From b7b2e271e1bfa78b13c27bcad61263e2ea5c662b Mon Sep 17 00:00:00 2001
From: zengsiyu
Date: Mon, 9 Oct 2023 14:58:11 +0800
Subject: [PATCH] add code sign

Change-Id: I627f9f8585b406e1d7bf0a070e515d3aeb3fd10f
Signed-off-by: zengsiyu
---
 drivers/hck/vendor_hooks.c | 1 +
 fs/Kconfig | 2 ++
 fs/Makefile | 5 +++--
 fs/verity/signature.c | 11 ++++++++++-
 include/linux/hck/lite_hck_code_sign.h | 27 ++++++++++++++++++++++++++
 security/selinux/include/classmap.h | 2 ++
 6 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 include/linux/hck/lite_hck_code_sign.h

diff --git a/drivers/hck/vendor_hooks.c b/drivers/hck/vendor_hooks.c
index 7bea8ddcaaa8..5ac7abbcac83 100644
--- a/drivers/hck/vendor_hooks.c
+++ b/drivers/hck/vendor_hooks.c
@@ -11,3 +11,4 @@
 #include
 #include
 #include
+#include
diff --git a/fs/Kconfig b/fs/Kconfig
index efc725d7c628..0b0cf3e09f30 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -115,6 +115,8 @@ config MANDATORY_FILE_LOCKING
 
 source "fs/crypto/Kconfig"
 
+source "fs/code_sign/Kconfig"
+
 source "fs/verity/Kconfig"
 
 source "fs/notify/Kconfig"
diff --git a/fs/Makefile b/fs/Makefile
index 74989c30c3fb..ff1ad0366d9d 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -4,7 +4,7 @@
 #
 # 14 Sep 2000, Christoph Hellwig
 # Rewritten to use lists instead of if-statements.
-#
+#
 
 obj-y := open.o read_write.o file_table.o super.o \
 char_dev.o stat.o exec.o pipe.o namei.o fcntl.o \
@@ -34,6 +34,7 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
 obj-$(CONFIG_AIO) += aio.o
 obj-$(CONFIG_FS_DAX) += dax.o
 obj-$(CONFIG_FS_ENCRYPTION) += crypto/
+obj-$(CONFIG_SECURITY_CODE_SIGN) += code_sign/
 obj-$(CONFIG_FS_VERITY) += verity/
 obj-$(CONFIG_FILE_LOCKING) += locks.o
 obj-$(CONFIG_BINFMT_AOUT) += binfmt_aout.o
@@ -64,7 +65,7 @@ obj-y += devpts/
 
 obj-$(CONFIG_PROFILING) += dcookies.o
 obj-$(CONFIG_DLM) += dlm/
- 
+
 # Do not add any filesystems before this line
 obj-$(CONFIG_FSCACHE) += fscache/
 obj-$(CONFIG_REISERFS_FS) += reiserfs/
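Review bot: The new `source "fs/code_sign/Kconfig"` line, together with `obj-$(CONFIG_SECURITY_CODE_SIGN) += code_sign/` in the fs/Makefile hunk, references a fs/code_sign directory that this patch does not create (the diffstat lists six files, none under fs/code_sign/), so applied on its own the Kconfig source cannot be resolved and kernel configuration fails. Presumably the directory arrives in a separate change; that ordering dependency belongs in the commit message. The fs/Makefile hunks also carry two whitespace-only edits unrelated to the feature (the `-#`/`+#` pair at line 7 and the `- `/`+` pair at line 67), which are better dropped or split into their own cleanup commit so the functional change stays reviewable.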
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index b14ed96387ec..23109a7ba148 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 
 /*
  * /proc/sys/fs/verity/require_signatures
@@ -45,7 +46,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
 const u32 sig_size = le32_to_cpu(desc->sig_size);
 struct fsverity_signed_digest *d;
- int err;
+ int err, ret = 0;
 
 if (sig_size == 0) {
 if (fsverity_require_signatures) {
@@ -69,6 +70,14 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 d->digest_size = cpu_to_le16(hash_alg->digest_size);
 memcpy(d->digest, vi->measurement, hash_alg->digest_size);
 
+ CALL_HCK_LITE_HOOK(fsverity_verity_certchain_lhck, desc->signature, sig_size, &ret);
+ if (!ret) {
+ pr_debug("verify cert chain succ\n");
+ } else {
+ fsverity_err(inode, "verify cert chain failed, ret = %d", ret);
+ return -EPERM;
+ }
+
 err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
 desc->signature, sig_size,
 fsverity_keyring,
diff --git a/include/linux/hck/lite_hck_code_sign.h b/include/linux/hck/lite_hck_code_sign.h
new file mode 100644
index 000000000000..b03f9a2a1fb5
--- /dev/null
+++ b/include/linux/hck/lite_hck_code_sign.h
@@ -0,0 +1,27 @@
+//SPDX-License-Identifier: GPL-2.0-only
+/*lite_hck_sample.h
+ *
+ *OpenHarmony Common Kernel Vendor Hook Smaple
+ *
+ */
+
+#ifndef LITE_HCK_CODE_SIGN_H
+#define LITE_HCK_CODE_SIGN_H
+
+#include
+
+#ifndef CONFIG_HCK
+
+#define CALL_HCK_LITE_HOOK(name, args...)
+#define REGISTER_HCK_LITE_HOOK(name, probe)
+#define REGISTER_HCK_LITE_DATA_HOOK(name, probe, data)
+
+#else
+
+DECLARE_HCK_LITE_HOOK(fsverity_verity_certchain_lhck,
+ TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, int *ret),
+ TP_ARGS(raw_pkcs7, pkcs7_len, ret));
+
+#endif /* CONFIG_HCK */
+
+#endif /* LITE_HCK_CODE_SIGN_H */
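Review bot: The new `return -EPERM;` on cert-chain failure appears to leak `d`: the hunk fills `d->digest` from a buffer sized by `hash_alg->digest_size`, and if, as in upstream fs-verity, `d` is kzalloc'd above the hunk and released by `kfree(d)` right after `verify_pkcs7_signature()` (both outside this hunk), the early exit skips that free on every rejected file; the exit should read `kfree(d); return -EPERM;`, or the hook call should move ahead of the allocation since it only needs `desc->signature` and `sig_size`. Separately, `ret` starts at 0 and `CALL_HCK_LITE_HOOK` expands to nothing when CONFIG_HCK is off, and presumably also does nothing when no probe is registered, so the path is fail-open by design and `pr_debug("verify cert chain succ\n")` then reports a check that never ran. A comment such as `/* ret stays 0 when no cert-chain hook is registered; the PKCS#7 check below remains the baseline */` would make that intent explicit, and printing the success message only when a probe actually ran would keep the debug output honest. fsverity_verify_signature begins and ends outside the hunk.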
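Review bot: The file header still describes the template it was copied from (`/*lite_hck_sample.h` and `OpenHarmony Common Kernel Vendor Hook Smaple`, the last word misspelled), which is wrong for lite_hck_code_sign.h and should instead name this file and state that it declares the fs-verity certificate-chain hook. The hook contract is undocumented: a comment above `DECLARE_HCK_LITE_HOOK(fsverity_verity_certchain_lhck, ...)` should say that the probe receives the raw PKCS#7 blob and its length, must store 0 in `*ret` for an acceptable certificate chain and a non-zero value otherwise, and that with CONFIG_HCK unset `CALL_HCK_LITE_HOOK` expands to nothing, so the caller must initialise `*ret` itself and the check is silently skipped. Whether the three fallback `#define`s collide with the same macro names in the generic hck header included above (its name was lost in this rendering) cannot be told from here and is worth a build with CONFIG_HCK=n. The `//SPDX-License-Identifier` line should use the `/* */` form kernel headers use.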
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1c6c59b92ab5..2702e1df32a2 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -252,6 +252,8 @@ struct security_class_mapping secclass_map[] = {
 { "integrity", "confidentiality", NULL } },
 { "xpm",
 { "exec_no_sign", "exec_anon_mem", NULL } },
+ { "code_sign",
+ { "access_cert_chain", NULL } },
 { NULL }
 };
 
-- 
Gitee
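Review bot: The new `code_sign` class with its single `access_cert_chain` permission has no consumer in this patch — none of the six changed files performs an SELinux check against it — so it presumably pairs with the fs/code_sign code that lands separately; the class and permission strings there, and in the policy's class and access-vector definitions, must match these exactly, and that coupling should be stated in the commit message. A one-line comment above the entry naming the intended caller, e.g. `/* checked by the code-sign verifier (fs/code_sign); keep names in sync with policy */`, would tell the next reader why the class exists.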