1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* 27 * Core KCF (Kernel Cryptographic Framework). This file implements 28 * the loadable module entry points and module verification routines. 29 */ 30 31 #include <sys/systm.h> 32 #include <sys/cmn_err.h> 33 #include <sys/ddi.h> 34 #include <sys/sunddi.h> 35 #include <sys/modctl.h> 36 #include <sys/errno.h> 37 #include <sys/rwlock.h> 38 #include <sys/kmem.h> 39 #include <sys/door.h> 40 #include <sys/kobj.h> 41 42 #include <sys/crypto/common.h> 43 #include <sys/crypto/api.h> 44 #include <sys/crypto/spi.h> 45 #include <sys/crypto/impl.h> 46 #include <sys/crypto/sched_impl.h> 47 #include <sys/crypto/elfsign.h> 48 49 #ifdef DEBUG 50 int kcf_frmwrk_debug = 0; 51 52 #define KCF_FRMWRK_DEBUG(l, x) if (kcf_frmwrk_debug >= l) printf x 53 #else /* DEBUG */ 54 #define KCF_FRMWRK_DEBUG(l, x) 55 #endif /* DEBUG */ 56 57 /* 58 * Door to make upcalls to kcfd. kcfd will send us this 59 * handle when it is coming up. 60 */ 61 kmutex_t kcf_dh_lock; 62 door_handle_t kcf_dh = NULL; 63 64 65 static struct modlmisc modlmisc = { 66 &mod_miscops, "Kernel Crypto Framework" 67 }; 68 69 static struct modlinkage modlinkage = { 70 MODREV_1, (void *)&modlmisc, NULL 71 }; 72 73 static int rngtimer_started; 74 75 76 int 77 _init() 78 { 79 /* initialize the mechanisms tables supported out-of-the-box */ 80 kcf_init_mech_tabs(); 81 82 /* initialize the providers tables */ 83 kcf_prov_tab_init(); 84 85 /* initialize the policy table */ 86 kcf_policy_tab_init(); 87 88 /* initialize soft_config_list */ 89 kcf_soft_config_init(); 90 91 /* 92 * Initialize scheduling structures. Note that this does NOT 93 * start any threads since it might not be safe to do so. 94 */ 95 kcf_sched_init(); 96 97 /* initialize the RNG support structures */ 98 rngtimer_started = 0; 99 kcf_rnd_init(); 100 101 return (mod_install(&modlinkage)); 102 } 103 104 int 105 _info(struct modinfo *modinfop) 106 { 107 return (mod_info(&modlinkage, modinfop)); 108 } 109 110 /* 111 * We do not allow kcf to unload. 112 */ 113 int 114 _fini(void) 115 { 116 return (EBUSY); 117 } 118 119 /* 120 * Return a pointer to the modctl structure of the 121 * provider's module. 122 */ 123 struct modctl * 124 kcf_get_modctl(crypto_provider_info_t *pinfo) 125 { 126 struct modctl *mctlp; 127 128 /* Get the modctl struct for this module */ 129 if (pinfo->pi_provider_type == CRYPTO_SW_PROVIDER) 130 mctlp = mod_getctl(pinfo->pi_provider_dev.pd_sw); 131 else { 132 major_t major; 133 char *drvmod; 134 135 if ((major = 136 ddi_driver_major(pinfo->pi_provider_dev.pd_hw)) != -1) { 137 drvmod = ddi_major_to_name(major); 138 mctlp = mod_find_by_filename("drv", drvmod); 139 } else 140 return (NULL); 141 } 142 143 return (mctlp); 144 } 145 146 /* 147 * Check if signature verification is needed for a provider. 148 * 149 * Returns 0, if no verification is needed. Returns 1, if 150 * verification is needed. Returns -1, if there is an 151 * error. 152 */ 153 int 154 kcf_need_signature_verification(kcf_provider_desc_t *pd) 155 { 156 struct module *mp; 157 struct modctl *mctlp = pd->pd_mctlp; 158 crypto_ops_t *prov_ops = pd->pd_ops_vector; 159 160 if (pd->pd_prov_type == CRYPTO_LOGICAL_PROVIDER) 161 return (0); 162 163 if (mctlp == NULL || mctlp->mod_mp == NULL) 164 return (-1); 165 166 mp = (struct module *)mctlp->mod_mp; 167 168 /* 169 * Check if this provider needs to be verified. We always verify 170 * the module if it carries a signature. Any operation set which has 171 * a encryption/decryption component is a candidate for verification. 