diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-11-06 00:32:38 +0100 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-11-06 00:32:38 +0100 |
commit | 1873499e13648a2dd01a394ed3217c9290921b3d (patch) | |
tree | 3a662aadb3c02bbce2e9231a90da6e98b54d33d4 /scripts | |
parent | Merge branch 'upstream' of git://git.infradead.org/users/pcmoore/audit (diff) | |
parent | Merge tag 'keys-next-20151021' of git://git.kernel.org/pub/scm/linux/kernel/g... (diff) | |
download | linux-1873499e13648a2dd01a394ed3217c9290921b3d.tar.xz linux-1873499e13648a2dd01a394ed3217c9290921b3d.zip |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem update from James Morris:
"This is mostly maintenance updates across the subsystem, with a
notable update for TPM 2.0, and addition of Jarkko Sakkinen as a
maintainer of that"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits)
apparmor: clarify CRYPTO dependency
selinux: Use a kmem_cache for allocation struct file_security_struct
selinux: ioctl_has_perm should be static
selinux: use sprintf return value
selinux: use kstrdup() in security_get_bools()
selinux: use kmemdup in security_sid_to_context_core()
selinux: remove pointless cast in selinux_inode_setsecurity()
selinux: introduce security_context_str_to_sid
selinux: do not check open perm on ftruncate call
selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default
KEYS: Merge the type-specific data with the payload data
KEYS: Provide a script to extract a module signature
KEYS: Provide a script to extract the sys cert list from a vmlinux file
keys: Be more consistent in selection of union members used
certs: add .gitignore to stop git nagging about x509_certificate_list
KEYS: use kvfree() in add_key
Smack: limited capability for changing process label
TPM: remove unnecessary little endian conversion
vTPM: support little endian guests
char: Drop owner assignment from i2c_driver
...
Diffstat (limited to 'scripts')
-rwxr-xr-x | scripts/extract-module-sig.pl | 136 | ||||
-rwxr-xr-x | scripts/extract-sys-certs.pl | 144 |
2 files changed, 280 insertions, 0 deletions
diff --git a/scripts/extract-module-sig.pl b/scripts/extract-module-sig.pl new file mode 100755 index 000000000000..faac6f2e377f --- /dev/null +++ b/scripts/extract-module-sig.pl @@ -0,0 +1,136 @@ +#!/usr/bin/perl -w +# +# extract-mod-sig <part> <module-file> +# +# Reads the module file and writes out some or all of the signature +# section to stdout. Part is the bit to be written and is one of: +# +# -0: The unsigned module, no signature data at all +# -a: All of the signature data, including magic number +# -d: Just the descriptor values as a sequence of numbers +# -n: Just the signer's name +# -k: Just the key ID +# -s: Just the crypto signature or PKCS#7 message +# +use strict; + +die "Format: $0 -[0adnks] module-file >out\n" + if ($#ARGV != 1); + +my $part = $ARGV[0]; +my $modfile = $ARGV[1]; + +my $magic_number = "~Module signature appended~\n"; + +# +# Read the module contents +# +open FD, "<$modfile" || die $modfile; +binmode(FD); +my @st = stat(FD); +die "$modfile" unless (@st); +my $buf = ""; +my $len = sysread(FD, $buf, $st[7]); +die "$modfile" unless (defined($len)); +die "Short read on $modfile\n" unless ($len == $st[7]); +close(FD) || die $modfile; + +print STDERR "Read ", $len, " bytes from module file\n"; + +die "The file is too short to have a sig magic number and descriptor\n" + if ($len < 12 + length($magic_number)); + +# +# Check for the magic number and extract the information block +# +my $p = $len - length($magic_number); +my $raw_magic = substr($buf, $p); + +die "Magic number not found at $len\n" + if ($raw_magic ne $magic_number); +print STDERR "Found magic number at $len\n"; + +$p -= 12; +my $raw_info = substr($buf, $p, 12); + +my @info = unpack("CCCCCxxxN", $raw_info); +my ($algo, $hash, $id_type, $name_len, $kid_len, $sig_len) = @info; + +if ($id_type == 0) { + print STDERR "Found PGP key identifier\n"; +} elsif ($id_type == 1) { + print STDERR "Found X.509 cert identifier\n"; +} elsif ($id_type == 2) { + print STDERR "Found PKCS#7/CMS encapsulation\n"; +} else { + print STDERR "Found unsupported identifier type $id_type\n"; +} + +# +# Extract the three pieces of info data +# +die "Insufficient name+kid+sig data in file\n" + unless ($p >= $name_len + $kid_len + $sig_len); + +$p -= $sig_len; +my $raw_sig = substr($buf, $p, $sig_len); +$p -= $kid_len; +my $raw_kid = substr($buf, $p, $kid_len); +$p -= $name_len; +my $raw_name = substr($buf, $p, $name_len); + +my $module_len = $p; + +if ($sig_len > 0) { + print STDERR "Found $sig_len bytes of signature ["; + my $n = $sig_len > 16 ? 16 : $sig_len; + foreach my $i (unpack("C" x $n, substr($raw_sig, 0, $n))) { + printf STDERR "%02x", $i; + } + print STDERR "]\n"; +} + +if ($kid_len > 0) { + print STDERR "Found $kid_len bytes of key identifier ["; + my $n = $kid_len > 16 ? 