Commit f1f2f614 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-integrity' of...

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity updates from Mimi Zohar:
 "The major feature this time is IMA support for measuring and
  appraising appended file signatures. In addition are a couple of bug
  fixes and code cleanup to use struct_size().

  In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
  image may be signed with an appended signature, using the same
  scripts/sign-file tool that is used to sign kernel modules.

  Similarly, the initramfs may contain an appended signature.

  This contained a lot of refactoring of the existing appended signature
  verification code, so that IMA could retain the existing framework of
  calculating the file hash once, storing it in the IMA measurement list
  and extending the TPM, verifying the file's integrity based on a file
  hash or signature (eg. xattrs), and adding an audit record containing
  the file hash, all based on policy. (The IMA support for appended
  signatures patch set was posted and reviewed 11 times.)

  The support for appended signature paves the way for adding other
  signature verification methods, such as fs-verity, based on a single
  system-wide policy. The file hash used for verifying the signature and
  the signature, itself, can be included in the IMA measurement list"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: ima_api: Use struct_size() in kzalloc()
  ima: use struct_size() in kzalloc()
  sefltest/ima: support appended signatures (modsig)
  ima: Fix use after free in ima_read_modsig()
  MODSIGN: make new include file self contained
  ima: fix freeing ongoing ahash_request
  ima: always return negative code for error
  ima: Store the measurement again when appraising a modsig
  ima: Define ima-modsig template
  ima: Collect modsig
  ima: Implement support for module-style appended signatures
  ima: Factor xattr_verify() out of ima_appraise_measurement()
  ima: Add modsig appraise_type option for module-style appended signatures
  integrity: Select CONFIG_KEYS instead of depending on it
  PKCS#7: Introduce pkcs7_get_digest()
  PKCS#7: Refactor verify_pkcs7_signature()
  MODSIGN: Export module signature definitions
  ima: initialize the "template" field with the default template
parents 298fb76a 2a7f0e53
+5 −1
@@ -37,7 +37,7 @@ Description:
			euid:= decimal value
			euid:= decimal value
			fowner:= decimal value
			fowner:= decimal value
		lsm:  	are LSM specific
		lsm:  	are LSM specific
		option:	appraise_type:= [imasig]
		option:	appraise_type:= [imasig] [imasig|modsig]
			template:= name of a defined IMA template type
			template:= name of a defined IMA template type
			(eg, ima-ng). Only valid when action is "measure".
			(eg, ima-ng). Only valid when action is "measure".
			pcr:= decimal value
			pcr:= decimal value
@@ -105,3 +105,7 @@ Description:


			measure func=KEXEC_KERNEL_CHECK pcr=4
			measure func=KEXEC_KERNEL_CHECK pcr=4
			measure func=KEXEC_INITRAMFS_CHECK pcr=5
			measure func=KEXEC_INITRAMFS_CHECK pcr=5

		Example of appraise rule allowing modsig appended signatures:

			appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
+3 −0
@@ -68,8 +68,10 @@ descriptors by adding their identifier to the format string
 - 'd-ng': the digest of the event, calculated with an arbitrary hash
 - 'd-ng': the digest of the event, calculated with an arbitrary hash
   algorithm (field format: [<hash algo>:]digest, where the digest
   algorithm (field format: [<hash algo>:]digest, where the digest
   prefix is shown only if the hash algorithm is not SHA1 or MD5);
   prefix is shown only if the hash algorithm is not SHA1 or MD5);
 - 'd-modsig': the digest of the event without the appended modsig;
 - 'n-ng': the name of the event, without size limitations;
 - 'n-ng': the name of the event, without size limitations;
 - 'sig': the file signature;
 - 'sig': the file signature;
 - 'modsig' the appended file signature;
 - 'buf': the buffer data that was used to generate the hash without size limitations;
 - 'buf': the buffer data that was used to generate the hash without size limitations;




@@ -79,6 +81,7 @@ Below, there is the list of defined template descriptors:
 - "ima-ng" (default): its format is ``d-ng|n-ng``;
 - "ima-ng" (default): its format is ``d-ng|n-ng``;
 - "ima-sig": its format is ``d-ng|n-ng|sig``;
 - "ima-sig": its format is ``d-ng|n-ng|sig``;
 - "ima-buf": its format is ``d-ng|n-ng|buf``;
 - "ima-buf": its format is ``d-ng|n-ng|buf``;
 - "ima-modsig": its format is ``d-ng|n-ng|sig|d-modsig|modsig``;




Use
Use
+1 −1
@@ -556,7 +556,7 @@ config ARCH_HAS_KEXEC_PURGATORY


config KEXEC_VERIFY_SIG
config KEXEC_VERIFY_SIG
	bool "Verify kernel signature during kexec_file_load() syscall"
	bool "Verify kernel signature during kexec_file_load() syscall"
	depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION
	depends on KEXEC_FILE && MODULE_SIG_FORMAT
	help
	help
	  This option makes kernel signature verification mandatory for
	  This option makes kernel signature verification mandatory for
	  the kexec_file_load() syscall.
	  the kexec_file_load() syscall.
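Review bot: The new `depends on KEXEC_FILE && MODULE_SIG_FORMAT` line drops the explicit SYSTEM_DATA_VERIFICATION dependency, and nothing in this hunk shows that MODULE_SIG_FORMAT pulls it back in; the s390 verifier still parses a PKCS#7 signature, so the PKCS#7 verification code must remain reachable from this option. I believe MODULE_SIG_FORMAT selects SYSTEM_DATA_VERIFICATION in init/Kconfig, so this is a dependency to confirm rather than a defect. A short help-text addition such as `Requires the module signature format (MODULE_SIG_FORMAT), which in turn provides PKCS#7 verification.` would make the indirect dependency visible to anyone configuring the kernel.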
+1 −23
@@ -10,7 +10,7 @@
#include <linux/elf.h>
#include <linux/elf.h>
#include <linux/errno.h>
#include <linux/errno.h>
#include <linux/kexec.h>
#include <linux/kexec.h>
#include <linux/module.h>
#include <linux/module_signature.h>
#include <linux/verification.h>
#include <linux/verification.h>
#include <asm/boot_data.h>
#include <asm/boot_data.h>
#include <asm/ipl.h>
#include <asm/ipl.h>
@@ -23,28 +23,6 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
};
};


#ifdef CONFIG_KEXEC_VERIFY_SIG
#ifdef CONFIG_KEXEC_VERIFY_SIG
/*
 * Module signature information block.
 *
 * The constituents of the signature section are, in order:
 *
 *	- Signer's name
 *	- Key identifier
 *	- Signature data
 *	- Information block
 */
struct module_signature {
	u8	algo;		/* Public-key crypto algorithm [0] */
	u8	hash;		/* Digest algorithm [0] */
	u8	id_type;	/* Key identifier type [PKEY_ID_PKCS7] */
	u8	signer_len;	/* Length of signer's name [0] */
	u8	key_id_len;	/* Length of key identifier [0] */
	u8	__pad[3];
	__be32	sig_len;	/* Length of signature data */
};

#define PKEY_ID_PKCS7 2

int s390_verify_sig(const char *kernel, unsigned long kernel_len)
int s390_verify_sig(const char *kernel, unsigned long kernel_len)
{
{
	const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
	const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
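Review bot: s390_verify_sig() still references MODULE_SIG_STRING on the last line of the hunk, and the local `struct module_signature` and `PKEY_ID_PKCS7` definitions it relied on are removed above; after the first hunk swaps `<linux/module.h>` for `<linux/module_signature.h>`, every one of these names must now be supplied by the new header, which this file section does not show. The series' "MODSIGN: Export module signature definitions" and "make new include file self contained" commits appear to be what provide them, so this is a build dependency to confirm rather than a defect found here. I would add one line above the `#ifdef CONFIG_KEXEC_VERIFY_SIG` block: `/* struct module_signature, PKEY_ID_PKCS7 and MODULE_SIG_STRING come from <linux/module_signature.h> */`. The body of s390_verify_sig() continues outside the hunk.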
+45 −16
@@ -190,19 +190,18 @@ late_initcall(load_system_certificate_list);
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION


/**
/**
 * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
 * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
 * @data: The data to be verified (NULL if expecting internal data).
 * @data: The data to be verified (NULL if expecting internal data).
 * @len: Size of @data.
 * @len: Size of @data.
 * @raw_pkcs7: The PKCS#7 message that is the signature.
 * @pkcs7: The PKCS#7 message that is the signature.
 * @pkcs7_len: The size of @raw_pkcs7.
 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 *					(void *)1UL for all trusted keys).
 *					(void *)1UL for all trusted keys).
 * @usage: The use to which the key is being put.
 * @usage: The use to which the key is being put.
 * @view_content: Callback to gain access to content.
 * @view_content: Callback to gain access to content.
 * @ctx: Context for callback.
 * @ctx: Context for callback.
 */
 */
int verify_pkcs7_signature(const void *data, size_t len,
int verify_pkcs7_message_sig(const void *data, size_t len,
			   const void *raw_pkcs7, size_t pkcs7_len,
			     struct pkcs7_message *pkcs7,
			     struct key *trusted_keys,
			     struct key *trusted_keys,
			     enum key_being_used_for usage,
			     enum key_being_used_for usage,
			     int (*view_content)(void *ctx,
			     int (*view_content)(void *ctx,
@@ -210,13 +209,8 @@ int verify_pkcs7_signature(const void *data, size_t len,
						 size_t asn1hdrlen),
						 size_t asn1hdrlen),
			     void *ctx)
			     void *ctx)
{
{
	struct pkcs7_message *pkcs7;
	int ret;
	int ret;


	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
	if (IS_ERR(pkcs7))
		return PTR_ERR(pkcs7);

	/* The data should be detached - so we need to supply it. */
	/* The data should be detached - so we need to supply it. */
	if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
	if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
		pr_err("PKCS#7 signature with non-detached data\n");
		pr_err("PKCS#7 signature with non-detached data\n");
@@ -269,6 +263,41 @@ int verify_pkcs7_signature(const void *data, size_t len,
	}
	}


error:
error:
	pr_devel("<==%s() = %d\n", __func__, ret);
	return ret;
}

/**
 * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
 * @data: The data to be verified (NULL if expecting internal data).
 * @len: Size of @data.
 * @raw_pkcs7: The PKCS#7 message that is the signature.
 * @pkcs7_len: The size of @raw_pkcs7.
 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
 *					(void *)1UL for all trusted keys).
 * @usage: The use to which the key is being put.
 * @view_content: Callback to gain access to content.
 * @ctx: Context for callback.
 */
int verify_pkcs7_signature(const void *data, size_t len,
			   const void *raw_pkcs7, size_t pkcs7_len,
			   struct key *trusted_keys,
			   enum key_being_used_for usage,
			   int (*view_content)(void *ctx,
					       const void *data, size_t len,
					       size_t asn1hdrlen),
			   void *ctx)
{
	struct pkcs7_message *pkcs7;
	int ret;

	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
	if (IS_ERR(pkcs7))
		return PTR_ERR(pkcs7);

	ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
				       view_content, ctx);

	pkcs7_free_message(pkcs7);
	pkcs7_free_message(pkcs7);
	pr_devel("<==%s() = %d\n", __func__, ret);
	pr_devel("<==%s() = %d\n", __func__, ret);
	return ret;
	return ret;
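Review bot: The kernel-doc for the new verify_pkcs7_message_sig() at the top of the first hunk does not state who owns @pkcs7 after the call; the wrapper verify_pkcs7_signature() added in the last hunk frees the message itself after verify_pkcs7_message_sig() returns, so the new function neither consumes nor frees it, and external callers that parse the message themselves must free it on every path. I would change the @pkcs7 line to `@pkcs7: The parsed PKCS#7 message that is the signature (caller retains ownership; not freed here).` and add a `Return: 0 on success, negative error code on failure.` section, since the function is now exported as an entry point in its own right. Separately, the "PKCS#7 signature with non-detached data" error path suggests that supplying @data attaches it to the message; if pkcs7_supply_detached_data() rejects a message that already carries data, the same @pkcs7 cannot be verified twice against detached data, which is worth a sentence in the kernel-doc if it holds. The first hunk's function body continues across the second hunk.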