+static int
+ubc_cs_convert_to_multilevel_hash(struct cs_blob *blob)
+{
+ const CS_CodeDirectory *old_cd, *cd;
+ CS_CodeDirectory *new_cd;
+ const CS_GenericBlob *entitlements;
+ vm_offset_t new_blob_addr;
+ vm_size_t new_blob_size;
+ vm_size_t new_cdsize;
+ int error;
+
+ uint32_t hashes_per_new_hash_shift = (uint32_t)(PAGE_SHIFT - blob->csb_hash_pageshift);
+
+ if (cs_debug > 1) {
+ printf("CODE SIGNING: Attempting to convert Code Directory for %lu -> %lu page shift\n",
+ (unsigned long)blob->csb_hash_pageshift, (unsigned long)PAGE_SHIFT);
+ }
+
+ old_cd = blob->csb_cd;
+
+ /* Up to the hashes, we can copy all data */
+ new_cdsize = ntohl(old_cd->hashOffset);
+ new_cdsize += (ntohl(old_cd->nCodeSlots) >> hashes_per_new_hash_shift) * old_cd->hashSize;
+
+ error = ubc_cs_reconstitute_code_signature(blob, new_cdsize,
+ &new_blob_addr, &new_blob_size, &new_cd,
+ &entitlements);
+ if (error != 0) {
+ printf("CODE SIGNING: Failed to reconsitute code signature: %d\n", error);
+ return error;
+ }
+
+ memcpy(new_cd, old_cd, ntohl(old_cd->hashOffset));
+
+ /* Update fields in the Code Directory structure */
+ new_cd->length = htonl((uint32_t)new_cdsize);
+
+ uint32_t nCodeSlots = ntohl(new_cd->nCodeSlots);
+ nCodeSlots >>= hashes_per_new_hash_shift;
+ new_cd->nCodeSlots = htonl(nCodeSlots);
+
+ new_cd->pageSize = PAGE_SHIFT; /* Not byte-swapped */
+
+ if ((ntohl(new_cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(new_cd->scatterOffset))) {
+ SC_Scatter *scatter = (SC_Scatter*)
+ ((char *)new_cd + ntohl(new_cd->scatterOffset));
+ /* iterate all scatter structs to scale their counts */
+ do {
+ uint32_t scount = ntohl(scatter->count);
+ uint32_t sbase = ntohl(scatter->base);
+
+ /* last scatter? */
+ if (scount == 0) {
+ break;
+ }
+
+ scount >>= hashes_per_new_hash_shift;
+ scatter->count = htonl(scount);
+
+ sbase >>= hashes_per_new_hash_shift;
+ scatter->base = htonl(sbase);
+
+ scatter++;
+ } while(1);
+ }
+
+ /* For each group of hashes, hash them together */
+ const unsigned char *src_base = (const unsigned char *)old_cd + ntohl(old_cd->hashOffset);
+ unsigned char *dst_base = (unsigned char *)new_cd + ntohl(new_cd->hashOffset);
+
+ uint32_t hash_index;
+ for (hash_index = 0; hash_index < nCodeSlots; hash_index++) {
+ union cs_hash_union mdctx;
+
+ uint32_t source_hash_len = old_cd->hashSize << hashes_per_new_hash_shift;
+ const unsigned char *src = src_base + hash_index * source_hash_len;
+ unsigned char *dst = dst_base + hash_index * new_cd->hashSize;
+
+ blob->csb_hashtype->cs_init(&mdctx);
+ blob->csb_hashtype->cs_update(&mdctx, src, source_hash_len);
+ blob->csb_hashtype->cs_final(dst, &mdctx);
+ }
+
+ error = cs_validate_csblob((const uint8_t *)new_blob_addr, new_blob_size, &cd, &entitlements);
+ if (error != 0) {
+
+ printf("CODE SIGNING: Failed to validate new Code Signing Blob: %d\n",
