1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Module signature checker
3 *
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #include <linux/kernel.h>
9 #include <linux/errno.h>
10 #include <linux/module.h>
11 #include <linux/module_signature.h>
12 #include <linux/string.h>
13 #include <linux/verification.h>
14 #include <linux/security.h>
15 #include <crypto/public_key.h>
16 #include <uapi/linux/module.h>
17 #include "internal.h"
18
19 #undef MODULE_PARAM_PREFIX
20 #define MODULE_PARAM_PREFIX "module."
21
22 /*
23 * ANDROID: GKI:
24 * Only enforce signature if SIG_PROTECT is not set
25 */
26 #ifndef CONFIG_MODULE_SIG_PROTECT
27 static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
28 module_param(sig_enforce, bool_enable_only, 0644);
set_module_sig_enforced(void)29 void set_module_sig_enforced(void)
30 {
31 sig_enforce = true;
32 }
33 #else
34 #define sig_enforce false
35 #endif
36
37 /*
38 * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
39 * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
40 */
is_module_sig_enforced(void)41 bool is_module_sig_enforced(void)
42 {
43 return sig_enforce;
44 }
45 EXPORT_SYMBOL(is_module_sig_enforced);
46
47 /*
48 * Verify the signature on a module.
49 */
mod_verify_sig(const void * mod,struct load_info * info)50 int mod_verify_sig(const void *mod, struct load_info *info)
51 {
52 struct module_signature ms;
53 size_t sig_len, modlen = info->len;
54 int ret;
55
56 pr_devel("==>%s(,%zu)\n", __func__, modlen);
57
58 if (modlen <= sizeof(ms))
59 return -EBADMSG;
60
61 memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
62
63 ret = mod_check_sig(&ms, modlen, "module");
64 if (ret)
65 return ret;
66
67 sig_len = be32_to_cpu(ms.sig_len);
68 modlen -= sig_len + sizeof(ms);
69 info->len = modlen;
70
71 return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
72 VERIFY_USE_SECONDARY_KEYRING,
73 VERIFYING_MODULE_SIGNATURE,
74 NULL, NULL);
75 }
76
module_sig_check(struct load_info * info,int flags)77 int module_sig_check(struct load_info *info, int flags)
78 {
79 int err = -ENODATA;
80 const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
81 const char *reason;
82 const void *mod = info->hdr;
83 bool mangled_module = flags & (MODULE_INIT_IGNORE_MODVERSIONS |
84 MODULE_INIT_IGNORE_VERMAGIC);
85 /*
86 * Do not allow mangled modules as a module with version information
87 * removed is no longer the module that was signed.
88 */
89 if (!mangled_module &&
90 info->len > markerlen &&
91 memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
92 /* We truncate the module to discard the signature */
93 info->len -= markerlen;
94 err = mod_verify_sig(mod, info);
95 if (!err) {
96 info->sig_ok = true;
97 return 0;
98 }
99 }
100
101 /*
102 * We don't permit modules to be loaded into the trusted kernels
103 * without a valid signature on them, but if we're not enforcing,
104 * certain errors are non-fatal.
105 */
106 switch (err) {
107 case -ENODATA:
108 reason = "unsigned module";
109 break;
110 case -ENOPKG:
111 reason = "module with unsupported crypto";
112 break;
113 case -ENOKEY:
114 reason = "module with unavailable key";
115 break;
116
117 default:
118 /*
119 * All other errors are fatal, including lack of memory,
120 * unparseable signatures, and signature check failures --
121 * even if signatures aren't required.
122 */
123 return err;
124 }
125
126 if (is_module_sig_enforced()) {
127 pr_notice("Loading of %s is rejected\n", reason);
128 return -EKEYREJECTED;
129 }
130
131 /*
132 * ANDROID: GKI: Do not prevent loading of unsigned modules;
133 * as all modules except GKI modules are not signed.
134 */
135 #ifndef CONFIG_MODULE_SIG_PROTECT
136 return security_locked_down(LOCKDOWN_MODULE_SIGNATURE);
137 #else
138 return 0;
139 #endif
140 }
141