diff --git a/drivers/hck/vendor_hooks.c b/drivers/hck/vendor_hooks.c
index 7bea8ddcaaa8bac1809c83c5775586d2fd8024d3..5ac7abbcac83ecf4b62a645e8cc4440abd73b4c5 100644
--- a/drivers/hck/vendor_hooks.c
+++ b/drivers/hck/vendor_hooks.c
@@ -11,3 +11,4 @@
 #include
 #include
 #include
+#include
diff --git a/fs/Kconfig b/fs/Kconfig
index efc725d7c628e7a0e864bcc02e40422466a1f374..0b0cf3e09f30200841534f4714e4b29487476bb9 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -115,6 +115,8 @@ config MANDATORY_FILE_LOCKING
 source "fs/crypto/Kconfig"
+source "fs/code_sign/Kconfig"
+
 source "fs/verity/Kconfig"
 source "fs/notify/Kconfig"
diff --git a/fs/Makefile b/fs/Makefile
index 74989c30c3fb240cee76863f008b5ce9ecc198c0..5036d569163229243ed1e5cf45b82117e34523bd 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -34,6 +34,7 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
 obj-$(CONFIG_AIO) += aio.o
 obj-$(CONFIG_FS_DAX) += dax.o
 obj-$(CONFIG_FS_ENCRYPTION) += crypto/
+obj-$(CONFIG_SECURITY_CODE_SIGN) += code_sign/
 obj-$(CONFIG_FS_VERITY) += verity/
 obj-$(CONFIG_FILE_LOCKING) += locks.o
 obj-$(CONFIG_BINFMT_AOUT) += binfmt_aout.o
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index b14ed96387ece05635780ef34e267729fe27ccb5..15e5879817e7714b5ed392580cdf63a00b423ba4 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 /*
  * /proc/sys/fs/verity/require_signatures
@@ -26,6 +27,14 @@ static int fsverity_require_signatures;
  */
 static struct key *fsverity_keyring;
+static inline int fsverity_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len)
+{
+ int ret = 0;
+
+ CALL_HCK_LITE_HOOK(code_sign_verify_certchain_lhck, raw_pkcs7, pkcs7_len, &ret);
+ return ret;
+}
+
 /**
  * fsverity_verify_signature() - check a verity file's signature
  * @vi: the file's fsverity_info
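Review bot: `fs/code_sign/Kconfig` is sourced here, `fs/code_sign/` is added to the build in the fs/Makefile hunk and the same path is whitelisted in the scripts/kconfig/lexer.l hunk, yet no file under fs/code_sign/ is part of this diff. Unless that directory already exists in the tree, configuration fails on the missing Kconfig file at this commit and bisection across the series breaks. Folding the directory into this commit, or landing it first, keeps every commit buildable; if it is deliberately split, the description should name the commit that provides it.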
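Review bot: fsverity_verify_certchain() is fail-open by construction and nothing says so: `ret` starts at 0 and only a registered hook can change it, so with CONFIG_HCK disabled (where the new header makes CALL_HCK_LITE_HOOK expand to nothing) and presumably also when no vendor probe has been registered, the certificate-chain check accepts every signature. That default may be intended, but because it gates fs-verity signature acceptance the reader needs to see it at the helper; a comment such as `/* Vendor hook for extra checks on the raw PKCS#7 blob. ret stays 0 (accept) when CONFIG_HCK is off or no probe is registered; a probe rejects by storing a negative errno. */` would do. The hook is also handed the signature before verify_pkcs7_signature() has parsed it, so the probe sees untrusted bytes and must do its own bounds checking — worth stating in the same comment. `static inline` on a one-use helper in a .c file is against the kernel's usual plain `static`; the compiler inlines it anyway.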
@@ -69,6 +78,13 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 d->digest_size = cpu_to_le16(hash_alg->digest_size);
 memcpy(d->digest, vi->measurement, hash_alg->digest_size);
+ err = fsverity_verify_certchain(desc->signature, sig_size);
+ if (err) {
+ fsverity_err(inode, "verify cert chain failed, err = %d", err);
+ return err;
+ }
+ pr_debug("verify cert chain success\n");
+
 err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
 desc->signature, sig_size, fsverity_keyring,
diff --git a/include/linux/hck/lite_hck_code_sign.h b/include/linux/hck/lite_hck_code_sign.h
new file mode 100644
index 0000000000000000000000000000000000000000..dc82ab61ad6d9571d3449ed0cce92ea6b46e582e
--- /dev/null
+++ b/include/linux/hck/lite_hck_code_sign.h
@@ -0,0 +1,27 @@
+//SPDX-License-Identifier: GPL-2.0-only
+/*lite_hck_sample.h
+ *
+ *OpenHarmony Common Kernel Vendor Hook Smaple
+ *
+ */
+
+#ifndef LITE_HCK_CODE_SIGN_H
+#define LITE_HCK_CODE_SIGN_H
+
+#include
+
+#ifndef CONFIG_HCK
+
+#define CALL_HCK_LITE_HOOK(name, args...)
+#define REGISTER_HCK_LITE_HOOK(name, probe)
+#define REGISTER_HCK_LITE_DATA_HOOK(name, probe, data)
+
+#else
+
+DECLARE_HCK_LITE_HOOK(code_sign_verify_certchain_lhck,
+ TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, int *ret),
+ TP_ARGS(raw_pkcs7, pkcs7_len, ret));
+
+#endif /* CONFIG_HCK */
+
+#endif /* LITE_HCK_CODE_SIGN_H */
diff --git a/scripts/kconfig/lexer.l b/scripts/kconfig/lexer.l
index 551ec37e9f27d08c0c2dfbb7a957ec12177f667f..464a19c3de388c5b4fcd85d43e4d3514858d08e9 100644
--- a/scripts/kconfig/lexer.l
+++ b/scripts/kconfig/lexer.l
@@ -27,6 +27,7 @@ static const char *kconfig_white_list[] = {
 "security/xpm/Kconfig",
 "drivers/auth_ctl/Kconfig",
 "drivers/staging/ucollection/Kconfig",
+ "fs/code_sign/Kconfig",
 };
 static struct {
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1c6c59b92ab5c79c73352c7246bce957c01e60dd..4b05b7692e235fd587ed186f90d021ef19b77f80 100644
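Review bot: `err` is whatever the vendor probe stored and the new branch returns it unchanged, so a probe that signals failure with a positive value (or a bool-style 1) leaks a positive return out of fsverity_verify_signature(), whose existing path returns the negative errno from verify_pkcs7_signature(). Normalizing at the call site keeps the contract independent of vendor code: `if (err > 0) err = -EINVAL;` before the `if (err)` check, or alternatively the hook's header must require probes to store a negative errno. The `pr_debug("verify cert chain success\n")` also fires when no hook ran at all (CONFIG_HCK off, where the helper always returns 0), logging a positive verdict that was never computed; `pr_debug("cert chain hook returned 0\n")` or dropping the line avoids that. fsverity_verify_signature() begins before this hunk and continues after it.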
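Review bot: The file header is copied from the sample — it names `lite_hck_sample.h`, reads `Vendor Hook Smaple`, and says nothing about this hook — so the one place a vendor implementer looks for the contract of code_sign_verify_certchain_lhck has none. Replace it with a comment naming this file and stating the contract: the probe receives the unparsed PKCS#7 signature of a verity file (`raw_pkcs7`, `pkcs7_len`) as untrusted input, and reports through `ret`, where 0 accepts and the caller in fs/verity/signature.c returns any non-zero value as the verification error, so probes should store a negative errno. The same comment should say that with CONFIG_HCK disabled the three macros defined here expand to nothing, so the call site disappears and verification proceeds as though the chain check passed. Kernel headers carry the license tag as `/* SPDX-License-Identifier: GPL-2.0-only */` rather than the `//` form used here; the `#include` target is not legible in this copy of the patch, so I cannot check it.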
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -252,6 +252,8 @@ struct security_class_mapping secclass_map[] = {
 { "integrity", "confidentiality", NULL } },
 { "xpm",
 { "exec_no_sign", "exec_anon_mem", NULL } },
+ { "code_sign",
+ { "add_cert_chain", NULL } },
 { NULL }
 };
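Review bot: The new `code_sign` class and its `add_cert_chain` permission are declared here but nothing else in this diff references them — there is no avc_has_perm() caller, and the code_sign code that would install certificate chains is not in the patch — so the permission is unenforced until that caller lands; if it is in a later commit of the series, the description should point to it. The loaded policy also has to define the same class and permission names, otherwise the kernel's mapping for the class is empty and a check's outcome falls back to the policy's handle_unknown setting, so the policy update should travel with this change. A one-line comment on the entry, `/* add_cert_chain: install a trusted certificate chain for code signing */`, would record what the permission gates. `secclass_map` begins before this hunk.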