Merge tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull signature checking selftest from David Howells:
"The signature checking code, as used by module signing, kexec, etc.,
is non-FIPS compliant as there is no selftest.

For a kernel to be FIPS-compliant, signature checking would have to be
tested before being used, and the box would need to panic if it's not
available (probably reasonable as simply disabling signature checking
would prevent you from loading any driver modules).

Deal with this by adding a minimal test.

This is split into two patches: the first moves load_certificate_list()
to the same place as the X.509 code to make it more accessible
internally; the second adds a selftest"

* tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
certs: Add FIPS selftests
certs: Move load_certificate_list() to be with the asymmetric keys code

+268 -23
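--- a/certs/Makefile
+++ b/certs/Makefile
@@ -3,8 +3,8 @@
 # Makefile for the linux kernel signature checking certificates.
 #
 
-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
+obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
+obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
 obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
 ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
 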
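--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -15,10 +15,9 @@
 #include <linux/err.h>
 #include <linux/seq_file.h>
 #include <linux/uidgid.h>
-#include <linux/verification.h>
+#include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include "blacklist.h"
-#include "common.h"
 
 /*
  * According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(),
@@ -364,8 +365,9 @@
 	if (revocation_certificate_list_size)
 		pr_notice("Loading compiled-in revocation X.509 certificates\n");
 
-	return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
-				     blacklist_keyring);
+	return x509_load_certificate_list(revocation_certificate_list,
+					  revocation_certificate_list_size,
+					  blacklist_keyring);
 }
 late_initcall(load_revocation_certificate_list);
 #endif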
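--- a/certs/common.c
+++ b/crypto/asymmetric_keys/x509_loader.c
@@ -2,11 +2,11 @@
 
 #include <linux/kernel.h>
 #include <linux/key.h>
-#include "common.h"
+#include <keys/asymmetric-type.h>
 
-int load_certificate_list(const u8 cert_list[],
-			  const unsigned long list_size,
-			  const struct key *keyring)
+int x509_load_certificate_list(const u8 cert_list[],
+			       const unsigned long list_size,
+			       const struct key *keyring)
 {
 	key_ref_t key;
 	const u8 *p, *end;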
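--- a/certs/common.h
+++ /dev/null
@@ -1,9 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0-or-later */
-
-#ifndef _CERT_COMMON_H
-#define _CERT_COMMON_H
-
-int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
-			  const struct key *keyring);
-
-#endif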
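--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -16,7 +16,6 @@
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include <crypto/pkcs7.h>
-#include "common.h"
 
 static struct key *builtin_trusted_keys;
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
@@ -182,7 +183,8 @@
 
 	pr_notice("Loading compiled-in module X.509 certificates\n");
 
-	return load_certificate_list(system_certificate_list, module_cert_size, keyring);
+	return x509_load_certificate_list(system_certificate_list,
+					  module_cert_size, keyring);
 }
 
 /*
@@ -204,7 +204,7 @@
 	size = system_certificate_list_size - module_cert_size;
 #endif
 
-	return load_certificate_list(p, size, builtin_trusted_keys);
+	return x509_load_certificate_list(p, size, builtin_trusted_keys);
 }
 late_initcall(load_system_certificate_list);
 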
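--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -75,4 +75,14 @@
 	  This option provides support for verifying the signature(s) on a
 	  signed PE binary.
 
+config FIPS_SIGNATURE_SELFTEST
+	bool "Run FIPS selftests on the X.509+PKCS7 signature verification"
+	help
+	  This option causes some selftests to be run on the signature
+	  verification code, using some built in data.  This is required
+	  for FIPS.
+	depends on KEYS
+	depends on ASYMMETRIC_KEY_TYPE
+	depends on PKCS7_MESSAGE_PARSER
+
 endif # ASYMMETRIC_KEY_TYPE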
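Review bot: The `depends on` lines at new lines 84–86 are placed after the `help` block, whereas kernel Kconfig convention is to put dependencies (and `select`) between the prompt and `help`, so the entry would read `bool "Run FIPS selftests ..."` / `depends on KEYS` / `depends on ASYMMETRIC_KEY_TYPE` / `depends on PKCS7_MESSAGE_PARSER` / `help`. In the help text at line 82, "built in data" is conventionally hyphenated as "built-in data".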
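--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -20,7 +20,9 @@
 	x509.asn1.o \
 	x509_akid.asn1.o \
 	x509_cert_parser.o \
+	x509_loader.o \
 	x509_public_key.o
+x509_key_parser-$(CONFIG_FIPS_SIGNATURE_SELFTEST) += selftest.o
 
 $(obj)/x509_cert_parser.o: \
 	$(obj)/x509.asn1.h \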
+224
crypto/asymmetric_keys/selftest.c
··· 1 + /* Self-testing for signature checking. 2 + * 3 + * Copyright (C) 2022 Red Hat, Inc. All Rights Reserved. 4 + * Written by David Howells (dhowells@redhat.com) 5 + */ 6 + 7 + #include <linux/kernel.h> 8 + #include <linux/cred.h> 9 + #include <linux/key.h> 10 + #include <crypto/pkcs7.h> 11 + #include "x509_parser.h" 12 + 13 + struct certs_test { 14 + const u8 *data; 15 + size_t data_len; 16 + const u8 *pkcs7; 17 + size_t pkcs7_len; 18 + }; 19 + 20 + /* 21 + * Set of X.509 certificates to provide public keys for the tests. These will 22 + * be loaded into a temporary keyring for the duration of the testing. 23 + */ 24 + static const __initconst u8 certs_selftest_keys[] = { 25 + "\x30\x82\x05\x55\x30\x82\x03\x3d\xa0\x03\x02\x01\x02\x02\x14\x73" 26 + "\x98\xea\x98\x2d\xd0\x2e\xa8\xb1\xcf\x57\xc7\xf2\x97\xb3\xe6\x1a" 27 + "\xfc\x8c\x0a\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b" 28 + "\x05\x00\x30\x34\x31\x32\x30\x30\x06\x03\x55\x04\x03\x0c\x29\x43" 29 + "\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x76\x65\x72\x69\x66" 30 + "\x69\x63\x61\x74\x69\x6f\x6e\x20\x73\x65\x6c\x66\x2d\x74\x65\x73" 31 + "\x74\x69\x6e\x67\x20\x6b\x65\x79\x30\x20\x17\x0d\x32\x32\x30\x35" 32 + "\x31\x38\x32\x32\x33\x32\x34\x31\x5a\x18\x0f\x32\x31\x32\x32\x30" 33 + "\x34\x32\x34\x32\x32\x33\x32\x34\x31\x5a\x30\x34\x31\x32\x30\x30" 34 + "\x06\x03\x55\x04\x03\x0c\x29\x43\x65\x72\x74\x69\x66\x69\x63\x61" 35 + "\x74\x65\x20\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x20" 36 + "\x73\x65\x6c\x66\x2d\x74\x65\x73\x74\x69\x6e\x67\x20\x6b\x65\x79" 37 + "\x30\x82\x02\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01" 38 + "\x01\x05\x00\x03\x82\x02\x0f\x00\x30\x82\x02\x0a\x02\x82\x02\x01" 39 + "\x00\xcc\xac\x49\xdd\x3b\xca\xb0\x15\x7e\x84\x6a\xb2\x0a\x69\x5f" 40 + "\x1c\x0a\x61\x82\x3b\x4f\x2c\xa3\x95\x2c\x08\x58\x4b\xb1\x5d\x99" 41 + "\xe0\xc3\xc1\x79\xc2\xb3\xeb\xc0\x1e\x6d\x3e\x54\x1d\xbd\xb7\x92" 42 + "\x7b\x4d\xb5\x95\x58\xb2\x52\x2e\xc6\x24\x4b\x71\x63\x80\x32\x77" 43 + 
"\xa7\x38\x5e\xdb\x72\xae\x6e\x0d\xec\xfb\xb6\x6d\x01\x7f\xe9\x55" 44 + "\x66\xdf\xbf\x1d\x76\x78\x02\x31\xe8\xe5\x07\xf8\xb7\x82\x5c\x0d" 45 + "\xd4\xbb\xfb\xa2\x59\x0d\x2e\x3a\x78\x95\x3a\x8b\x46\x06\x47\x44" 46 + "\x46\xd7\xcd\x06\x6a\x41\x13\xe3\x19\xf6\xbb\x6e\x38\xf4\x83\x01" 47 + "\xa3\xbf\x4a\x39\x4f\xd7\x0a\xe9\x38\xb3\xf5\x94\x14\x4e\xdd\xf7" 48 + "\x43\xfd\x24\xb2\x49\x3c\xa5\xf7\x7a\x7c\xd4\x45\x3d\x97\x75\x68" 49 + "\xf1\xed\x4c\x42\x0b\x70\xca\x85\xf3\xde\xe5\x88\x2c\xc5\xbe\xb6" 50 + "\x97\x34\xba\x24\x02\xcd\x8b\x86\x9f\xa9\x73\xca\x73\xcf\x92\x81" 51 + "\xee\x75\x55\xbb\x18\x67\x5c\xff\x3f\xb5\xdd\x33\x1b\x0c\xe9\x78" 52 + "\xdb\x5c\xcf\xaa\x5c\x43\x42\xdf\x5e\xa9\x6d\xec\xd7\xd7\xff\xe6" 53 + "\xa1\x3a\x92\x1a\xda\xae\xf6\x8c\x6f\x7b\xd5\xb4\x6e\x06\xe9\x8f" 54 + "\xe8\xde\x09\x31\x89\xed\x0e\x11\xa1\xfa\x8a\xe9\xe9\x64\x59\x62" 55 + "\x53\xda\xd1\x70\xbe\x11\xd4\x99\x97\x11\xcf\x99\xde\x0b\x9d\x94" 56 + "\x7e\xaa\xb8\x52\xea\x37\xdb\x90\x7e\x35\xbd\xd9\xfe\x6d\x0a\x48" 57 + "\x70\x28\xdd\xd5\x0d\x7f\x03\x80\x93\x14\x23\x8f\xb9\x22\xcd\x7c" 58 + "\x29\xfe\xf1\x72\xb5\x5c\x0b\x12\xcf\x9c\x15\xf6\x11\x4c\x7a\x45" 59 + "\x25\x8c\x45\x0a\x34\xac\x2d\x9a\x81\xca\x0b\x13\x22\xcd\xeb\x1a" 60 + "\x38\x88\x18\x97\x96\x08\x81\xaa\xcc\x8f\x0f\x8a\x32\x7b\x76\x68" 61 + "\x03\x68\x43\xbf\x11\xba\x55\x60\xfd\x80\x1c\x0d\x9b\x69\xb6\x09" 62 + "\x72\xbc\x0f\x41\x2f\x07\x82\xc6\xe3\xb2\x13\x91\xc4\x6d\x14\x95" 63 + "\x31\xbe\x19\xbd\xbc\xed\xe1\x4c\x74\xa2\xe0\x78\x0b\xbb\x94\xec" 64 + "\x4c\x53\x3a\xa2\xb5\x84\x1d\x4b\x65\x7e\xdc\xf7\xdb\x36\x7d\xbe" 65 + "\x9e\x3b\x36\x66\x42\x66\x76\x35\xbf\xbe\xf0\xc1\x3c\x7c\xe9\x42" 66 + "\x5c\x24\x53\x03\x05\xa8\x67\x24\x50\x02\x75\xff\x24\x46\x3b\x35" 67 + "\x89\x76\xe6\x70\xda\xc5\x51\x8c\x9a\xe5\x05\xb0\x0b\xd0\x2d\xd4" 68 + "\x7d\x57\x75\x94\x6b\xf9\x0a\xad\x0e\x41\x00\x15\xd0\x4f\xc0\x7f" 69 + "\x90\x2d\x18\x48\x8f\x28\xfe\x5d\xa7\xcd\x99\x9e\xbd\x02\x6c\x8a" 70 + 
"\x31\xf3\x1c\xc7\x4b\xe6\x93\xcd\x42\xa2\xe4\x68\x10\x47\x9d\xfc" 71 + "\x21\x02\x03\x01\x00\x01\xa3\x5d\x30\x5b\x30\x0c\x06\x03\x55\x1d" 72 + "\x13\x01\x01\xff\x04\x02\x30\x00\x30\x0b\x06\x03\x55\x1d\x0f\x04" 73 + "\x04\x03\x02\x07\x80\x30\x1d\x06\x03\x55\x1d\x0e\x04\x16\x04\x14" 74 + "\xf5\x87\x03\xbb\x33\xce\x1b\x73\xee\x02\xec\xcd\xee\x5b\x88\x17" 75 + "\x51\x8f\xe3\xdb\x30\x1f\x06\x03\x55\x1d\x23\x04\x18\x30\x16\x80" 76 + "\x14\xf5\x87\x03\xbb\x33\xce\x1b\x73\xee\x02\xec\xcd\xee\x5b\x88" 77 + "\x17\x51\x8f\xe3\xdb\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01" 78 + "\x01\x0b\x05\x00\x03\x82\x02\x01\x00\xc0\x2e\x12\x41\x7b\x73\x85" 79 + "\x16\xc8\xdb\x86\x79\xe8\xf5\xcd\x44\xf4\xc6\xe2\x81\x23\x5e\x47" 80 + "\xcb\xab\x25\xf1\x1e\x58\x3e\x31\x7f\x78\xad\x85\xeb\xfe\x14\x88" 81 + "\x60\xf7\x7f\xd2\x26\xa2\xf4\x98\x2a\xfd\xba\x05\x0c\x20\x33\x12" 82 + "\xcc\x4d\x14\x61\x64\x81\x93\xd3\x33\xed\xc8\xff\xf1\x78\xcc\x5f" 83 + "\x51\x9f\x09\xd7\xbe\x0d\x5c\x74\xfd\x9b\xdf\x52\x4a\xc9\xa8\x71" 84 + "\x25\x33\x04\x10\x67\x36\xd0\xb3\x0b\xc9\xa1\x40\x72\xae\x41\x7b" 85 + "\x68\xe6\xe4\x7b\xd0\x28\xf7\x6d\xe7\x3f\x50\xfc\x91\x7c\x91\x56" 86 + "\xd4\xdf\xa6\xbb\xe8\x4d\x1b\x58\xaa\x28\xfa\xc1\x19\xeb\x11\x2f" 87 + "\x24\x8b\x7c\xc5\xa9\x86\x26\xaa\x6e\xb7\x9b\xd5\xf8\x06\xfb\x02" 88 + "\x52\x7b\x9c\x9e\xa1\xe0\x07\x8b\x5e\xe4\xb8\x55\x29\xf6\x48\x52" 89 + "\x1c\x1b\x54\x2d\x46\xd8\xe5\x71\xb9\x60\xd1\x45\xb5\x92\x89\x8a" 90 + "\x63\x58\x2a\xb3\xc6\xb2\x76\xe2\x3c\x82\x59\x04\xae\x5a\xc4\x99" 91 + "\x7b\x2e\x4b\x46\x57\xb8\x29\x24\xb2\xfd\xee\x2c\x0d\xa4\x83\xfa" 92 + "\x65\x2a\x07\x35\x8b\x97\xcf\xbd\x96\x2e\xd1\x7e\x6c\xc2\x1e\x87" 93 + "\xb6\x6c\x76\x65\xb5\xb2\x62\xda\x8b\xe9\x73\xe3\xdb\x33\xdd\x13" 94 + "\x3a\x17\x63\x6a\x76\xde\x8d\x8f\xe0\x47\x61\x28\x3a\x83\xff\x8f" 95 + "\xe7\xc7\xe0\x4a\xa3\xe5\x07\xcf\xe9\x8c\x35\x35\x2e\xe7\x80\x66" 96 + "\x31\xbf\x91\x58\x0a\xe1\x25\x3d\x38\xd3\xa4\xf0\x59\x34\x47\x07" 97 + 
"\x62\x0f\xbe\x30\xdd\x81\x88\x58\xf0\x28\xb0\x96\xe5\x82\xf8\x05" 98 + "\xb7\x13\x01\xbc\xfa\xc6\x1f\x86\x72\xcc\xf9\xee\x8e\xd9\xd6\x04" 99 + "\x8c\x24\x6c\xbf\x0f\x5d\x37\x39\xcf\x45\xc1\x93\x3a\xd2\xed\x5c" 100 + "\x58\x79\x74\x86\x62\x30\x7e\x8e\xbb\xdd\x7a\xa9\xed\xca\x40\xcb" 101 + "\x62\x47\xf4\xb4\x9f\x52\x7f\x72\x63\xa8\xf0\x2b\xaf\x45\x2a\x48" 102 + "\x19\x6d\xe3\xfb\xf9\x19\x66\x69\xc8\xcc\x62\x87\x6c\x53\x2b\x2d" 103 + "\x6e\x90\x6c\x54\x3a\x82\x25\x41\xcb\x18\x6a\xa4\x22\xa8\xa1\xc4" 104 + "\x47\xd7\x81\x00\x1c\x15\x51\x0f\x1a\xaf\xef\x9f\xa6\x61\x8c\xbd" 105 + "\x6b\x8b\xed\xe6\xac\x0e\xb6\x3a\x4c\x92\xe6\x0f\x91\x0a\x0f\x71" 106 + "\xc7\xa0\xb9\x0d\x3a\x17\x5a\x6f\x35\xc8\xe7\x50\x4f\x46\xe8\x70" 107 + "\x60\x48\x06\x82\x8b\x66\x58\xe6\x73\x91\x9c\x12\x3d\x35\x8e\x46" 108 + "\xad\x5a\xf5\xb3\xdb\x69\x21\x04\xfd\xd3\x1c\xdf\x94\x9d\x56\xb0" 109 + "\x0a\xd1\x95\x76\x8d\xec\x9e\xdd\x0b\x15\x97\x64\xad\xe5\xf2\x62" 110 + "\x02\xfc\x9e\x5f\x56\x42\x39\x05\xb3" 111 + }; 112 + 113 + /* 114 + * Signed data and detached signature blobs that form the verification tests. 
115 + */ 116 + static const __initconst u8 certs_selftest_1_data[] = { 117 + "\x54\x68\x69\x73\x20\x69\x73\x20\x73\x6f\x6d\x65\x20\x74\x65\x73" 118 + "\x74\x20\x64\x61\x74\x61\x20\x75\x73\x65\x64\x20\x66\x6f\x72\x20" 119 + "\x73\x65\x6c\x66\x2d\x74\x65\x73\x74\x69\x6e\x67\x20\x63\x65\x72" 120 + "\x74\x69\x66\x69\x63\x61\x74\x65\x20\x76\x65\x72\x69\x66\x69\x63" 121 + "\x61\x74\x69\x6f\x6e\x2e\x0a" 122 + }; 123 + 124 + static const __initconst u8 certs_selftest_1_pkcs7[] = { 125 + "\x30\x82\x02\xab\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0" 126 + "\x82\x02\x9c\x30\x82\x02\x98\x02\x01\x01\x31\x0d\x30\x0b\x06\x09" 127 + "\x60\x86\x48\x01\x65\x03\x04\x02\x01\x30\x0b\x06\x09\x2a\x86\x48" 128 + "\x86\xf7\x0d\x01\x07\x01\x31\x82\x02\x75\x30\x82\x02\x71\x02\x01" 129 + "\x01\x30\x4c\x30\x34\x31\x32\x30\x30\x06\x03\x55\x04\x03\x0c\x29" 130 + "\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x76\x65\x72\x69" 131 + "\x66\x69\x63\x61\x74\x69\x6f\x6e\x20\x73\x65\x6c\x66\x2d\x74\x65" 132 + "\x73\x74\x69\x6e\x67\x20\x6b\x65\x79\x02\x14\x73\x98\xea\x98\x2d" 133 + "\xd0\x2e\xa8\xb1\xcf\x57\xc7\xf2\x97\xb3\xe6\x1a\xfc\x8c\x0a\x30" 134 + "\x0b\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x30\x0d\x06\x09" 135 + "\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x04\x82\x02\x00\xac" 136 + "\xb0\xf2\x07\xd6\x99\x6d\xc0\xc0\xd9\x8d\x31\x0d\x7e\x04\xeb\xc3" 137 + "\x88\x90\xc4\x58\x46\xd4\xe2\xa0\xa3\x25\xe3\x04\x50\x37\x85\x8c" 138 + "\x91\xc6\xfc\xc5\xd4\x92\xfd\x05\xd8\xb8\xa3\xb8\xba\x89\x13\x00" 139 + "\x88\x79\x99\x51\x6b\x5b\x28\x31\xc0\xb3\x1b\x7a\x68\x2c\x00\xdb" 140 + "\x4b\x46\x11\xf3\xfa\x50\x8e\x19\x89\xa2\x4c\xda\x4c\x89\x01\x11" 141 + "\x89\xee\xd3\xc8\xc1\xe7\xa7\xf6\xb2\xa2\xf8\x65\xb8\x35\x20\x33" 142 + "\xba\x12\x62\xd5\xbd\xaa\x71\xe5\x5b\xc0\x6a\x32\xff\x6a\x2e\x23" 143 + "\xef\x2b\xb6\x58\xb1\xfb\x5f\x82\x34\x40\x6d\x9f\xbc\x27\xac\x37" 144 + "\x23\x99\xcf\x7d\x20\xb2\x39\x01\xc0\x12\xce\xd7\x5d\x2f\xb6\xab" 145 + 
"\xb5\x56\x4f\xef\xf4\x72\x07\x58\x65\xa9\xeb\x1f\x75\x1c\x5f\x0c" 146 + "\x88\xe0\xa4\xe2\xcd\x73\x2b\x9e\xb2\x05\x7e\x12\xf8\xd0\x66\x41" 147 + "\xcc\x12\x63\xd4\xd6\xac\x9b\x1d\x14\x77\x8d\x1c\x57\xd5\x27\xc6" 148 + "\x49\xa2\x41\x43\xf3\x59\x29\xe5\xcb\xd1\x75\xbc\x3a\x97\x2a\x72" 149 + "\x22\x66\xc5\x3b\xc1\xba\xfc\x53\x18\x98\xe2\x21\x64\xc6\x52\x87" 150 + "\x13\xd5\x7c\x42\xe8\xfb\x9c\x9a\x45\x32\xd5\xa5\x22\x62\x9d\xd4" 151 + "\xcb\xa4\xfa\x77\xbb\x50\x24\x0b\x8b\x88\x99\x15\x56\xa9\x1e\x92" 152 + "\xbf\x5d\x94\x77\xb6\xf1\x67\x01\x60\x06\x58\x5c\xdf\x18\x52\x79" 153 + "\x37\x30\x93\x7d\x87\x04\xf1\xe0\x55\x59\x52\xf3\xc2\xb1\x1c\x5b" 154 + "\x12\x7c\x49\x87\xfb\xf7\xed\xdd\x95\x71\xec\x4b\x1a\x85\x08\xb0" 155 + "\xa0\x36\xc4\x7b\xab\x40\xe0\xf1\x98\xcc\xaf\x19\x40\x8f\x47\x6f" 156 + "\xf0\x6c\x84\x29\x7f\x7f\x04\x46\xcb\x08\x0f\xe0\xc1\xc9\x70\x6e" 157 + "\x95\x3b\xa4\xbc\x29\x2b\x53\x67\x45\x1b\x0d\xbc\x13\xa5\x76\x31" 158 + "\xaf\xb9\xd0\xe0\x60\x12\xd2\xf4\xb7\x7c\x58\x7e\xf6\x2d\xbb\x24" 159 + "\x14\x5a\x20\x24\xa8\x12\xdf\x25\xbd\x42\xce\x96\x7c\x2e\xba\x14" 160 + "\x1b\x81\x9f\x18\x45\xa4\xc6\x70\x3e\x0e\xf0\xd3\x7b\x9c\x10\xbe" 161 + "\xb8\x7a\x89\xc5\x9e\xd9\x97\xdf\xd7\xe7\xc6\x1d\xc0\x20\x6c\xb8" 162 + "\x1e\x3a\x63\xb8\x39\x8e\x8e\x62\xd5\xd2\xb4\xcd\xff\x46\xfc\x8e" 163 + "\xec\x07\x35\x0c\xff\xb0\x05\xe6\xf4\xe5\xfe\xa2\xe3\x0a\xe6\x36" 164 + "\xa7\x4a\x7e\x62\x1d\xc4\x50\x39\x35\x4e\x28\xcb\x4a\xfb\x9d\xdb" 165 + "\xdd\x23\xd6\x53\xb1\x74\x77\x12\xf7\x9c\xf0\x9a\x6b\xf7\xa9\x64" 166 + "\x2d\x86\x21\x2a\xcf\xc6\x54\xf5\xc9\xad\xfa\xb5\x12\xb4\xf3\x51" 167 + "\x77\x55\x3c\x6f\x0c\x32\xd3\x8c\x44\x39\x71\x25\xfe\x96\xd2" 168 + }; 169 + 170 + /* 171 + * List of tests to be run. 
172 + */ 173 + #define TEST(data, pkcs7) { data, sizeof(data) - 1, pkcs7, sizeof(pkcs7) - 1 } 174 + static const struct certs_test certs_tests[] __initconst = { 175 + TEST(certs_selftest_1_data, certs_selftest_1_pkcs7), 176 + }; 177 + 178 + int __init fips_signature_selftest(void) 179 + { 180 + struct key *keyring; 181 + int ret, i; 182 + 183 + pr_notice("Running certificate verification selftests\n"); 184 + 185 + keyring = keyring_alloc(".certs_selftest", 186 + GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), 187 + (KEY_POS_ALL & ~KEY_POS_SETATTR) | 188 + KEY_USR_VIEW | KEY_USR_READ | 189 + KEY_USR_SEARCH, 190 + KEY_ALLOC_NOT_IN_QUOTA, 191 + NULL, NULL); 192 + if (IS_ERR(keyring)) 193 + panic("Can't allocate certs selftest keyring: %ld\n", 194 + PTR_ERR(keyring)); 195 + 196 + ret = x509_load_certificate_list(certs_selftest_keys, 197 + sizeof(certs_selftest_keys) - 1, keyring); 198 + if (ret < 0) 199 + panic("Can't allocate certs selftest keyring: %d\n", ret); 200 + 201 + for (i = 0; i < ARRAY_SIZE(certs_tests); i++) { 202 + const struct certs_test *test = &certs_tests[i]; 203 + struct pkcs7_message *pkcs7; 204 + 205 + pkcs7 = pkcs7_parse_message(test->pkcs7, test->pkcs7_len); 206 + if (IS_ERR(pkcs7)) 207 + panic("Certs selftest %d: pkcs7_parse_message() = %d\n", i, ret); 208 + 209 + pkcs7_supply_detached_data(pkcs7, test->data, test->data_len); 210 + 211 + ret = pkcs7_verify(pkcs7, VERIFYING_MODULE_SIGNATURE); 212 + if (ret < 0) 213 + panic("Certs selftest %d: pkcs7_verify() = %d\n", i, ret); 214 + 215 + ret = pkcs7_validate_trust(pkcs7, keyring); 216 + if (ret < 0) 217 + panic("Certs selftest %d: pkcs7_validate_trust() = %d\n", i, ret); 218 + 219 + pkcs7_free_message(pkcs7); 220 + } 221 + 222 + key_put(keyring); 223 + return 0; 224 + }
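Review bot: The panic at new line 207 prints `ret` when `pkcs7_parse_message()` fails, but at that point `ret` still holds the result of the earlier `x509_load_certificate_list()` call (non-negative, or we would already have panicked), so the message never shows the actual parse error; it should be `panic("Certs selftest %d: pkcs7_parse_message() = %ld\n", i, PTR_ERR(pkcs7));`. The panic at line 199 reuses the keyring-allocation wording for a certificate-loading failure and would be clearer as `panic("Can't load certs selftest keys: %d\n", ret);`. The return value of `pkcs7_supply_detached_data()` at line 209 is discarded; it can report failure, and ignoring it would let a later `pkcs7_verify()` failure be reported with a misleading cause. The loop index `i` at line 181 is an `int` compared against `ARRAY_SIZE()` at line 201, which produces a signed/unsigned comparison warning; `unsigned int i` avoids it. Only the positive path is exercised here — adding a case whose data blob is deliberately altered and asserting that verification is rejected would make the self-test considerably stronger as a FIPS known-answer check.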
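--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -41,6 +41,15 @@
 };
 
 /*
+ * selftest.c
+ */
+#ifdef CONFIG_FIPS_SIGNATURE_SELFTEST
+extern int __init fips_signature_selftest(void);
+#else
+static inline int fips_signature_selftest(void) { return 0; }
+#endif
+
+/*
  * x509_cert_parser.c
  */
 extern void x509_free_certificate(struct x509_certificate *cert);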
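--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -244,9 +244,15 @@
 /*
  * Module stuff
  */
+extern int __init certs_selftest(void);
 static int __init x509_key_init(void)
 {
-	return register_asymmetric_key_parser(&x509_key_parser);
+	int ret;
+
+	ret = register_asymmetric_key_parser(&x509_key_parser);
+	if (ret < 0)
+		return ret;
+	return fips_signature_selftest();
 }
 
 static void __exit x509_key_exit(void)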
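Review bot: The declaration `extern int __init certs_selftest(void);` added at new line 247 is never referenced — the init path calls `fips_signature_selftest()`, which the x509_parser.h change in this merge already declares (with an inline stub when CONFIG_FIPS_SIGNATURE_SELFTEST is off) — so it looks like a leftover from an earlier name and should be removed. Keeping a stray prototype for a function that does not exist also sidesteps the header's single shared declaration, which is what catches signature drift between caller and callee.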
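--- a/include/keys/asymmetric-type.h
+++ b/include/keys/asymmetric-type.h
@@ -84,6 +84,9 @@
 				 const struct asymmetric_key_id *id_2,
 				 bool partial);
 
+int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size,
+			       const struct key *keyring);
+
 /*
  * The payload is at the discretion of the subtype.
  */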