diff options
| author |   David Howells <dhowells@redhat.com> | 2015-07-20 21:16:28 +0100 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2015-08-07 16:26:13 +0100 |
| commit | 091f6e26eb326adbd718f406e440c838bed8ebb6 (patch) | |
| tree | 9562f51745eb81fdf44d1fb56d6e79090935d2e4 /kernel/module_signing.c | |
| parent | system_keyring.c doesn't need to #include module-internal.h (diff) | |
| download | wireguard-linux-091f6e26eb326adbd718f406e440c838bed8ebb6.tar.xz wireguard-linux-091f6e26eb326adbd718f406e440c838bed8ebb6.zip | |
MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
Extract the function that drives the PKCS#7 signature verification given a
data blob and a PKCS#7 blob out from the module signing code and lump it with
the system keyring code as it's generic. This makes it independent of module
config options and opens it to use by the firmware loader.
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Ming Lei <ming.lei@canonical.com>
Cc: Seth Forshee <seth.forshee@canonical.com>
Cc: Kyle McMartin <kyle@kernel.org>
Diffstat (limited to 'kernel/module_signing.c')
| -rw-r--r-- | kernel/module_signing.c | 44 |
1 files changed, 1 insertions, 43 deletions
diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 8eb20cc66b39..70ad463f6df0 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -10,10 +10,8 @@ */ #include <linux/kernel.h> -#include <linux/err.h> #include <keys/system_keyring.h> #include <crypto/public_key.h> -#include <crypto/pkcs7.h> #include "module-internal.h" /* @@ -37,46 +35,6 @@ struct module_signature { }; /* - * Verify a PKCS#7-based signature on a module. - */ -static int mod_verify_pkcs7(const void *mod, unsigned long modlen, - const void *raw_pkcs7, size_t pkcs7_len) -{ - struct pkcs7_message *pkcs7; - bool trusted; - int ret; - - pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); - if (IS_ERR(pkcs7)) - return PTR_ERR(pkcs7); - - /* The data should be detached - so we need to supply it. */ - if (pkcs7_supply_detached_data(pkcs7, mod, modlen) < 0) { - pr_err("PKCS#7 signature with non-detached data\n"); - ret = -EBADMSG; - goto error; - } - - ret = pkcs7_verify(pkcs7); - if (ret < 0) - goto error; - - ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted); - if (ret < 0) - goto error; - - if (!trusted) { - pr_err("PKCS#7 signature not signed with a trusted key\n"); - ret = -ENOKEY; - } - -error: - pkcs7_free_message(pkcs7); - pr_devel("<==%s() = %d\n", __func__, ret); - return ret; -} - -/* * Verify the signature on a module. */ int mod_verify_sig(const void *mod, unsigned long *_modlen) @@ -114,5 +72,5 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) return -EBADMSG; } - return mod_verify_pkcs7(mod, modlen, mod + modlen, sig_len); + return system_verify_data(mod, modlen, mod + modlen, sig_len); } |