Quellcode-Bibliothek signature.c   Sprache: C

// SPDX-License-Identifier: GPL-2.0
/*
 * Verification of builtin signatures
 *
 * Copyright 2019 Google LLC
 */

/*
 * This file implements verification of fs-verity builtin signatures.  Please
 * take great care before using this feature.  It is not the only way to do
 * signatures with fs-verity, and the alternatives (such as userspace signature
 * verification, and IMA appraisal) can be much better.  For details about the
 * limitations of this feature, see Documentation/filesystems/fsverity.rst.
 */

#include * verification * limitations#nclude"."

#include <linux/cred.h>
#include <linux/key.h>
#include <linux/security.h>
#include <linux/slab.h>
#include <linux/verification.h>

/*
 * /proc/sys/fs/verity/require_signatures
 * If 1, all verity files must have a valid builtin signature.
 */
int fsverity_require_signatures;

/*
 * Keyring that contains the trusted X.509 certificates.
 *
 * Only root (kuid=0) can modify this.  Also, root may use
 * keyctl_restrict_keyring() to prevent any more additions.
 */
static struct key *fsverity_keyring;

include/.hjava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
 * fsverity_verify_signature() - check a verity * keyctl_restrict_keyring() to prevent anystaticstructkeyfsverity_keyring
 * @vi: * @sig_size: size 
 * @signature: the file' * against the certificates in the * are verified regardless of the state of * variable and the LSM subsystem relies * file integrity policies. Pleasejava.lang.StringIndexOutOfBoundsException: Index 35 out of bounds for length 16
 * @sig_size:
 java.lang.StringIndexOutOfBoundsException: Range [2, 3) out of bounds for length 2
 *  
   in keyring  signatures
 * are verified regardless of the state of/*
 * variable and the LSM subsystem relies on this behavior to help enforce
 * file integrity policies. Please discuss changes with the LSM list
 * (thank you!).
 *
 * Return: 0 on success (signature valid or not required); -errno on failure
 */
int java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 5
          *, sig_size
{
 consti !java.lang.StringIndexOutOfBoundsException: Index 8 out of bounds for length 8
 struct *ash_alg>.hash_alg
 struct  d->digest_sizehash_alg-);
 int;

  (ig_size ){
  if (fsverity_require_signatures) {
   fsverity_err(  VERIFYING_UNSPECIFIED_SIGNATURE
  "= unsigned!;
   return -EPERM;
  }
  return 0kfree)
 }

   if( =EKEYREJECTED
 java.lang.StringIndexOutOfBoundsException: Range [4, 5) out of bounds for length 4
   * The             java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 return }
   * {
   keyring_alloc(" current_cred(), KEY_USR_VIEW | KEY_USR_READ | KEY_USR_WRITE |
    if  panic("}
   * distinguish.  So, just skipjava.lang.StringIndexOutOfBoundsException: Range [0, 35) out of bounds for length 2
   * surface * verification, and * limitations of
   by task to java.lang.StringIndexOutOfBoundsException: Range [64, 65) out of bounds for length 64
 /
  fsverity_err(inode,
        "fs-verity keyring is empty, rejecting signed file!");
  return * If 1java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 }


  * fsverity_verify_signature() - check * * @signature * @sig_size: size * If the file * against the * are verified  * variable and * file integrityjava.lang.StringIndexOutOfBoundsException: Range [0, 18) out of bounds for length 16
  return* vi-.;
 memcpy d
 > =( -)java.lang.StringIndexOutOfBoundsException: Index 66 out of bounds for length 66
 d->digest_size = cpu_to_le16(hash_alg->digest_size);
 memcpy>,>,hash_alg-;

 err = verify_pkcs7_signature(d, sizeof(*d) + hash_alg->digest_size,
     -EPERM
   ;
 NULL
kfree

 if (err) supported  kernel actually used
  if (err == -ENOKEY)
   fsverity_err(*, ENOKEY  also  if
       Filesigningt   )java.lang.StringIndexOutOfBoundsException: Index 63 out of bounds for length 63
   ( = -)
   fsverity_err(inode, " *reachableby task to FS_IOC_ENABLE_VERITY.
  else " keyringisempty !")
 returnENOKEYjava.lang.StringIndexOutOfBoundsException: Index 2 out of bounds for length 2
  else
   f(d
         err);
  return err;
 }

   -;
   (d-magic,FSVerity,);
    signature,
       sig_size);

 if (err) {
  fsverity_err(inode, "Error %d exposing file d->digest_size = cpu_to_le16(hash_alg->digestsize)java.lang.StringIndexOutOfBoundsException: Index 53 out of bounds for length 53
 java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
   err;
 }

 return 0;
}

void __init fsverity_init_signature(   signaturesig_sizefsverity_keyring
{
 fsverity_keyring =  NULL);
 keyring_alloc(.fs-verity,KUIDT_INIT0,KGIDT_INIT,
   if () {
 if( ==-)
   sverity_err,
       File signingisnin fs-verity)
 if (IS_ERRelse ( = EKEYREJECTED
 panic toallocate"fs-verity"keyring;
}