From: Roberto Sassu roberto.sassu@huawei.com
Provide a function to load user asymmetric keys from a keyring blob to the keyring supplied:
int preload_uasym_keys(const u8 *data, size_t data_len, struct key *keyring);
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- crypto/asymmetric_keys/Makefile | 3 +- crypto/asymmetric_keys/uasym_key_preload.c | 102 +++++++++++++++++++++ include/crypto/uasym_keys_sigs.h | 9 ++ 3 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 crypto/asymmetric_keys/uasym_key_preload.c
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index 191b7fe8359..ffc6c7d6e65 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -82,4 +82,5 @@ $(obj)/mscode.asn1.o: $(obj)/mscode.asn1.c $(obj)/mscode.asn1.h # obj-$(CONFIG_UASYM_KEYS_SIGS) += uasym_keys_sigs.o uasym_keys_sigs-y := uasym_key_parser.o \ - uasym_sig_parser.o + uasym_sig_parser.o \ + uasym_key_preload.o diff --git a/crypto/asymmetric_keys/uasym_key_preload.c b/crypto/asymmetric_keys/uasym_key_preload.c new file mode 100644 index 00000000000..039dbf64378 --- /dev/null +++ b/crypto/asymmetric_keys/uasym_key_preload.c @@ -0,0 +1,102 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2011 Red Hat, Inc. All Rights Reserved. + * Copyright (C) 2023 Huawei Technologies Duesseldorf GmbH + * + * Authors: + * David Howells dhowells@redhat.com + * Roberto Sassu roberto.sassu@huawei.com + * + * Load user asymmetric keys from a keyring blob. + */ + +#define pr_fmt(fmt) "UASYM PRELOAD: "fmt +#include <linux/module.h> +#include <linux/key.h> +#include <linux/err.h> +#include <linux/tlv_parser.h> + +#include "uasym_parser.h" + +/** + * create_uasym_key - Create a user asymmetric key + * @data_start: Where the user asymmetric key starts in the blob + * @data_end: Where the user asymmetric key ends in the blob + * @keyring: The keyring to add the new key to + * + * Create a user asymmetric key from the supplied buffer. + */ +static void __init create_uasym_key(const u8 *data_start, const u8 *data_end, + struct key *keyring) +{ + key_ref_t key; + + key = key_create_or_update(make_key_ref(keyring, 1), "asymmetric", NULL, + data_start, data_end - data_start, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + pr_notice("Ignoring user asymmetric key, error: %ld\n", + PTR_ERR(key)); + return; + } + + pr_notice("Loaded user asymmetric key '%s'\n", + key_ref_to_ptr(key)->description); + + key_ref_put(key); +} + +/** + * preload_uasym_keys - Load user asymmetric keys from a keyring blob + * @data: The keyring blob containing the user asymmetric keys + * @data_len: The size of the @data blob + * @keyring: The keyring to add the new keys to + * + * Preload a pack of user asymmetric keys from a keyring blob. + * + * The callers should override the current creds if they want the keys to be + * owned by someone other than the current process's owner. Keys will not be + * accounted towards the owner's quota. + * + * This function may only be called whilst the kernel is booting. + * + * Return: Zero on success, a negative value otherwise. + */ +int __init preload_uasym_keys(const u8 *data, size_t data_len, + struct key *keyring) +{ + const u8 *data_ptr = data, *data_end = data + data_len; + u64 data_type; + u64 num_fields; + u64 total_len; + int ret; + + kenter(""); + + while (data_ptr < data_end) { + ret = tlv_parse_hdr(&data_ptr, &data_len, &data_type, + &num_fields, &total_len, data_types_str, + TYPE__LAST); + if (ret < 0) { + pr_notice("Unable to parse keyring blob, ret: %d\n", + ret); + return ret; + } + + if (data_type != TYPE_KEY) { + data_ptr += total_len; + continue; + } + + create_uasym_key(data_ptr - sizeof(struct tlv_hdr), + data_ptr + total_len, keyring); + + data_ptr += total_len; + } + + return 0; +} diff --git a/include/crypto/uasym_keys_sigs.h b/include/crypto/uasym_keys_sigs.h index ac5bce6d081..a227d6d082e 100644 --- a/include/crypto/uasym_keys_sigs.h +++ b/include/crypto/uasym_keys_sigs.h @@ -29,6 +29,9 @@ int uasym_sig_get_digest(struct uasym_sig_message *uasym_sig, const u8 **buf, int uasym_sig_verify_message(struct uasym_sig_message *uasym_sig, struct key *keyring); void uasym_sig_free_message(struct uasym_sig_message *uasym_sig); + +int __init preload_uasym_keys(const u8 *data, size_t data_len, + struct key *keyring); #else static inline struct uasym_sig_message * uasym_sig_parse_message(const u8 *sig_data, size_t sig_len) @@ -68,5 +71,11 @@ static inline void uasym_sig_free_message(struct uasym_sig_message *uasym_sig) { }
+static inline int __init preload_uasym_keys(const u8 *data, size_t data_len, + struct key *keyring) +{ + return -EOPNOTSUPP; +} + #endif /* CONFIG_UASYM_KEYS_SIGS */ #endif /* _CRYPTO_UASYM_KEYS_SIGS_H */