diff --git a/LICENSE b/LICENSE
index 97c58d4662c37e15a56f149eedfb98c00e604414..0113e4b173a77583bc17bbbf213595fd9c905121 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,5 +3,6 @@
./xpm/
./qos_auth/
./ucollection/
+ ./code_sign
As for the specific use of the licenses, please refer to the relevant description in the documents.
diff --git a/OAT.xml b/OAT.xml
index 55a93aaac5d9767f9e9f8ec15add42c0fa350918..13a8f09121676c0990873ef3de5d57c3413a2969 100644
--- a/OAT.xml
+++ b/OAT.xml
@@ -61,10 +61,12 @@ Note:If the text contains special characters, please escape them according to th
+
+
diff --git a/code_sign/Kconfig b/code_sign/Kconfig
new file mode 100644
index 0000000000000000000000000000000000000000..86c3581d99a5bbff86bce5b14c6c7a4275aca0b1
--- /dev/null
+++ b/code_sign/Kconfig
@@ -0,0 +1,8 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+config SECURITY_CODE_SIGN
+ default y
+ bool "code signature"
+ help
+ code signature
\ No newline at end of file
diff --git a/code_sign/Makefile b/code_sign/Makefile
new file mode 100644
index 0000000000000000000000000000000000000000..70482c6d6d0431731ae24870f5a8df1e3f805453
--- /dev/null
+++ b/code_sign/Makefile
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+obj-$(CONFIG_SECURITY_CODE_SIGN) += \
+ code_sign_misc.o \
+ verify_cert_chain.o
+
+ccflags-$(CONFIG_SECURITY_CODE_SIGN) += \
+ -I$(srctree)/security/selinux/include \
+ -I$(srctree)/security/selinux
+
+$(addprefix $(obj)/,$(obj-y)): $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h av_permissions.h
+$(obj)/flask.h: $(srctree)/security/selinux/include/classmap.h FORCE
+ $(call if_changed,flask)
diff --git a/code_sign/apply_code_sign.sh b/code_sign/apply_code_sign.sh
new file mode 100755
index 0000000000000000000000000000000000000000..6098a16de610d3d626dcca024835ccd29f51cd7a
--- /dev/null
+++ b/code_sign/apply_code_sign.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2023 Huawei Device Co., Ltd.
+#
+
+set -e
+
+OHOS_SOURCE_ROOT=$1
+KERNEL_BUILD_ROOT=$2
+PRODUCT_NAME=$3
+KERNEL_VERSION=$4
+CODE_SIGN_SOURCE_ROOT=$OHOS_SOURCE_ROOT/kernel/linux/common_modules/code_sign
+
+function main()
+{
+ pushd .
+
+ if [ ! -d "$KERNEL_BUILD_ROOT/fs/code_sign" ]; then
+ mkdir $KERNEL_BUILD_ROOT/fs/code_sign
+ fi
+
+ cd $KERNEL_BUILD_ROOT/fs/code_sign
+ ln -s -f $(realpath --relative-to=$KERNEL_BUILD_ROOT/fs/code_sign $CODE_SIGN_SOURCE_ROOT)/* ./
+
+ popd
+}
+
+main
diff --git a/code_sign/code_sign_misc.c b/code_sign/code_sign_misc.c
new file mode 100644
index 0000000000000000000000000000000000000000..3885aec14f60b961b52720e8447cf4def27c0143
--- /dev/null
+++ b/code_sign/code_sign_misc.c
@@ -0,0 +1,288 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include <../../crypto/asymmetric_keys/pkcs7_parser.h>
+#include "avc.h"
+#include "objsec.h"
+#include
+
+struct cert_source *root, *cur;
+
+struct rb_root cert_chain_tree = RB_ROOT;
+
+struct cert_source *cert_chain_search(struct rb_root *root, struct x509_certificate *cert)
+{
+ pr_info("enter cert_chain_search\n");
+ struct rb_node *node = root->rb_node;
+
+ while (node) {
+ struct cert_source *source = container_of(node, struct cert_source, node);
+
+ int result = strcmp(source->subject, cert->subject);
+ pr_info("source->subject '%s', cert->subject '%s'\n", source->subject, cert->subject);
+
+ if (result < 0) {
+ node = node->rb_left;
+ } else if (result > 0) {
+ node = node->rb_right;
+ } else {
+ result = strcmp(source->issuer, cert->issuer);
+ pr_info("source->issuer '%s', cert->issuer '%s'\n", source->issuer, cert->issuer);
+ if (result < 0) {
+ node = node->rb_left;
+ } else if (result > 0) {
+ node = node->rb_right;
+ } else {
+ pr_info("matched\n");
+ return source;