172 */ 173 if (prov_ops->co_cipher_ops == NULL && prov_ops->co_dual_ops == NULL && 174 prov_ops->co_dual_cipher_mac_ops == NULL && 175 prov_ops->co_key_ops == NULL && prov_ops->co_sign_ops == NULL && 176 prov_ops->co_verify_ops == NULL && mp->sigdata == NULL) { 177 return (0); 178 } 179 180 /* 181 * See if this module has a proper signature section. 182 */ 183 if (mp->sigdata == NULL) { 184 return (-1); 185 } 186 187 mutex_enter(&pd->pd_lock); 188 pd->pd_state = KCF_PROV_UNVERIFIED; 189 mutex_exit(&pd->pd_lock); 190 191 return (1); 192 } 193 194 /* 195 * Do the signature verification on the given module. This function can 196 * be called from user context or kernel context. 197 * 198 * We call kcfd with the full pathname of the module to be 199 * verified. kcfd will return success/restricted/fail, signature length 200 * and the actual signature in the ELF section of the module. If kcfd 201 * returns success or restricted, we compare the signature and the length 202 * with the values that krtld stored in the module structure. We log an 203 * error message in case of a failure. 204 * 205 * The provider state is changed to KCF_PROV_READY on success. 206 */ 207 void 208 kcf_verify_signature(void *arg) 209 { 210 int rv; 211 int error = CRYPTO_MODVERIFICATION_FAILED; 212 door_arg_t darg; 213 door_handle_t ldh; 214 kcf_door_arg_t *kda; 215 char *filename; 216 kcf_provider_desc_t *pd = arg; 217 struct module *mp; 218 boolean_t do_notify = B_FALSE; 219 boolean_t modhold_done = B_FALSE; 220 struct modctl *mctlp = pd->pd_mctlp; 221 222 ASSERT(pd->pd_prov_type != CRYPTO_LOGICAL_PROVIDER); 223 ASSERT(mctlp != NULL); 224 225 for (;;) { 226 mutex_enter(&pd->pd_lock); 227 /* No need to do verification */ 228 if (pd->pd_state != KCF_PROV_UNVERIFIED) { 229 mutex_exit(&pd->pd_lock); 230 goto out; 231 } 232 mutex_exit(&pd->pd_lock); 233 234 mutex_enter(&mod_lock); 235 if (mctlp->mod_mp == NULL) { 236 mutex_exit(&mod_lock); 237 goto out; 238 } 239 240 /* 241 * This check is needed since a software provider can call 242 * us directly from the _init->crypto_register_provider path. 243 */ 244 if (pd->pd_prov_type == CRYPTO_SW_PROVIDER && 245 mctlp->mod_inprogress_thread == curthread) { 246 mutex_exit(&mod_lock); 247 modhold_done = B_FALSE; 248 break; 249 } 250 251 /* 252 * We could be in a race with the register thread or 253 * the unregister thread. So, retry if register or 254 * unregister is in progress. Note that we can't do 255 * mod_hold_by_modctl without this check since that 256 * could result in a deadlock with the other threads. 