On Fri, 2017-09-15 at 12:18 +0200, Johannes Berg wrote: > > +config CFG80211_REQUIRE_SIGNED_REGDB > + bool "require regdb signature" if > CFG80211_CERTIFICATION_ONUS > + default y > + select SYSTEM_DATA_VERIFICATION Note that this will not be easy to backport, however, the code only needs relatively self-contained functionality, namely this: > + builtin_regdb_keys = > + keyring_alloc(".builtin_regdb_keys", > + KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), > + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | > + KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), > + KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); > + key = key_create_or_update(make_key_ref(builtin_regdb_keys, 1), > + "asymmetric", > + NULL, > + p, > + plen, > + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | > + KEY_USR_VIEW | KEY_USR_READ), > + KEY_ALLOC_NOT_IN_QUOTA | > + KEY_ALLOC_BUILT_IN | > + KEY_ALLOC_BYPASS_RESTRICTION); > + if (verify_pkcs7_signature(db->data, db->size, sig->data, sig->size, > + builtin_regdb_keys, > + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL)) so I'm hoping it won't be too difficult, since we don't really need the ability to manipulate keyrings etc. johannes
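Review bot: in the quoted lines the return values of keyring_alloc() and key_create_or_update() are never checked before builtin_regdb_keys is handed to verify_pkcs7_signature(); both can return an ERR_PTR, so if the full patch does not already test IS_ERR(builtin_regdb_keys) and IS_ERR(key) right after those calls, a failed keyring or key allocation would pass an error pointer into the verifier instead of failing cleanly. Checking IS_ERR() on each and bailing out (for example with a WARN and by treating the regdb as unverified) keeps the signature requirement fail-closed, which is the point of CFG80211_REQUIRE_SIGNED_REGDB defaulting to y.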