+ }
+ }
+ }
+ pr_err("cert not found\n");
+ return NULL;
+}
+
+struct cert_source *find_match(struct x509_certificate *cert)
+{
+ pr_info("enter find_match\n");
+ return cert_chain_search(&cert_chain_tree, cert);
+}
+
+void cert_chain_insert(struct rb_root *root, struct cert_source *cert)
+{
+ struct rb_node **new = &(root->rb_node), *parent = NULL;
+
+ while (*new) {
+ struct cert_source *this = container_of(*new, struct cert_source, node);
+ int result = strcmp(cert->subject, this->subject);
+
+ parent = *new;
+ if (result < 0) {
+ new = &((*new)->rb_left);
+ } else if (result > 0) {
+ new = &((*new)->rb_right);
+ } else {
+ result = strcmp(cert->issuer, this->issuer);
+ if (result < 0) {
+ new = &((*new)->rb_left);
+ } else if (result > 0) {
+ new = &((*new)->rb_right);
+ } else {
+ pr_info("cert existed\n");
+ return;
+ }
+ }
+ }
+
+ // add new node
+ rb_link_node(&cert->node, parent, new);
+ rb_insert_color(&cert->node, root);
+}
+
+int code_sign_open(struct inode *inode, struct file *filp)
+{
+ return 0;
+}
+
+int code_sign_release(struct inode *inode, struct file *filp)
+{
+ return 0;
+}
+
+/*
+ * Fabricate and save the issuer and subject names. See x509_fabricate_name in x509_cert_parse.c.
+ */
+int fabricate_name(char *origin_name, int len, char **subject)
+{
+ char *common_name, *orgnazition, *email;
+ char *attr, *value;
+
+ for (attr = strsep(&origin_name, "="); origin_name != NULL; attr = strsep(&origin_name, "=")) {
+ value = strsep(&origin_name, ",");
+ attr = strim(attr);
+
+ if (strlen(attr) == 2 && memcmp(attr, "CN", 2) == 0)
+ common_name = value;
+ else if (strlen(attr) == 1 && memcmp(attr, "O", 1) == 0)
+ orgnazition = value;
+ else if (strlen(attr) == 1 && memcmp(attr, "E", 1) == 0)
+ email = value;
+ }
+
+ if (common_name && orgnazition) {
+ if (memcmp(common_name, orgnazition, strlen(orgnazition)) == 0)
+ goto return_common_name;
+ if (strlen(common_name) >= 7 && strlen(orgnazition) >= 7 && memcmp(common_name, orgnazition, 7) == 0)
+ goto return_common_name;
+
+ char* name = kzalloc(strlen(common_name) + 2 + strlen(orgnazition) + 1, GFP_KERNEL);
+ if (!name)
+ return -ENOMEM;
+
+ memcpy(name, orgnazition, strlen(orgnazition));
+ name[strlen(orgnazition) + 0] = ':';
+ name[strlen(orgnazition) + 1] = ' ';
+ memcpy(name + strlen(orgnazition) + 2, common_name, strlen(common_name));
+ name[strlen(orgnazition) + 2 + strlen(common_name)] = 0;
+ *subject = name;
+ return 0;
+ } else if (common_name) {
+return_common_name:
+ *subject = common_name;
+ return 0;
+ } else if (orgnazition) {
+ *subject = orgnazition;
+ return 0;
+ } else if (email) {
+ *subject = email;
+ return 0;
+ }
+
+ return -EINVAL;
+}
+
+int code_sign_avc_has_perm(u16 tclass, u32 requested)
+{
+ struct av_decision avd;
+ u32 sid = current_sid();
+ int rc, rc2;
+
+ rc = avc_has_perm_noaudit(&selinux_state, sid, sid, tclass, requested,
+ AVC_STRICT, &avd);
+ rc2 = avc_audit(&selinux_state, sid, sid, tclass, requested, &avd, rc,
+ NULL, AVC_STRICT);
+ if (rc2)
+ return rc2;
+
+ return rc;
+}
+
+long code_sign_ioctl(struct file *filp, unsigned int cmd, unsigned long args)
+{
+ if (code_sign_avc_has_perm(SECCLASS_CODE_SIGN, CODE_SIGN__ACCESS_CERT_CHAIN))
+ return -EPERM;
+
+ struct cert_source *source = kzalloc(sizeof(struct cert_source), GFP_KERNEL);
+
+ if (!source)
+ return -ENOMEM;
+
+ if (cmd != WRITE_CERT_CHAIN) {
+ pr_err("code_sign cmd error, cmd:%d\n", cmd);
+ return -EINVAL;
+ }
+
+ struct cert_chain_info info;
+
+ int ret = copy_from_user(&info, args, sizeof(struct cert_chain_info));
+ if (ret) {
+ pr_err("cmd copy_from_user failed %d\n", ret);
+ ret = -ENOMEM;
+ goto copy_source_failed;
+ }
+
+ char *origin_subject = kzalloc(info.signing_length, GFP_KERNEL);
