IMA will use the module_signature format for append signatures, so export the relevant definitions and factor out the code which verifies that the appended signature trailer is valid. Also, create a CONFIG_MODULE_SIG_FORMAT option so that IMA can select it and be able to use mod_check_sig() without having to depend on either CONFIG_MODULE_SIG or CONFIG_MODULES. s390 duplicated the definition of struct module_signature so now they can use the new <linux/module_signature.h> header instead. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Acked-by: Jessica Yu <jeyu@kernel.org> Reviewed-by: Philipp Rudo <prudo@linux.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
		
			
				
	
	
		
			47 lines
		
	
	
		
			1.1 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			47 lines
		
	
	
		
			1.1 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0+
 | |
| /*
 | |
|  * Module signature checker
 | |
|  *
 | |
|  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 | |
|  * Written by David Howells (dhowells@redhat.com)
 | |
|  */
 | |
| 
 | |
| #include <linux/errno.h>
 | |
| #include <linux/printk.h>
 | |
| #include <linux/module_signature.h>
 | |
| #include <asm/byteorder.h>
 | |
| 
 | |
| /**
 | |
|  * mod_check_sig - check that the given signature is sane
 | |
|  *
 | |
|  * @ms:		Signature to check.
 | |
|  * @file_len:	Size of the file to which @ms is appended.
 | |
|  * @name:	What is being checked. Used for error messages.
 | |
|  */
 | |
| int mod_check_sig(const struct module_signature *ms, size_t file_len,
 | |
| 		  const char *name)
 | |
| {
 | |
| 	if (be32_to_cpu(ms->sig_len) >= file_len - sizeof(*ms))
 | |
| 		return -EBADMSG;
 | |
| 
 | |
| 	if (ms->id_type != PKEY_ID_PKCS7) {
 | |
| 		pr_err("%s: Module is not signed with expected PKCS#7 message\n",
 | |
| 		       name);
 | |
| 		return -ENOPKG;
 | |
| 	}
 | |
| 
 | |
| 	if (ms->algo != 0 ||
 | |
| 	    ms->hash != 0 ||
 | |
| 	    ms->signer_len != 0 ||
 | |
| 	    ms->key_id_len != 0 ||
 | |
| 	    ms->__pad[0] != 0 ||
 | |
| 	    ms->__pad[1] != 0 ||
 | |
| 	    ms->__pad[2] != 0) {
 | |
| 		pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n",
 | |
| 		       name);
 | |
| 		return -EBADMSG;
 | |
| 	}
 | |
| 
 | |
| 	return 0;
 | |
| }
 |