| Message ID | 20210429072851.24057-3-jlee@suse.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Check codeSigning extended key usage extension | expand |
Hi Chun-Yi",
I love your patch! Yet something to improve:
[auto build test ERROR on linus/master]
[also build test ERROR on next-20210429]
[cannot apply to cryptodev/master crypto/master v5.12]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210429-153115
base: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git d72cd4ad4174cfd2257c426ad51e4f53bcfde9c9
config: powerpc64-randconfig-m031-20210429 (attached as .config)
compiler: powerpc-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/63e6809a57ca114d297694a24283256990aa10df
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210429-153115
git checkout 63e6809a57ca114d297694a24283256990aa10df
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross W=1 ARCH=powerpc64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
certs/blacklist.c: In function 'is_key_on_revocation_list':
>> certs/blacklist.c:188:8: error: too few arguments to function 'pkcs7_validate_trust'
188 | ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
| ^~~~~~~~~~~~~~~~~~~~
In file included from certs/blacklist.h:3,
from certs/blacklist.c:19:
include/crypto/pkcs7.h:32:12: note: declared here
32 | extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
| ^~~~~~~~~~~~~~~~~~~~
vim +/pkcs7_validate_trust +188 certs/blacklist.c
56c5812623f953 Eric Snowberg 2021-01-22 179
56c5812623f953 Eric Snowberg 2021-01-22 180 /**
56c5812623f953 Eric Snowberg 2021-01-22 181 * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
56c5812623f953 Eric Snowberg 2021-01-22 182 * @pkcs7: The PKCS#7 message to check
56c5812623f953 Eric Snowberg 2021-01-22 183 */
56c5812623f953 Eric Snowberg 2021-01-22 184 int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
56c5812623f953 Eric Snowberg 2021-01-22 185 {
56c5812623f953 Eric Snowberg 2021-01-22 186 int ret;
56c5812623f953 Eric Snowberg 2021-01-22 187
56c5812623f953 Eric Snowberg 2021-01-22 @188 ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
56c5812623f953 Eric Snowberg 2021-01-22 189
56c5812623f953 Eric Snowberg 2021-01-22 190 if (ret == 0)
56c5812623f953 Eric Snowberg 2021-01-22 191 return -EKEYREJECTED;
56c5812623f953 Eric Snowberg 2021-01-22 192
56c5812623f953 Eric Snowberg 2021-01-22 193 return -ENOKEY;
56c5812623f953 Eric Snowberg 2021-01-22 194 }
56c5812623f953 Eric Snowberg 2021-01-22 195 #endif
56c5812623f953 Eric Snowberg 2021-01-22 196
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 0c9a4795e847..302ca0555e75 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -206,7 +206,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len, goto error; } } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); + ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage); if (ret < 0) { if (ret == -ENOKEY) pr_devel("PKCS#7 signature not signed with a trusted key\n"); diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 1f1f004dc757..1754812df989 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. +config CHECK_CODESIGN_EKU + bool "Check codeSigning extended key usage" + depends on PKCS7_MESSAGE_PARSER=y + depends on SYSTEM_DATA_VERIFICATION + help + This option provides support for checking the codeSigning extended + key usage when verifying the signature in PKCS#7. It affects kernel + module verification and kexec PE binary verification. + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index b531df2013c4..7c27bf81aca9 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -16,12 +16,36 @@ #include <crypto/public_key.h> #include "pkcs7_parser.h" +#ifdef CONFIG_CHECK_CODESIGN_EKU +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + struct public_key *public_key = key->payload.data[asym_crypto]; + + switch (usage) { + case VERIFYING_MODULE_SIGNATURE: + case VERIFYING_KEXEC_PE_SIGNATURE: + return !!(public_key->eku & EKU_codeSigning); + default: + break; + } + return true; +} +#else +static bool check_codesign_eku(struct key *key, + enum key_being_used_for usage) +{ + return true; +} +#endif + /* * Check the trust on one PKCS#7 SignedInfo block. */ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct public_key_signature *sig = sinfo->sig; struct x509_certificate *x509, *last = NULL, *p; @@ -112,6 +136,12 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, return -ENOKEY; matched: + if (!check_codesign_eku(key, usage)) { + pr_warn("sinfo %u: The signer %x key is not CodeSigning\n", + sinfo->index, key_serial(key)); + key_put(key); + return -ENOKEY; + } ret = verify_signature(key, sig); key_put(key); if (ret < 0) { @@ -135,6 +165,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * pkcs7_validate_trust - Validate PKCS#7 trust chain * @pkcs7: The PKCS#7 certificate to validate * @trust_keyring: Signing certificates to use as starting points + * @usage: The use to which the key is being put. * * Validate that the certificate chain inside the PKCS#7 message intersects * keys we already know and trust. @@ -156,7 +187,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, * May also return -ENOMEM. */ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring) + struct key *trust_keyring, + enum key_being_used_for usage) { struct pkcs7_signed_info *sinfo; struct x509_certificate *p; @@ -167,7 +199,7 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, p->seen = false; for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { - ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring); + ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring, usage); switch (ret) { case -ENOKEY: continue; diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 38ec7f5f9041..b3b48240ba73 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -30,7 +30,8 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, * pkcs7_trust.c */ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, - struct key *trust_keyring); + struct key *trust_keyring, + enum key_being_used_for usage); /* * pkcs7_verify.c
This patch adds the logic for checking the CodeSigning extended key usage when verifying signature of kernel module or kexec PE binary in PKCS#7. Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com> --- certs/system_keyring.c | 2 +- crypto/asymmetric_keys/Kconfig | 9 +++++++++ crypto/asymmetric_keys/pkcs7_trust.c | 38 +++++++++++++++++++++++++++++++++--- include/crypto/pkcs7.h | 3 ++- 4 files changed, 47 insertions(+), 5 deletions(-)