+ if (!origin_subject) {
+ ret = -ENOMEM;
+ goto copy_source_failed;
+ }
+
+ ret = copy_from_user(origin_subject, u64_to_user_ptr(info.signing_ptr), info.signing_length);
+ if (ret) {
+ pr_err("copy_from_user get signing failed\n");
+ ret = -EFAULT;
+ goto copy_subject_failed;
+ }
+
+ if (fabricate_name(origin_subject, info.signing_length, &source->subject)) {
+ pr_err("Fabricate subject failed\n");
+ goto copy_subject_failed;
+ }
+
+ char *origin_issuer = kzalloc(info.issuer_length, GFP_KERNEL);
+ if (!origin_issuer) {
+ ret = -ENOMEM;
+ goto copy_subject_failed;
+ }
+
+ ret = copy_from_user(origin_issuer, u64_to_user_ptr(info.issuer_ptr), info.issuer_length);
+ if (ret) {
+ pr_err("copy_from_user get issuer failed\n");
+ ret = -EFAULT;
+ goto copy_issuer_failed;
+ }
+
+ if (fabricate_name(origin_issuer, info.issuer_length, &source->issuer)) {
+ pr_err("Fabricate issuer failed\n");
+ goto copy_issuer_failed;
+ }
+
+ source->max_path_depth = info.path;
+
+ pr_info("signing = '%s', issuer = '%s', max_path_depth = %d\n", source->subject, source->issuer, source->max_path_depth);
+
+ // insert rb_tree
+ cert_chain_insert(&cert_chain_tree, source);
+
+ return ret;
+
+copy_issuer_failed:
+ kfree(origin_issuer);
+ kfree(source->issuer);
+copy_subject_failed:
+ kfree(origin_subject);
+ kfree(source->subject);
+copy_source_failed:
+ kfree(source);
+ return ret;
+}
+
+const struct file_operations code_sign_ops = {
+ .owner = THIS_MODULE,
+ .open = code_sign_open,
+ .release = code_sign_release,
+ .unlocked_ioctl = code_sign_ioctl,
+ .compat_ioctl = code_sign_ioctl,
+};
+
+static struct miscdevice code_sign_misc = {
+ .minor = MISC_DYNAMIC_MINOR,
+ .name = "code_sign",
+ .fops = &code_sign_ops,
+};
+
+static void code_sign_register_hck_hooks(void)
+{
+ REGISTER_HCK_LITE_HOOK(fsverity_verity_certchain_lhck, fsverity_verity_certchain);
+}
+
+static int __init code_sign_init(void)
+{
+ pr_info("INIT\n");
+
+ code_sign_register_hck_hooks();
+
+ return misc_register(&code_sign_misc);
+}
+
+static void __exit code_sign_exit(void)
+{
+ misc_deregister(&code_sign_misc);
+
+ pr_info("EXIT\n");
+}
+
+module_init(code_sign_init);
+module_exit(code_sign_exit);
+
+MODULE_LICENSE("GPL");
diff --git a/code_sign/code_sign_misc.h b/code_sign/code_sign_misc.h
new file mode 100644
index 0000000000000000000000000000000000000000..f424e672f1a79a4c16fde673aff243e9e8b1d97e
--- /dev/null
+++ b/code_sign/code_sign_misc.h
@@ -0,0 +1,35 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#include
+
+#ifndef _CODE_SIGN_H
+#define _CODE_SIGN_H
+
+struct cert_chain_info {
+ __u32 signing_length;
+ __u32 issuer_length;
+ __u64 signing_ptr;
+ __u64 issuer_ptr;
+ __u32 path;
+ __u8 __reserved[36];
+};
+
+struct cert_source {
+ char *subject;
+ char *issuer;
+ int max_path_depth;
+ struct rb_node node;
+};
+
+#define WRITE_CERT_CHAIN _IOW('k', 1, struct cert_chain_info)
+
+/*
+ * cert_chain.c
+ */
+
+struct cert_source *find_match(struct x509_certificate *cert);
+
+#endif /* _CODE_SIGN_H */
diff --git a/code_sign/verify_cert_chain.c b/code_sign/verify_cert_chain.c
new file mode 100644
index 0000000000000000000000000000000000000000..e66ef51324c9a69755dce11a4b9ec6d103b60fb1
--- /dev/null
+++ b/code_sign/verify_cert_chain.c
@@ -0,0 +1,115 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include <../../crypto/asymmetric_keys/pkcs7_parser.h>
+#include
+#include
+
+/*
+ * Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7
+ * uses the issuer's name and the issuing certificate serial number for
+ * matching purposes. These must match the certificate issuer's name (not
+ * subject's name) and the certificate serial number [RFC 2315 6.7].