+ error);
+
+ ubc_cs_blob_deallocate(new_blob_addr, new_blob_size);
+ return error;
+ }
+
+ /* New Code Directory is ready for use, swap it out in the blob structure */
+ ubc_cs_blob_deallocate(blob->csb_mem_kaddr, blob->csb_mem_size);
+
+ blob->csb_mem_size = new_blob_size;
+ blob->csb_mem_kaddr = new_blob_addr;
+ blob->csb_cd = cd;
+ blob->csb_entitlements_blob = entitlements;
+
+ /* The blob has some cached attributes of the Code Directory, so update those */
+
+ blob->csb_hash_firstlevel_pagesize = blob->csb_hash_pagesize; /* Save the original page size */
+
+ blob->csb_hash_pagesize = PAGE_SIZE;
+ blob->csb_hash_pagemask = PAGE_MASK;
+ blob->csb_hash_pageshift = PAGE_SHIFT;
+ blob->csb_end_offset = ntohl(cd->codeLimit);
+ if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) {
+ const SC_Scatter *scatter = (const SC_Scatter*)
+ ((const char*)cd + ntohl(cd->scatterOffset));
+ blob->csb_start_offset = ((off_t)ntohl(scatter->base)) * PAGE_SIZE;
+ } else {
+ blob->csb_start_offset = 0;
+ }
+
+ return 0;
+}
+
+/*
+ * Validate the code signature blob, create a struct cs_blob wrapper
+ * and return it together with a pointer to the chosen code directory
+ * and entitlements blob.
+ *
+ * Note that this takes ownership of the memory as addr, mainly because
+ * this function can actually replace the passed in blob with another
+ * one, e.g. when performing multilevel hashing optimization.
+ */
+int
+cs_blob_create_validated(
+ vm_address_t * const addr,
+ vm_size_t size,
+ struct cs_blob ** const ret_blob,
+ CS_CodeDirectory const ** const ret_cd)
+{
+ struct cs_blob *blob;
+ int error = EINVAL;
+ const CS_CodeDirectory *cd;
+ const CS_GenericBlob *entitlements;
+ union cs_hash_union mdctx;
+ size_t length;
+
+ if (ret_blob)
+ *ret_blob = NULL;
+
+ blob = (struct cs_blob *) kalloc(sizeof (struct cs_blob));
+ if (blob == NULL) {
+ return ENOMEM;
+ }
+
+ /* fill in the new blob */
+ blob->csb_mem_size = size;
+ blob->csb_mem_offset = 0;
+ blob->csb_mem_kaddr = *addr;
+ blob->csb_flags = 0;
+ blob->csb_signer_type = CS_SIGNER_TYPE_UNKNOWN;
+ blob->csb_platform_binary = 0;
+ blob->csb_platform_path = 0;
+ blob->csb_teamid = NULL;
+ blob->csb_entitlements_blob = NULL;
+ blob->csb_entitlements = NULL;
+ blob->csb_reconstituted = false;
+
+ /* Transfer ownership. Even on error, this function will deallocate */
+ *addr = 0;
+
+ /*
+ * Validate the blob's contents
+ */
+ length = (size_t) size;
+ error = cs_validate_csblob((const uint8_t *)blob->csb_mem_kaddr,
+ length, &cd, &entitlements);
+ if (error) {
+
+ if (cs_debug)
+ printf("CODESIGNING: csblob invalid: %d\n", error);
+ /*
+ * The vnode checker can't make the rest of this function
+ * succeed if csblob validation failed, so bail */
+ goto out;
+
+ } else {
+ const unsigned char *md_base;
+ uint8_t hash[CS_HASH_MAX_SIZE];
+ int md_size;
