diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 6592279d839aff6d267cd225e5e51f0e6bbe0ea2..2a2b14d1c3d6a99d0a5b884a919b2795b869ea8e 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -526,6 +526,17 @@ int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
 		}
 		return 0;
+#ifdef CONFIG_SECURITY_CODE_SIGN
+	case OID_ownerid:
+		if (__test_and_set_bit(sinfo_has_owner_identifier, &sinfo->aa_set))
+			goto repeated;
+		if (tag != ASN1_UTF8STR)
+			return -EBADMSG;
+		sinfo->ownerid = value;
+		sinfo->ownerid_len = vlen;
+		return 0;
+#endif /* CONFIG_SECURITY_CODE_SIGN */
+
 	/* Microsoft SpOpusInfo seems to be contain cont[0] 16-bit BE
 	 * char URLs and cont[1] 8-bit char URLs.
 	 *
diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index 6565fdc2d4cac2bc49bfa629edde67b875573cb7..49317eaf0abe851283caa309546abfb89446312e 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -35,8 +35,14 @@ struct pkcs7_signed_info {
 #define sinfo_has_smime_caps 3
 #define sinfo_has_ms_opus_info 4
 #define sinfo_has_ms_statement_type 5
+#define sinfo_has_owner_identifier 6
 	time64_t signing_time;
+#ifdef CONFIG_SECURITY_CODE_SIGN
+	const char *ownerid;
+	unsigned ownerid_len;
+#endif /* CONFIG_SECURITY_CODE_SIGN */
+
 	/* Message signature.
 	 *
 	 * This contains the generated digest of _either_ the Content Data or
diff --git a/fs/verity/fsverity_private.h b/fs/verity/fsverity_private.h
index 643d404d2c0e5f184e92d43bcc7d9de35b37f9b7..f2f2a1b1d72471f580ec4a7fa19cd96226935db2 100644
--- a/fs/verity/fsverity_private.h
+++ b/fs/verity/fsverity_private.h
@@ -77,6 +77,7 @@ struct fsverity_info {
 	u8 measurement[FS_VERITY_MAX_DIGEST_SIZE];
 	const struct inode *inode;
 #ifdef CONFIG_SECURITY_CODE_SIGN
+	struct cs_info fcs_info;
 	u64 verified_data_size;
 	int cert_type;
 #endif
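Review bot: The new OID_ownerid case keeps a raw pointer into the PKCS#7 message with no terminator and narrows `size_t vlen` into `unsigned ownerid_len`, but nothing in the hunk rejects an empty attribute or states what the consumer may do with the bytes. If an empty owner identifier is meaningless to the code-signing hook, fold the check into the tag test, `if (tag != ASN1_UTF8STR || vlen == 0) return -EBADMSG;`, and add a comment that `ownerid` is a non-NUL-terminated UTF8String that stays valid only as long as the buffer passed to the parser does. Like the other authenticated attributes, this value is only protected by the signature once the signerInfo's signature over the attribute set has actually been verified, so it must not be acted on before that existing check succeeds. The switch in pkcs7_sig_note_authenticated_attr starts and ends outside the hunk.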
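Review bot: The two new fields `ownerid` and `ownerid_len` carry no comment, unlike the neighbouring fields in struct pkcs7_signed_info, and the `unsigned` length type does not match the `size_t vlen` the parser stores into it. I would document them as `/* Owner identifier from the authenticated attributes: a UTF8String, not NUL-terminated, pointing into the message buffer handed to the parser */` and change the length to `size_t ownerid_len;` so no narrowing happens. struct pkcs7_signed_info starts and ends outside the hunk.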
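Review bot: `struct cs_info fcs_info` is embedded by value, so fsverity_private.h now depends on the header that defines `struct cs_info` (xpm_types.h in this series), yet the hunk adds no include; either it is already pulled in somewhere above or the build now relies on include order, which is worth making explicit. A comment on the field would also help the next reader: `/* owner info written by the code_sign_verify_certchain hook; meaningful only once cert_type has been set */`. Whether the all-zero state means "no owner" depends on how the hook encodes id_type, which this diff does not define. struct fsverity_info starts and ends outside the hunk.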
diff --git a/fs/verity/signature.c b/fs/verity/signature.c
index aa95f36a68afa6ec2b572e8ec3b7ceacf12e4ce3..d066b1b9f027d29c3b9e1d5491c5bb3e11244b35 100644
--- a/fs/verity/signature.c
+++ b/fs/verity/signature.c
@@ -55,7 +55,7 @@ static inline int fsverity_verify_certchain(struct fsverity_info *vi,
 	int ret = 0;
 	CALL_HCK_LITE_HOOK(code_sign_verify_certchain_lhck,
-		raw_pkcs7, pkcs7_len, &ret);
+		raw_pkcs7, pkcs7_len, &vi->fcs_info, &ret);
 	if (ret > 0) {
 		fsverity_set_cert_type(vi, ret);
 		ret = 0;
diff --git a/include/linux/hck/lite_hck_code_sign.h b/include/linux/hck/lite_hck_code_sign.h
index 13d139fc5d6b64a446aeae3b0b2c4769938693e4..d479babbf5cb45ba85bdad2f04e2076c550dd7f5 100644
--- a/include/linux/hck/lite_hck_code_sign.h
+++ b/include/linux/hck/lite_hck_code_sign.h
@@ -17,8 +17,9 @@
 #else
 DECLARE_HCK_LITE_HOOK(code_sign_verify_certchain_lhck,
-	TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, int *ret),
-	TP_ARGS(raw_pkcs7, pkcs7_len, ret));
+	TP_PROTO(const void *raw_pkcs7, size_t pkcs7_len, struct cs_info *cs_info,
+		int *ret),
+	TP_ARGS(raw_pkcs7, pkcs7_len, cs_info, ret));
 DECLARE_HCK_LITE_HOOK(code_sign_check_descriptor_lhck,
 	TP_PROTO(const struct inode *inode, const void *desc, int *ret),
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 3eb93c4870045ce60d6a096b4fd71bdbbc7a3391..52ed702ffb116b9a1abf30cde844dd2c46b193f0 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -608,6 +608,10 @@ struct mm_struct {
 #ifdef CONFIG_SECURITY_XPM
 	struct xpm_region xpm_region;
 #endif
+
+#ifdef CONFIG_SECURITY_CODE_SIGN
+	struct cs_info pcs_info;
+#endif
 } __randomize_layout;
 /*
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index cc64d941974668327e42240ad0e367f7e9e82ee1..334fd50348d531c326601f3458ac4a23616a61ec 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
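Review bot: `&vi->fcs_info` is handed to the hook unconditionally, but the only success signal the caller inspects is `ret > 0`, so anything the hook wrote into fcs_info during a failed or partial verification stays in place. If vi is not discarded on failure, clear the field before the call, `memset(&vi->fcs_info, 0, sizeof(vi->fcs_info));`, or make it an explicit part of the hook contract that cs_info is only written when the hook reports success. fsverity_verify_certchain starts before the hunk and continues past it.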
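Review bot: The hook prototype now names `struct cs_info *`, but the hunk adds neither an include nor a forward declaration, so the header is self-contained only if xpm_types.h is already included above (not visible here); a one-line `struct cs_info;` ahead of the DECLARE_HCK_LITE_HOOK block removes the dependence on include order. The hook's obligations for cs_info — whether it must always initialise it or only when it reports success through `*ret > 0` — are not stated anywhere in this series and belong in a comment at this declaration. The `#if` branch for the hook-disabled configuration lies above the hunk and needs the same parameter if it spells out the prototype.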
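Review bot: `pcs_info` is added to every mm_struct with no statement of who initialises it or how it behaves across fork and exec; if the mm is duplicated by copying, the parent's owner identity is carried into the child, which is probably right for fork but must be deliberately reset when a differently signed binary is exec'd. A short comment on the field, `/* code-sign owner of the main executable; set when its signature is verified, inherited on fork */` (adjusted to the actual behaviour), would make that contract reviewable. The code that sets the field is not part of this diff. struct mm_struct starts outside the hunk.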
@@ -120,6 +120,9 @@ enum OID {
 	OID_SM2_with_SM3,		/* 1.2.156.10197.1.501 */
 	OID_sm3WithRSAEncryption,	/* 1.2.156.10197.1.504 */
+	/* Code signature defined OIDS */
+	OID_ownerid,			/* 1.3.6.1.4.1.2011.2.376.1.4.1 */
+
 	OID__NR
 };
diff --git a/include/linux/xpm_types.h b/include/linux/xpm_types.h
index 22a58c8a8542dcf9675fdf4dfad52f1080a67fc6..e8a0cec9845f15561dddbf521ea3c398b96e4979 100644
--- a/include/linux/xpm_types.h
+++ b/include/linux/xpm_types.h
@@ -13,4 +13,9 @@ struct xpm_region {
 	unsigned long addr_end; /* end address of xpm region */
 };
+struct cs_info {
+	uint32_t id_type;
+	uint32_t ownerid;
+};
+
 #endif /* _XPM_TYPES_H */
\ No newline at end of file
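Review bot: The trailing comment on the OID_ownerid entry is, by the convention of this header, the text the OID registry generator reads, so the dotted string `1.3.6.1.4.1.2011.2.376.1.4.1` must match the OID the signing tool emits byte for byte; a mismatch would leave the attribute unrecognised rather than rejected, which is hard to spot in testing. Minor wording: `OIDS` should be `OIDs`, and naming whose private enterprise arc 1.3.6.1.4.1.2011 is, e.g. `/* Code signing OIDs (vendor private enterprise arc) */`, documents the provenance. enum OID starts outside the hunk.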
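Review bot: `struct cs_info` is a new cross-subsystem type (embedded in both mm_struct and fsverity_info in this series) but documents neither what `id_type` may hold nor how the 32-bit `ownerid` relates to the UTF8String attribute the PKCS#7 parser stores — the conversion from string to number is not in this diff. Document both fields, e.g. `u32 id_type; /* kind of owner identifier; 0 presumably means none — confirm against the hook */` and `u32 ownerid; /* owner identifier decoded by the verify-certchain hook */`, and prefer the kernel's `u32` over `uint32_t` in a kernel-internal header, in line with the `unsigned long` style used by xpm_region above. The file also still lacks a trailing newline.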