+ */
+static int pkcs7_find_key(struct pkcs7_message *pkcs7,
+ struct pkcs7_signed_info *sinfo)
+{
+ struct x509_certificate *x509;
+ unsigned certix = 1;
+
+ kenter("%u", sinfo->index);
+ pr_info("sinfo->index %u", sinfo->index);
+
+ for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) {
+ /* I'm _assuming_ that the generator of the PKCS#7 message will
+ * encode the fields from the X.509 cert in the same way in the
+ * PKCS#7 message - but I can't be 100% sure of that. It's
+ * possible this will need element-by-element comparison.
+ */
+ if (!asymmetric_key_id_same(x509->id, sinfo->sig->auth_ids[0])) {
+ pr_warn("Sig %u: X.509->id and PKCS#7 sinfo->sig->auth_ids[0] don't match\n", sinfo->index, x509->id, sinfo->sig->auth_ids[0]);
+ continue;
+ }
+ pr_info("Sig %u: Found cert serial match X.509[%u]\n",
+ sinfo->index, certix);
+
+ if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0 && (strncmp(x509->pub->pkey_algo, "ecdsa-", 6) != 0 || strcmp(x509->sig->pkey_algo, "ecdsa") != 0)) {
+ pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", sinfo->index);
+ continue;
+ }
+
+ sinfo->signer = x509;
+ return 0;
+ }
+
+ /* The relevant X.509 cert isn't found here, but it might be found in
+ * the trust keyring.
+ */
+ pr_info("Sig %u: Issuing X.509 cert not found (#%*phN)\n",
+ sinfo->index,
+ sinfo->sig->auth_ids[0]->len, sinfo->sig->auth_ids[0]->data);
+ return 0;
+}
+
+void fsverity_verity_certchain(const void *raw_pkcs7, size_t pkcs7_len, int *ret)
+{
+ pr_info("enter fsverity_verity_certchain\n");
+ struct pkcs7_message *pkcs7;
+ struct pkcs7_signed_info *sinfo;
+ int cert_chain_depth = 1;
+
+ pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
+ if (IS_ERR(pkcs7)) {
+ pr_err("parse pkcs7 message failed\n");
+ *ret = PTR_ERR(pkcs7);
+ return;
+ }
+
+ if (!pkcs7->signed_infos) {
+ pr_err("No found signed_info\n");
+ *ret = -EKEYREJECTED;
+ return;
+ }
+
+ for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+ /* Find the key for the signature if there is one */
+ *ret = pkcs7_find_key(pkcs7, sinfo);
+ if (*ret) {
+ pr_err("pkcs7 not find key\n");
+ return;
+ }
+
+ struct x509_certificate *signer = sinfo->signer;
+
+ if (!signer) {
+ pr_err("No found signer\n");
+ *ret = -EINVAL;
+ return;
+ }
+
+ struct cert_source *source = find_match(signer);
+ if (source) {
+ // cal cert chain depth
+ char *issuer = signer->issuer;
+ for (; signer; signer = signer->next) {
+ if (signer->subject && (strcmp(signer->subject, issuer) == 0)) {
+ cert_chain_depth++;
+ issuer = signer->issuer;
+ } else
+ break;
+ }
+ if (cert_chain_depth == source->max_path_depth)
+ return;
+ }
+ }
+
+ pr_err("Cannot find match\n");
+ *ret = -EINVAL;
+}
diff --git a/code_sign/verify_cert_chain.h b/code_sign/verify_cert_chain.h
new file mode 100644
index 0000000000000000000000000000000000000000..ad3eb5df8da3dbc2a0f9681011faa614fc8fc18f
--- /dev/null
+++ b/code_sign/verify_cert_chain.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#ifndef _VERIFY_CERT_CHAIN_H
+#define _VERIFY_CERT_CHAIN_H
+
+/*
+ * verify_cert_chain.c
+ */
+
+void fsverity_verity_certchain(const void *raw_pkcs7, size_t pkcs7_len, int *ret);
+
+#endif /* _VERIFY_CERT_CHAIN_H */