+
+ blob->csb_cd = cd;
+ blob->csb_entitlements_blob = entitlements; /* may be NULL, not yet validated */
+ blob->csb_hashtype = cs_find_md(cd->hashType);
+ if (blob->csb_hashtype == NULL || blob->csb_hashtype->cs_digest_size > sizeof(hash))
+ panic("validated CodeDirectory but unsupported type");
+
+ blob->csb_hash_pageshift = cd->pageSize;
+ blob->csb_hash_pagesize = (1U << cd->pageSize);
+ blob->csb_hash_pagemask = blob->csb_hash_pagesize - 1;
+ blob->csb_hash_firstlevel_pagesize = 0;
+ blob->csb_flags = (ntohl(cd->flags) & CS_ALLOWED_MACHO) | CS_VALID;
+ blob->csb_end_offset = (((vm_offset_t)ntohl(cd->codeLimit) + blob->csb_hash_pagemask) & ~((vm_offset_t)blob->csb_hash_pagemask));
+ if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) {
+ const SC_Scatter *scatter = (const SC_Scatter*)
+ ((const char*)cd + ntohl(cd->scatterOffset));
+ blob->csb_start_offset = ((off_t)ntohl(scatter->base)) * blob->csb_hash_pagesize;
+ } else {
+ blob->csb_start_offset = 0;
+ }
+ /* compute the blob's cdhash */
+ md_base = (const unsigned char *) cd;
+ md_size = ntohl(cd->length);
+
+ blob->csb_hashtype->cs_init(&mdctx);
+ blob->csb_hashtype->cs_update(&mdctx, md_base, md_size);
+ blob->csb_hashtype->cs_final(hash, &mdctx);
+
+ memcpy(blob->csb_cdhash, hash, CS_CDHASH_LEN);
+ }
+
+ error = 0;
+
+out:
+ if (error != 0) {
+ cs_blob_free(blob);
+ blob = NULL;
+ cd = NULL;
+ }
+
+ if (ret_blob != NULL) {
+ *ret_blob = blob;
+ }
+ if (ret_cd != NULL) {
+ *ret_cd = cd;
+ }
+
+ return error;
+}
+
+/*
+ * Free a cs_blob previously created by cs_blob_create_validated.
+ */
+void
+cs_blob_free(
+ struct cs_blob * const blob)
+{
+ if (blob != NULL) {
+ if (blob->csb_mem_kaddr) {
+ ubc_cs_blob_deallocate(blob->csb_mem_kaddr, blob->csb_mem_size);
+ blob->csb_mem_kaddr = 0;
+ }
+ if (blob->csb_entitlements != NULL) {
+ osobject_release(blob->csb_entitlements);
+ blob->csb_entitlements = NULL;
+ }
+ kfree(blob, sizeof (*blob));
+ }
+}
+
+int
+ubc_cs_blob_add(
+ struct vnode *vp,
+ cpu_type_t cputype,
+ off_t base_offset,
+ vm_address_t *addr,
+ vm_size_t size,
+ struct image_params *imgp,
+ __unused int flags,
+ struct cs_blob **ret_blob)
+{
+ kern_return_t kr;
+ struct ubc_info *uip;
+ struct cs_blob *blob, *oblob;
+ int error;
+ CS_CodeDirectory const *cd;
+ off_t blob_start_offset, blob_end_offset;
+ boolean_t record_mtime;
+
+ record_mtime = FALSE;
+ if (ret_blob)
+ *ret_blob = NULL;
+
+ /* Create the struct cs_blob wrapper that will be attached to the vnode.
+ * Validates the passed in blob in the process. */
+ error = cs_blob_create_validated(addr, size, &blob, &cd);
+
+ if (error != 0) {
+ printf("malform code signature blob: %d\n", error);
+ return error;
+ }
+
+ blob->csb_cpu_type = cputype;
+ blob->csb_base_offset = base_offset;
+
+ /*
+ * Let policy module check whether the blob's signature is accepted.
