[PATCH v3 11/14] verification: introduce verify_pgp_signature()
From: Roberto Sassu
Date: Wed Sep 11 2024 - 08:35:06 EST
From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Introduce verify_pgp_signature() to verify PGP signatures from detached
data. It can be used by kernel subsystems (e.g. IMA).
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
certs/system_keyring.c | 71 ++++++++++++++++++++++++++++++++++++
include/linux/verification.h | 23 ++++++++++++
2 files changed, 94 insertions(+)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..f132773c6096 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -16,6 +16,7 @@
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
+#include <crypto/pgp.h>
static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
@@ -418,6 +419,76 @@ int verify_pkcs7_signature(const void *data, size_t len,
}
EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+#ifdef CONFIG_PGP_KEY_PARSER
+/**
+ * verify_pgp_signature - Verify a PGP-based signature on system data.
+ * @data: The data to be verified (must be provided).
+ * @len: Size of @data.
+ * @raw_pgp: The PGP message that is the signature.
+ * @pgp_len: The size of @raw_pgp.
+ * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
+ * (void *)1UL for all trusted keys,
+ (void *)2UL for platform keys).
+ * @usage: The use to which the key is being put.
+ * @view_content: Callback to gain access to content.
+ * @ctx: Context for callback.
+ */
+int verify_pgp_signature(const void *data, size_t len,
+ const void *raw_pgp, size_t pgp_len,
+ struct key *trusted_keys,
+ enum key_being_used_for usage,
+ int (*view_content)(void *ctx,
+ const void *data, size_t len,
+ size_t asn1hdrlen),
+ void *ctx)
+{
+ struct pgp_sig_verify *pgp_ctx;
+ int ret;
+
+ if (!data || !len)
+ return -EINVAL;
+
+ pgp_ctx = pgp_sig_parse(raw_pgp, pgp_len);
+ if (IS_ERR(pgp_ctx))
+ return PTR_ERR(pgp_ctx);
+
+ if (!trusted_keys) {
+ trusted_keys = builtin_trusted_keys;
+ } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ trusted_keys = secondary_trusted_keys;
+#else
+ trusted_keys = builtin_trusted_keys;
+#endif
+ } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+ trusted_keys = platform_trusted_keys;
+#else
+ trusted_keys = NULL;
+#endif
+ if (!trusted_keys) {
+ ret = -ENOKEY;
+ pr_devel("PGP platform keyring is not available\n");
+ goto error;
+ }
+ }
+
+ /* The data should be detached - so we need to supply it. */
+ if (pgp_sig_add_data(pgp_ctx, data, len)) {
+ pr_err("Failed to supply data for PGP signature\n");
+ ret = -EBADMSG;
+ goto error;
+ }
+
+ ret = pgp_sig_verify(pgp_ctx, trusted_keys);
+error:
+ pgp_sig_verify_cancel(pgp_ctx, false);
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(verify_pgp_signature);
+
+#endif /* CONFIG_PGP_KEY_PARSER */
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
diff --git a/include/linux/verification.h b/include/linux/verification.h
index cb2d47f28091..e1a3b9424b67 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -63,6 +63,29 @@ extern int verify_pkcs7_message_sig(const void *data, size_t len,
size_t asn1hdrlen),
void *ctx);
+#ifdef CONFIG_PGP_KEY_PARSER
+extern int verify_pgp_signature(const void *data, size_t len,
+ const void *raw_pgp, size_t pgp_len,
+ struct key *trusted_keys,
+ enum key_being_used_for usage,
+ int (*view_content)(void *ctx,
+ const void *data, size_t len,
+ size_t asn1hdrlen),
+ void *ctx);
+#else
+static inline int verify_pgp_signature(const void *data, size_t len,
+ const void *raw_pgp, size_t pgp_len,
+ struct key *trusted_keys,
+ enum key_being_used_for usage,
+ int (*view_content)(void *ctx,
+ const void *data, size_t len,
+ size_t asn1hdrlen),
+ void *ctx)
+{
+ return -EOPNOTSUPP;
+}
+#endif /* CONFIG_PGP_KEY_PARSER */
+
#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
struct key *trusted_keys,
--
2.34.1