From 83c7b0555077fcf7d886737c031b9d847423798e Mon Sep 17 00:00:00 2001
From: Hongjin Li
Date: Mon, 16 Oct 2023 17:30:37 +0800
Subject: [PATCH 1/5] =?UTF-8?q?feat:=20=E5=86=85=E6=A0=B8=20fs-verity?=
 =?UTF-8?q?=E6=A0=A1=E9=AA=8C=E8=AF=81=E4=B9=A6=E8=B7=AF=E5=BE=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Hongjin Li
---
 drivers/hck/vendor_hooks.c | 1 +
 fs/Kconfig | 2 ++
 fs/Makefile | 5 +++--
 fs/verity/signature.c | 19 +++++++++++++++++-
 include/linux/hck/lite_hck_code_sign.h | 27 ++++++++++++++++++++++++++
 scripts/kconfig/lexer.l | 1 +
 security/selinux/include/classmap.h | 2 ++
 7 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 include/linux/hck/lite_hck_code_sign.h

diff --git a/drivers/hck/vendor_hooks.c b/drivers/hck/vendor_hooks.c
index 7bea8ddcaaa8..5ac7abbcac83 100644
--- a/drivers/hck/vendor_hooks.c
+++ b/drivers/hck/vendor_hooks.c
@@ -11,3 +11,4 @@
 #include
 #include
 #include
+#include
diff --git a/fs/Kconfig b/fs/Kconfig
index efc725d7c628..0b0cf3e09f30 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -115,6 +115,8 @@ config MANDATORY_FILE_LOCKING
 
 source "fs/crypto/Kconfig"
 
+source "fs/code_sign/Kconfig"
+
 source "fs/verity/Kconfig"
 
 source "fs/notify/Kconfig"
diff --git a/fs/Makefile b/fs/Makefile
index 74989c30c3fb..ff1ad0366d9d 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -4,7 +4,7 @@
 #
 # 14 Sep 2000, Christoph Hellwig
 # Rewritten to use lists instead of if-statements.
-#
+#
 
 obj-y := open.o read_write.o file_table.o super.o \
 		char_dev.o stat.o exec.o pipe.o namei.o fcntl.o \
@@ -34,6 +34,7 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
 obj-$(CONFIG_AIO) += aio.o
 obj-$(CONFIG_FS_DAX) += dax.o
 obj-$(CONFIG_FS_ENCRYPTION) += crypto/
+obj-$(CONFIG_SECURITY_CODE_SIGN) += code_sign/
 obj-$(CONFIG_FS_VERITY) += verity/
 obj-$(CONFIG_FILE_LOCKING) += locks.o
 obj-$(CONFIG_BINFMT_AOUT) += binfmt_aout.o
@@ -64,7 +65,7 @@ obj-y += devpts/
 
 obj-$(CONFIG_PROFILING) += dcookies.o
 obj-$(CONFIG_DLM) += dlm/
-
+
 # Do not add any filesystems before this line
 obj-$(CONFIG_FSCACHE) += fscache/
 obj-$(CONFIG_REISERFS_FS) += reiserfs/
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index b14ed96387ec..0b357b445568 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -11,6 +11,7 @@
 #include
 #include
 #include
+#include
 
 /*
  * /proc/sys/fs/verity/require_signatures
@@ -26,6 +27,14 @@ static int fsverity_require_signatures;
  */
 static struct key *fsverity_keyring;
 
+static inline int fsverity_verify_certchain(const void *raw_pkcs7, size_t pkcs7_len)
+{
+	int ret = 0;
+
+	CALL_HCK_LITE_HOOK(code_sign_verify_certchain_lhck, raw_pkcs7, pkcs7_len, &ret);
+	return ret;
+}
+
 /**
  * fsverity_verify_signature() - check a verity file's signature
  * @vi: the file's fsverity_info
@@ -45,7 +54,8 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
 	const u32 sig_size = le32_to_cpu(desc->sig_size);
 	struct fsverity_signed_digest *d;
-	int err;
+	int err = 0;
+	int ret = 0;
 
 	if (sig_size == 0) {
 		if (fsverity_require_signatures) {
@@ -69,6 +79,13 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	d->digest_size = cpu_to_le16(hash_alg->digest_size);
 	memcpy(d->digest, vi->measurement, hash_alg->digest_size);
 
+	ret = fsverity_verify_certchain(desc->signature, sig_size);
+	if (ret) {
+		fsverity_err(inode, "verify cert chain failed, ret = %d", ret);
+		return ret;
+	}
+	pr_debug("verify cert chain success\n");
+
 	err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
 				     desc->signature, sig_size, fsverity_keyring,
diff --git a/include/linux/hck/lite_hck_code_sign.h b/include/linux/hck/lite_hck_code_sign.h
new file mode 100644
index 000000000000..dc82ab61ad6d
--- /dev/null
+++ b/include/linux/hck/lite_hck_code_sign.h
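Review bot: fsverity_verify_certchain() fails open: `ret` starts at 0 and `CALL_HCK_LITE_HOOK` is the only thing that can change it, so with CONFIG_HCK unset (the new header defines the macro as empty) or with no vendor probe registered, every certificate chain is reported as valid. If that is the intended policy it should be stated above the helper, e.g. `/* Returns 0 when no vendor probe is attached (CONFIG_HCK=n or nothing registered): the chain is then not checked here and only verify_pkcs7_signature() guards the file. */`; if it is not, initialise `ret` to a failing errno and have the probe clear it on success. The probe's out-parameter is also handed straight back to the caller in the `@@ -69,6 +79,13` hunk, so the requirement that it writes a negative errno (never a positive or vendor-specific code) belongs next to the DECLARE_HCK_LITE_HOOK() in lite_hck_code_sign.h as well.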
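Review bot: The new `return ret;` on the cert-chain failure path leaves `d` unfreed: `d` is a pointer whose fields are filled in on the two context lines above, and in upstream fs/verity/signature.c it is kzalloc'd just before them and kfree'd only after verify_pkcs7_signature(); that allocation and kfree sit outside the hunk, so confirm, but if the layout matches upstream every rejected file leaks the digest buffer. Either move the fsverity_verify_certchain() call above the allocation (it only needs `desc->signature` and `sig_size`, which are available earlier), or release before returning: `kfree(d); return ret;`. Patch 4 rewrites these lines (`@@ -79,10 +78,10`) but keeps the same early return, so the fix applies there too. fsverity_verify_signature() continues past the end of the hunk.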
@@ -0,0 +1,27 @@
+//SPDX-License-Identifier: GPL-2.0-only
+/*lite_hck_sample.h
+ *
+ *OpenHarmony Common Kernel Vendor Hook Smaple
+ *
+ */
+
+#ifndef LITE_HCK_CODE_SIGN_H
+#define LITE_HCK_CODE_SIGN_H
+
+#include
+
+#ifndef CONFIG_HCK
+
+#define CALL_HCK_LITE_HOOK(name, args...)
+#define REGISTER_HCK_LITE_HOOK(name, probe)
+#define REGISTER_HCK_LITE_DATA_HOOK(name, probe, data)
+
+#else
+
+DECLARE_HCK_LITE_HOOK(code_sign_verify_certchain_lhck,
+	TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, int *ret),
+	TP_ARGS(raw_pkcs7, pkcs7_len, ret));
+
+#endif /* CONFIG_HCK */
+
+#endif /* LITE_HCK_CODE_SIGN_H */
diff --git a/scripts/kconfig/lexer.l b/scripts/kconfig/lexer.l
index 551ec37e9f27..464a19c3de38 100644
--- a/scripts/kconfig/lexer.l
+++ b/scripts/kconfig/lexer.l
@@ -27,6 +27,7 @@ static const char *kconfig_white_list[] = {
 	"security/xpm/Kconfig",
 	"drivers/auth_ctl/Kconfig",
 	"drivers/staging/ucollection/Kconfig",
+	"fs/code_sign/Kconfig",
 };
 
 static struct {
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 1c6c59b92ab5..2702e1df32a2 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -252,6 +252,8 @@ struct security_class_mapping secclass_map[] = {
 	  { "integrity", "confidentiality", NULL } },
 	{ "xpm",
 	  { "exec_no_sign", "exec_anon_mem", NULL } },
+	{ "code_sign",
+	  { "access_cert_chain", NULL } },
 	{ NULL }
 };
 
-- 
Gitee

From 503f7eff7e995efb4774e63564b8eafcbcd77a9d Mon Sep 17 00:00:00 2001
From: Hongjin Li
Date: Wed, 18 Oct 2023 04:45:38 +0000
Subject: [PATCH 2/5] update security/selinux/include/classmap.h.

Signed-off-by: Hongjin Li
---
 security/selinux/include/classmap.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 2702e1df32a2..4b05b7692e23 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
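Review bot: The banner comment of the new header is copied from the sample hook header — it names `lite_hck_sample.h` and reads "Vendor Hook Smaple" — and the SPDX tag is written with `//`, whereas kernel headers carry it as `/* SPDX-License-Identifier: GPL-2.0-only */`. Replace the six-line banner with `/* SPDX-License-Identifier: GPL-2.0-only */` followed by `/* lite_hck_code_sign.h - vendor hook used by fs/verity to validate the certificate chain of a file's PKCS#7 signature */`. The DECLARE_HCK_LITE_HOOK() carries no statement of what the probe must store in `*ret`, yet fs/verity returns that value directly to its caller; document that the probe leaves `*ret` at 0 on success and writes a negative errno on failure. The target of the `#include` on the new file's line 11 did not survive extraction here, so it could not be checked.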
@@ -253,7 +253,7 @@ struct security_class_mapping secclass_map[] = {
 	{ "xpm",
 	  { "exec_no_sign", "exec_anon_mem", NULL } },
 	{ "code_sign",
-	  { "access_cert_chain", NULL } },
+	  { "add_cert_chain", NULL } },
 	{ NULL }
 };
 
-- 
Gitee

From 264a3624eb6cf70c80f8ea7d61c1ea4e50898f3e Mon Sep 17 00:00:00 2001
From: Hongjin Li
Date: Wed, 18 Oct 2023 10:31:47 +0000
Subject: [PATCH 3/5] update fs/Makefile.

Signed-off-by: Hongjin Li
---
 fs/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/Makefile b/fs/Makefile
index ff1ad0366d9d..5036d5691632 100644
--- a/fs/Makefile
+++ b/fs/Makefile
@@ -4,7 +4,7 @@
 #
 # 14 Sep 2000, Christoph Hellwig
 # Rewritten to use lists instead of if-statements.
-#
+#
 
 obj-y := open.o read_write.o file_table.o super.o \
 		char_dev.o stat.o exec.o pipe.o namei.o fcntl.o \
@@ -65,7 +65,7 @@ obj-y += devpts/
 
 obj-$(CONFIG_PROFILING) += dcookies.o
 obj-$(CONFIG_DLM) += dlm/
-
+
 # Do not add any filesystems before this line
 obj-$(CONFIG_FSCACHE) += fscache/
 obj-$(CONFIG_REISERFS_FS) += reiserfs/
-- 
Gitee

From 6e7f7595f748fb30492a057c744e6d22146605d8 Mon Sep 17 00:00:00 2001
From: Hongjin Li
Date: Wed, 18 Oct 2023 10:39:33 +0000
Subject: [PATCH 4/5] update fs/verity/signature.c.

Signed-off-by: Hongjin Li
---
 fs/verity/signature.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index 0b357b445568..94f44a8c7d18 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -55,7 +55,6 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	const u32 sig_size = le32_to_cpu(desc->sig_size);
 	struct fsverity_signed_digest *d;
 	int err = 0;
-	int ret = 0;
 
 	if (sig_size == 0) {
 		if (fsverity_require_signatures) {
@@ -79,10 +78,10 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	d->digest_size = cpu_to_le16(hash_alg->digest_size);
 	memcpy(d->digest, vi->measurement, hash_alg->digest_size);
 
-	ret = fsverity_verify_certchain(desc->signature, sig_size);
-	if (ret) {
-		fsverity_err(inode, "verify cert chain failed, ret = %d", ret);
-		return ret;
+	err = fsverity_verify_certchain(desc->signature, sig_size);
+	if (err) {
+		fsverity_err(inode, "verify cert chain failed, err = %d", err);
+		return err;
 	}
 	pr_debug("verify cert chain success\n");
 
-- 
Gitee

From b0bae17cec48a36945da510044d6fab766b1310c Mon Sep 17 00:00:00 2001
From: Hongjin Li
Date: Wed, 18 Oct 2023 10:41:52 +0000
Subject: [PATCH 5/5] update fs/verity/signature.c.

Signed-off-by: Hongjin Li
---
 fs/verity/signature.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index 94f44a8c7d18..15e5879817e7 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -54,7 +54,7 @@ int fsverity_verify_signature(const struct fsverity_info *vi,
 	const struct fsverity_hash_alg *hash_alg = vi->tree_params.hash_alg;
 	const u32 sig_size = le32_to_cpu(desc->sig_size);
 	struct fsverity_signed_digest *d;
-	int err = 0;
+	int err;
 
 	if (sig_size == 0) {
 		if (fsverity_require_signatures) {
-- 
Gitee