificates are used for module signing.
Signed-off-by: Josh Boyer
Acked-by: Lee, Chun-Yi
---
init/Kconfig | 8 ++++++++
kernel/modsign_pubkey.c | 17 +++++++++++++++++
kernel/module-internal.h | 3 +++
kernel/module_signing.c | 14 +++++++++++++-
4 files changed, 41 insertions(+), 1 deletion(-)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1641,6 +1641,14 @@ config MODULE_SIG_FORCE
Reject unsigned modules or signed modules for which we don't have a
key. Without this, such modules will simply taint the kernel.
+config MODULE_SIG_BLACKLIST
+ bool "Support for blacklisting module signature certificates"
+ depends on MODULE_SIG
+ help
+ This adds support for keeping a blacklist of certificates that
+ should not pass module signature verification. If a module is
+ signed with something in this keyring, the load will be rejected.
+
choice
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
--- a/kernel/modsign_pubkey.c
+++ b/kernel/modsign_pubkey.c
@@ -17,6 +17,9 @@
#include "module-internal.h"
struct key *modsign_keyring;
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+struct key *modsign_blacklist;
+#endif
extern __initdata const u8 modsign_certificate_list[];
extern __initdata const u8 modsign_certificate_list_end[];
@@ -40,6 +43,20 @@ static __init int module_verify_init(voi
if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0)
panic("Can't instantiate module signing keyring\n");
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+ modsign_blacklist = key_alloc(&key_type_keyring, ".modsign_blacklist",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ,
+ KEY_ALLOC_NOT_IN_QUOTA);
+ if (IS_ERR(modsign_blacklist))
+ panic("Can't allocate module signing blacklist keyring\n");
+
+ if (key_instantiate_and_link(modsign_blacklist, NULL, 0, NULL, NULL) < 0)
+ panic("Can't instantiate module signing blacklist keyring\n");
+#endif
+
return 0;
}
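Review bot: Nothing visible in this patch ever links a certificate into `.modsign_blacklist`; the keyring is allocated and instantiated empty. The permission mask gives the user class only `KEY_USR_VIEW | KEY_USR_READ`, so it appears userspace cannot add entries at runtime either. If a separate patch is meant to populate it, say so in a comment above the `key_alloc()` call, for example `/* Populated by <population source>; the user class gets no write/link permission on purpose */`. Otherwise `MODULE_SIG_BLACKLIST` can be enabled and silently reject nothing. module_verify_init() begins above this hunk.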
--- a/kernel/module-internal.h
+++ b/kernel/module-internal.h
@@ -10,5 +10,8 @@
*/
extern struct key *modsign_keyring;
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+extern struct key *modsign_blacklist;
+#endif
extern int mod_verify_sig(const void *mod, unsigned long *_modlen);
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -133,7 +133,7 @@ static int mod_extract_mpi_array(struct
static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
const u8 *key_id, size_t key_id_len)
{
- key_ref_t key;
+ key_ref_t key, blacklist;
size_t i;
char *id, *q;
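Review bot: `blacklist` is declared unconditionally here but is only used inside the `#ifdef CONFIG_MODULE_SIG_BLACKLIST` block in the next hunk. A build with the option off will therefore get an unused-variable warning. Either guard the declaration with the same `#ifdef`, or keep `key_ref_t key;` as it was and add `key_ref_t blacklist __maybe_unused;` on its own line. The function body continues past the end of this hunk.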
@@ -158,6 +158,18 @@ static struct key *request_asymmetric_ke
pr_debug("Look up: \"%s\"\n", id);
+#ifdef CONFIG_MODULE_SIG_BLACKLIST
+ blacklist = keyring_search(make_key_ref(modsign_blacklist, 1),
+ &key_type_asymmetric, id);
+ if (!IS_ERR(blacklist)) {
+ /* module is signed with a cert in the blacklist. reject */
+ pr_err("Module key '%s' is in blacklist\n", id);
+ key_ref_put(blacklist);
+ kfree(id);
+ return ERR_PTR(-EKEYREJECTED);
+ }
+#endif
+
key = keyring_search(make_key_ref(modsign_keyring, 1),
&key_type_asymmetric, id);
if (IS_ERR(key))
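Review bot: The blacklist check fails open, because `if (!IS_ERR(blacklist))` treats every error from `keyring_search()` as "not blacklisted" and falls through to the trusted-keyring lookup. Only the plain not-found result should fall through. Any other error, such as a permission failure or an entry that was found but is unusable, should `kfree(id)` and return the error, so that a broken revocation lookup cannot turn into an accepted module. Which errno means not-found is not visible in this hunk and should be confirmed against `keyring_search()`. The match is on the `id` description string rather than on key material, so it would help to document that blacklist entries must carry exactly the same signer and key-id description as the key they revoke. request_asymmetric_key() starts and ends outside this hunk.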
--