[RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]

From: David Howells
Date: Tue Jan 19 2016 - 06:31:15 EST

Next message: David Howells: "[RFC PATCH 03/20] X.509: Allow X.509 certs to be blacklisted [ver #2]"
Previous message: David Howells: "[RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key [ver #2]"
In reply to: Mimi Zohar: "Re: [RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key [ver #2]"
Next in thread: Mimi Zohar: "Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Add the following:

(1) A new system keyring that is used to store information about
blacklisted certificates and signatures.

(2) A new key type (called 'blacklist') that is used to store a
blacklisted hash in its description as a hex string. The key accepts
no payload.

(3) The ability to configure a list of blacklisted hashes into the kernel
at build time. This is done by setting
CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
that are in the form:

"<hash>", "<hash>", ..., "<hash>"

where each <hash> is a hex string representation of the hash and must
include all necessary leading zeros to pad the hash to the right size.

The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.

Once the kernel is booted, the blacklist keyring can be listed:

root@andromeda ~]# keyctl show %:.blacklist
Keyring
723359729 ---lswrv 0 0 keyring: .blacklist
676257228 ---lswrv 0 0 \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46

The blacklist cannot currently be modified by userspace, but it will be
possible to load it, for example, from the UEFI blacklist database.

In the future, it should also be made possible to load blacklisted
asymmetric keys in here too.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

certs/Kconfig | 18 +++++
certs/Makefile | 6 ++
certs/blacklist.c | 164 +++++++++++++++++++++++++++++++++++++++++
certs/blacklist.h | 3 +
certs/blacklist_hashes.c | 6 ++
certs/blacklist_nohashes.c | 5 +
include/keys/system_keyring.h | 15 ++++
7 files changed, 217 insertions(+)
create mode 100644 certs/blacklist.c
create mode 100644 certs/blacklist.h
create mode 100644 certs/blacklist_hashes.c
create mode 100644 certs/blacklist_nohashes.c

diff --git a/certs/Kconfig b/certs/Kconfig
index b030b9c7ed34..7ce41d4b541d 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -39,4 +39,22 @@ config SYSTEM_TRUSTED_KEYS
form of DER-encoded *.x509 files in the top-level build directory,
those are no longer used. You will need to set this option instead.

+config SYSTEM_BLACKLIST_KEYRING
+ bool "Provide system-wide ring of blacklisted keys"
+ depends on KEYS
+ help
+ Provide a system keyring to which blacklisted keys can be added.
+ Keys in the keyring are considered entirely untrusted. Keys in this
+ keyring are used by the module signature checking to reject loading
+ of modules signed with a blacklisted key.
+
+config SYSTEM_BLACKLIST_HASH_LIST
+ string "Hashes to be preloaded into the system blacklist keyring"
+ depends on SYSTEM_BLACKLIST_KEYRING
+ help
+ If set, this option should be the filename of a list of hashes in the
+ form "<hash>", "<hash>", ... . This will be included into a C
+ wrapper to incorporate the list into the kernel. Each <hash> should
+ be a string of hex digits.
+
endmenu
diff --git a/certs/Makefile b/certs/Makefile
index 28ac694dd11a..556705723c68 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -3,6 +3,12 @@
#

obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
+obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
+ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
+obj-y += blacklist_hashes.o
+else
+obj-y += blacklist_nohashes.o
+endif

ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)

