aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/module_signing.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2015-07-20 20:16:28 (GMT)
committerDavid Howells <dhowells@redhat.com>2015-08-07 15:26:13 (GMT)
commit091f6e26eb326adbd718f406e440c838bed8ebb6 (patch)
tree9562f51745eb81fdf44d1fb56d6e79090935d2e4 /kernel/module_signing.c
parent1c39449921fc6db1f942051f79868a19c92f4d47 (diff)
downloadkernel_replicant_linux-091f6e26eb326adbd718f406e440c838bed8ebb6.zip
kernel_replicant_linux-091f6e26eb326adbd718f406e440c838bed8ebb6.tar.gz
kernel_replicant_linux-091f6e26eb326adbd718f406e440c838bed8ebb6.tar.bz2
MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
Extract the function that drives the PKCS#7 signature verification given a data blob and a PKCS#7 blob out from the module signing code and lump it with the system keyring code as it's generic. This makes it independent of module config options and opens it to use by the firmware loader. Signed-off-by: David Howells <dhowells@redhat.com> Cc: Luis R. Rodriguez <mcgrof@suse.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Cc: Ming Lei <ming.lei@canonical.com> Cc: Seth Forshee <seth.forshee@canonical.com> Cc: Kyle McMartin <kyle@kernel.org>
Diffstat (limited to 'kernel/module_signing.c')
-rw-r--r--kernel/module_signing.c44
1 files changed, 1 insertions, 43 deletions
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 8eb20cc..70ad463 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -10,10 +10,8 @@
*/
#include <linux/kernel.h>
-#include <linux/err.h>
#include <keys/system_keyring.h>
#include <crypto/public_key.h>
-#include <crypto/pkcs7.h>
#include "module-internal.h"
/*
@@ -37,46 +35,6 @@ struct module_signature {
};
/*
- * Verify a PKCS#7-based signature on a module.
- */
-static int mod_verify_pkcs7(const void *mod, unsigned long modlen,
- const void *raw_pkcs7, size_t pkcs7_len)
-{
- struct pkcs7_message *pkcs7;
- bool trusted;
- int ret;
-
- pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
- if (IS_ERR(pkcs7))
- return PTR_ERR(pkcs7);
-
- /* The data should be detached - so we need to supply it. */
- if (pkcs7_supply_detached_data(pkcs7, mod, modlen) < 0) {
- pr_err("PKCS#7 signature with non-detached data\n");
- ret = -EBADMSG;
- goto error;
- }
-
- ret = pkcs7_verify(pkcs7);
- if (ret < 0)
- goto error;
-
- ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
- if (ret < 0)
- goto error;
-
- if (!trusted) {
- pr_err("PKCS#7 signature not signed with a trusted key\n");
- ret = -ENOKEY;
- }
-
-error:
- pkcs7_free_message(pkcs7);
- pr_devel("<==%s() = %d\n", __func__, ret);
- return ret;
-}
-
-/*
* Verify the signature on a module.
*/
int mod_verify_sig(const void *mod, unsigned long *_modlen)
@@ -114,5 +72,5 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
return -EBADMSG;
}
- return mod_verify_pkcs7(mod, modlen, mod + modlen, sig_len);
+ return system_verify_data(mod, modlen, mod + modlen, sig_len);
}