257 */ 258 if (mctlp->mod_busy) { 259 mutex_exit(&mod_lock); 260 /* delay for 10ms and try again */ 261 delay(drv_usectohz(10000)); 262 continue; 263 } 264 265 (void) mod_hold_by_modctl(mctlp, 266 MOD_WAIT_FOREVER | MOD_LOCK_HELD); 267 mutex_exit(&mod_lock); 268 modhold_done = B_TRUE; 269 break; 270 } 271 272 /* 273 * Check if the door is set up yet. This will be set when kcfd 274 * comes up. If not, we return and leave the provider state unchanged 275 * at KCF_PROV_UNVERIFIED. This will trigger the verification of 276 * the module later when kcfd is up. This is safe as we NEVER use 277 * a provider that has not been verified yet. 278 */ 279 mutex_enter(&kcf_dh_lock); 280 if (kcf_dh == NULL) { 281 mutex_exit(&kcf_dh_lock); 282 goto out; 283 } 284 285 ldh = kcf_dh; 286 door_ki_hold(ldh); 287 mutex_exit(&kcf_dh_lock); 288 289 mp = (struct module *)mctlp->mod_mp; 290 filename = mp->filename; 291 KCF_FRMWRK_DEBUG(2, ("Verifying module: %s\n", filename)); 292 293 kda = kmem_alloc(sizeof (kcf_door_arg_t) + mp->sigsize, KM_SLEEP); 294 kda->da_version = KCF_KCFD_VERSION1; 295 kda->da_iskernel = B_TRUE; 296 bcopy(filename, kda->da_u.filename, strlen(filename) + 1); 297 298 darg.data_ptr = (char *)kda; 299 darg.data_size = sizeof (kcf_door_arg_t) + mp->sigsize; 300 darg.desc_ptr = NULL; 301 darg.desc_num = 0; 302 darg.rbuf = (char *)kda; 303 darg.rsize = sizeof (kcf_door_arg_t); 304 305 /* 306 * Make door upcall. door_ki_upcall() checks for validity of the handle. 307 */ 308 rv = door_ki_upcall_limited(ldh, &darg, NULL, SIZE_MAX, 0); 309 310 if (rv == 0) { 311 kcf_door_arg_t *rkda = (kcf_door_arg_t *)darg.rbuf; 312 313 KCF_FRMWRK_DEBUG(2, 314 ("passed: %d\n", rkda->da_u.result.status)); 315 KCF_FRMWRK_DEBUG(2, 316 ("signature length: %d\n", rkda->da_u.result.siglen)); 317 KCF_FRMWRK_DEBUG(2, 318 ("signature: %p\n", (void*)rkda->da_u.result.signature)); 319 320 321 /* Check kcfd result and compare against module struct fields */ 322 if (((rkda->da_u.result.status != ELFSIGN_SUCCESS) && 323 (rkda->da_u.result.status != ELFSIGN_RESTRICTED)) || 324 !(rkda->da_u.result.siglen == mp->sigsize) || 325 (bcmp(rkda->da_u.result.signature, mp->sigdata, 326 mp->sigsize))) { 327 cmn_err(CE_WARN, "Module verification failed for %s.", 328 filename); 329 } else { 330 error = 0; 331 } 332 333 if (rkda->da_u.result.status == ELFSIGN_RESTRICTED) { 334 pd->pd_flags |= KCF_PROV_RESTRICTED; 335 KCF_FRMWRK_DEBUG(2, ("provider is restricted\n")); 336 } 337 338 if (rkda != kda) 339 kmem_free(rkda, darg.rsize); 340 341 } else { 342 cmn_err(CE_WARN, "Module verification door upcall failed " 343 "for %s. errno = %d", filename, rv); 344 } 345 346 kmem_free(kda, sizeof (kcf_door_arg_t) + mp->sigsize); 347 door_ki_rele(ldh); 348 349 mutex_enter(&pd->pd_lock); 350 /* change state only if the original state is unchanged */ 351 if (pd->pd_state == KCF_PROV_UNVERIFIED) { 352 if (error == 0) { 353 pd->pd_state = KCF_PROV_READY; 354 do_notify = B_TRUE; 355 } else { 356 pd->pd_state = KCF_PROV_VERIFICATION_FAILED; 357 } 358 } 359 mutex_exit(&pd->pd_lock); 360 361 if (do_notify) { 362 /* Dispatch events for this new provider */ 363 kcf_do_notify(pd, B_TRUE); 364 } 365 366 out: 367 if (modhold_done) 368 mod_release_mod(mctlp); 369 KCF_PROV_REFRELE(pd); 370 } 371 372 /* called from the CRYPTO_LOAD_DOOR ioctl */ 373 int 374 crypto_load_door(uint_t did) 375 { 376 mutex_enter(&kcf_dh_lock); 377 kcf_dh = door_ki_lookup(did); 378 mutex_exit(&kcf_dh_lock); 379 380 verify_unverified_providers(); 381 382 /* Start the timeout handler to get random numbers */ 383 if (rngtimer_started == 0) { 384 kcf_rnd_schedule_timeout(B_TRUE); 385 rngtimer_started = 1; 386 } 387 388 return (0); 389 } 390