diff --git a/certs/blacklist.c b/certs/blacklist.c
new file mode 100644
index 000000000000..5f54baae3a32
--- /dev/null
+++ b/certs/blacklist.c
@@ -0,0 +1,164 @@
+/* System hash blacklist.
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@xxxxxxxxxx)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "blacklist: "fmt
+#include <linux/module.h>
+#include <linux/slab.h>
+#include <linux/key.h>
+#include <linux/key-type.h>
+#include <linux/sched.h>
+#include <linux/ctype.h>
+#include <linux/err.h>
+#include <keys/system_keyring.h>
+#include "blacklist.h"
+
+static struct key *blacklist_keyring;
+
+/*
+ * The description must be an even number of hex digits. We keep the hash
+ * here.
+ */
+static int blacklist_vet_description(const char *desc)
+{
+ int n = 0;
+
+ for (; *desc; desc++) {
+ if (!isxdigit(*desc))
+ return -EINVAL;
+ n++;
+ }
+
+ if (n == 0 || n & 1)
+ return -EINVAL;
+ return 0;
+}
+
+/*
+ * The hash to be blacklisted is expected to be in the description. There will
+ * be no payload.
+ */
+static int blacklist_preparse(struct key_preparsed_payload *prep)
+{
+ if (prep->datalen > 0)
+ return -EINVAL;
+ return 0;
+}
+
+static void blacklist_free_preparse(struct key_preparsed_payload *prep)
+{
+}
+
+static struct key_type key_type_blacklist = {
+ .name = "blacklist",
+ .vet_description = blacklist_vet_description,
+ .preparse = blacklist_preparse,
+ .free_preparse = blacklist_free_preparse,
+ .instantiate = generic_key_instantiate,
+};
+
+/**
+ * mark_hash_blacklisted - Add a hash to the system blacklist
+ * @hash - The hash as a hex string
+ */
+int mark_hash_blacklisted(const char *hash)
+{
+ key_ref_t key;
+
+ key = key_create_or_update(make_key_ref(blacklist_keyring, true),
+ "blacklist",
+ hash,
+ NULL,
+ 0,
+ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW),
+ KEY_ALLOC_NOT_IN_QUOTA |
+ KEY_ALLOC_BUILT_IN);
+ if (IS_ERR(key)) {
+ pr_err("Problem blacklisting hash (%ld)\n",
+ PTR_ERR(key));
+ return PTR_ERR(key);
+ }
+ return 0;
+}
+
+/**
+ * is_hash_blacklisted - Determine if a hash is blacklisted
+ * @hash: The hash to be checked as a hex string.
+ */
+int is_hash_blacklisted(const char *hash)
+{
+ key_ref_t kref;
+
+ kref = keyring_search(make_key_ref(blacklist_keyring, true),
+ &key_type_blacklist, hash);
+ if (!IS_ERR(kref)) {
+ key_ref_put(kref);
+ return -EKEYREJECTED;
+ }
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(is_hash_blacklisted);
+
+/**
+ * is_bin_hash_blacklisted - Determine if a hash is blacklisted
+ * @hash: The hash to be checked as a binary blob
+ * @hash_len: The length of the binary hash
+ */
+int is_bin_hash_blacklisted(const u8 *hash, size_t hash_len)
+{
+ char *buffer;
+ int ret;
+
+ buffer = kmalloc(hash_len * 2 + 1, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+ bin2hex(buffer, hash, hash_len);
+ buffer[hash_len * 2] = 0;
+ ret = is_hash_blacklisted(buffer);
+ kfree(buffer);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(is_bin_hash_blacklisted);
+
+/*
+ * Intialise the blacklist
+ */
+static int __init blacklist_init(void)
+{
+ const char *const *bl;
+
+ if (register_key_type(&key_type_blacklist) < 0)
+ panic("Can't allocate system blacklist key type\n");
+
+ blacklist_keyring =
+ keyring_alloc(".blacklist",
+ KUIDT_INIT(0), KGIDT_INIT(0),
+ current_cred(),
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW | KEY_USR_READ |
+ KEY_USR_SEARCH,
+ KEY_ALLOC_NOT_IN_QUOTA |
+ KEY_FLAG_KEEP,
+ NULL);
+ if (IS_ERR(blacklist_keyring))
+ panic("Can't allocate system blacklist keyring\n");
+
+ for (bl = blacklist_hashes; *bl; bl++)
+ if (mark_hash_blacklisted(*bl) < 0)
+ pr_err("- blacklisting failed\n");
+ return 0;
+}
+
+/*
+ * Must be initialised before we try and load the keys into the keyring.
+ */
+device_initcall(blacklist_init);
diff --git a/certs/blacklist.h b/certs/blacklist.h
new file mode 100644
index 000000000000..150d82da8e99
--- /dev/null
+++ b/certs/blacklist.h
@@ -0,0 +1,3 @@
+#include <linux/kernel.h>
+
+extern const char __initdata *const blacklist_hashes[];
diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c
new file mode 100644
index 000000000000..5bd449f7db17
--- /dev/null
+++ b/certs/blacklist_hashes.c
@@ -0,0 +1,6 @@
+#include "blacklist.h"
+
+const char __initdata *const blacklist_hashes[] = {
+#include CONFIG_SYSTEM_BLACKLIST_HASH_LIST
+ , NULL
+};
diff --git a/certs/blacklist_nohashes.c b/certs/blacklist_nohashes.c
new file mode 100644
index 000000000000..851de10706a5
--- /dev/null
+++ b/certs/blacklist_nohashes.c
@@ -0,0 +1,5 @@
+#include "blacklist.h"
+
+const char __initdata *const blacklist_hashes[] = {
+ NULL
+};
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 39fd38cfa8c9..e8334d299314 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -35,6 +35,21 @@ extern int system_verify_data(const void *data, unsigned long len,
enum key_being_used_for usage);
#endif

+#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+extern int mark_hash_blacklisted(const char *hash);
+extern int is_hash_blacklisted(const char *hash);
+extern int is_bin_hash_blacklisted(const u8 *hash, size_t hash_len);
+#else
+static inline int is_hash_blacklisted(const char *hash)
+{
+ return 0;
+}
+static inline int is_bin_hash_blacklisted(const u8 *hash, size_t hash_len)
+{
+ return 0;
+}
+#endif
+
#ifdef CONFIG_IMA_MOK_KEYRING
extern struct key *ima_mok_keyring;
extern struct key *ima_blacklist_keyring;

Next message: David Howells: "[RFC PATCH 03/20] X.509: Allow X.509 certs to be blacklisted [ver #2]"
Previous message: David Howells: "[RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key [ver #2]"
In reply to: Mimi Zohar: "Re: [RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key [ver #2]"
Next in thread: Mimi Zohar: "Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]