16 : $kid_len; + foreach my $i (unpack("C" x $n, substr($raw_kid, 0, $n))) { + printf STDERR "%02x", $i; + } + print STDERR "]\n"; +} + +if ($name_len > 0) { + print STDERR "Found $name_len bytes of signer's name [$raw_name]\n"; +} + +# +# Produce the requested output +# +if ($part eq "-0") { + # The unsigned module, no signature data at all + binmode(STDOUT); + print substr($buf, 0, $module_len); +} elsif ($part eq "-a") { + # All of the signature data, including magic number + binmode(STDOUT); + print substr($buf, $module_len); +} elsif ($part eq "-d") { + # Just the descriptor values as a sequence of numbers + print join(" ", @info), "\n"; +} elsif ($part eq "-n") { + # Just the signer's name + print STDERR "No signer's name for PKCS#7 message type sig\n" + if ($id_type == 2); + binmode(STDOUT); + print $raw_name; +} elsif ($part eq "-k") { + # Just the key identifier + print STDERR "No key ID for PKCS#7 message type sig\n" + if ($id_type == 2); + binmode(STDOUT); + print $raw_kid; +} elsif ($part eq "-s") { + # Just the crypto signature or PKCS#7 message + binmode(STDOUT); + print $raw_sig; +} diff --git a/scripts/extract-sys-certs.pl b/scripts/extract-sys-certs.pl new file mode 100755 index 000000000000..d476e7d1fd88 --- /dev/null +++ b/scripts/extract-sys-certs.pl @@ -0,0 +1,144 @@ +#!/usr/bin/perl -w +# +use strict; +use Math::BigInt; +use Fcntl "SEEK_SET"; + +die "Format: $0 [-s <systemmap-file>] <vmlinux-file> <keyring-file>\n" + if ($#ARGV != 1 && $#ARGV != 3 || + $#ARGV == 3 && $ARGV[0] ne "-s"); + +my $sysmap = ""; +if ($#ARGV == 3) { + shift; + $sysmap = $ARGV[0]; + shift; +} + +my $vmlinux = $ARGV[0]; +my $keyring = $ARGV[1]; + +# +# Parse the vmlinux section table +# +open FD, "objdump -h $vmlinux |" || die $vmlinux; +my @lines = <FD>; +close(FD) || die $vmlinux; + +my @sections = (); + +foreach my $line (@lines) { + chomp($line); + if ($line =~ /\s*([0-9]+)\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+2[*][*]([0-9]+)/ + ) { + my $seg = $1; + my $name = $2; + my $len = Math::BigInt->new("0x" . $3); + my $vma = Math::BigInt->new("0x" . $4); + my $lma = Math::BigInt->new("0x" . $5); + my $foff = Math::BigInt->new("0x" . $6); + my $align = 2 ** $7; + + push @sections, { name => $name, + vma => $vma, + len => $len, + foff => $foff }; + } +} + +print "Have $#sections sections\n"; + +# +# Try and parse the vmlinux symbol table. If the vmlinux file has been created +# from a vmlinuz file with extract-vmlinux then the symbol table will be empty. +# +open FD, "nm $vmlinux 2>/dev/null |" || die $vmlinux; +@lines = <FD>; +close(FD) || die $vmlinux; + +my %symbols = (); +my $nr_symbols = 0; + +sub parse_symbols(@) { + foreach my $line (@_) { + chomp($line); + if ($line =~ /([0-9a-f]+)\s([a-zA-Z])\s(\S+)/ + ) { + my $addr = "0x" . $1; + my $type = $2; + my $name = $3; + + $symbols{$name} = $addr; + $nr_symbols++; + } + } +} +parse_symbols(@lines); + +if ($nr_symbols == 0 && $sysmap ne "") { + print "No symbols in vmlinux, trying $sysmap\n"; + + open FD, "<$sysmap" || die $sysmap; + @lines = <FD>; + close(FD) || die $sysmap; + parse_symbols(@lines); +} + +die "No symbols available\n" + if ($nr_symbols == 0); + +print "Have $nr_symbols symbols\n"; + +die "Can't find system certificate list" + unless (exists($symbols{"__cert_list_start"}) && + exists($symbols{"__cert_list_end"})); + +my $start = Math::BigInt->new($symbols{"__cert_list_start"}); +my $end = Math::BigInt->new($symbols{"__cert_list_end"}); +my $size = $end - $start; + +printf "Have %u bytes of certs at VMA 0x%x\n", $size, $start; + +my $s = undef; +foreach my $sec (@sections) { + my $s_name = $sec->{name}; + my $s_vma = $sec->{vma}; + my $s_len = $sec->{len}; + my $s_foff = $sec->{foff}; + my $s_vend = $s_vma + $s_len; + + next unless ($start >= $s_vma); + next if ($start >= $s_vend); + + die "Cert object partially overflows section $s_name\n" + if ($end > $s_vend); + + die "Cert object in multiple sections: ", $s_name, " and ", $s->{name}, "\n" + if ($s); + $s = $sec; +} + +die "Cert object not inside a section\n" + unless ($s); + +print "Certificate list in section ", $s->{name}, "\n"; + +my $foff = $start - $s->{vma} + $s->{foff}; + +printf "Certificate list at file offset 0x%x\n", $foff; + +open FD, "<$vmlinux" || die $vmlinux; +binmode(FD); +die $vmlinux if (!defined(sysseek(FD, $foff, SEEK_SET))); +my $buf = ""; +my $len = sysread(FD, $buf, $size); +die "$vmlinux" if (!defined($len)); +die "Short read on $vmlinux\n" if ($len != $size); +close(FD) || die $vmlinux; + +open FD, ">$keyring" || die $keyring; +binmode(FD); +$len = syswrite(FD, $buf, $size); +die "$keyring" if (!defined($len)); +die "Short write on $keyring\n" if ($len != $size); +close(FD) || die $keyring; |