+ */
+#if CONFIG_MACF
+ unsigned int cs_flags = blob->csb_flags;
+ unsigned int signer_type = blob->csb_signer_type;
+ error = mac_vnode_check_signature(vp, blob, imgp, &cs_flags, &signer_type, flags);
+ blob->csb_flags = cs_flags;
+ blob->csb_signer_type = signer_type;
+
+ if (error) {
+ if (cs_debug)
+ printf("check_signature[pid: %d], error = %d\n", current_proc()->p_pid, error);
+ goto out;
+ }
+ if ((flags & MAC_VNODE_CHECK_DYLD_SIM) && !(blob->csb_flags & CS_PLATFORM_BINARY)) {
+ if (cs_debug)
+ printf("check_signature[pid: %d], is not apple signed\n", current_proc()->p_pid);
+ error = EPERM;
+ goto out;
+ }
+#endif
+
+#if CONFIG_ENFORCE_SIGNED_CODE
+ /*
+ * Reconstitute code signature
+ */
+ {
+ vm_address_t new_mem_kaddr = 0;
+ vm_size_t new_mem_size = 0;
+
+ CS_CodeDirectory *new_cd = NULL;
+ CS_GenericBlob const *new_entitlements = NULL;
+
+ error = ubc_cs_reconstitute_code_signature(blob, 0,
+ &new_mem_kaddr, &new_mem_size,
+ &new_cd, &new_entitlements);
+
+ if (error != 0) {
+ printf("failed code signature reconstitution: %d\n", error);
+ goto out;
+ }
+
+ ubc_cs_blob_deallocate(blob->csb_mem_kaddr, blob->csb_mem_size);
+
+ blob->csb_mem_kaddr = new_mem_kaddr;
+ blob->csb_mem_size = new_mem_size;
+ blob->csb_cd = new_cd;
+ blob->csb_entitlements_blob = new_entitlements;
+ blob->csb_reconstituted = true;
+ }
+
+#endif
+
+
+ if (blob->csb_flags & CS_PLATFORM_BINARY) {
+ if (cs_debug > 1)
+ printf("check_signature[pid: %d]: platform binary\n", current_proc()->p_pid);
+ blob->csb_platform_binary = 1;
+ blob->csb_platform_path = !!(blob->csb_flags & CS_PLATFORM_PATH);
+ } else {
+ blob->csb_platform_binary = 0;
+ blob->csb_platform_path = 0;
+ blob->csb_teamid = csblob_parse_teamid(blob);
+ if (cs_debug > 1) {
+ if (blob->csb_teamid)
+ printf("check_signature[pid: %d]: team-id is %s\n", current_proc()->p_pid, blob->csb_teamid);
+ else
+ printf("check_signature[pid: %d]: no team-id\n", current_proc()->p_pid);
+ }
+ }
+
+ /*
+ * Validate the blob's coverage
+ */
+ blob_start_offset = blob->csb_base_offset + blob->csb_start_offset;
+ blob_end_offset = blob->csb_base_offset + blob->csb_end_offset;
+
+ if (blob_start_offset >= blob_end_offset ||
+ blob_start_offset < 0 ||
+ blob_end_offset <= 0) {
+ /* reject empty or backwards blob */
+ error = EINVAL;
+ goto out;
+ }
+
+ if (ubc_cs_supports_multilevel_hash(blob)) {
+ error = ubc_cs_convert_to_multilevel_hash(blob);
+ if (error != 0) {
+ printf("failed multilevel hash conversion: %d\n", error);
+ goto out;
+ }
+ blob->csb_reconstituted = true;
+ }
+
+ vnode_lock(vp);
+ if (! UBCINFOEXISTS(vp)) {
+ vnode_unlock(vp);
+ error = ENOENT;
+ goto out;
+ }
+ uip = vp->v_ubcinfo;
+
+ /* check if this new blob overlaps with an existing blob */
+ for (oblob = uip->cs_blobs;
+ oblob != NULL;
+ oblob = oblob->csb_next) {
+ off_t oblob_start_offset, oblob_end_offset;
+
+ if (blob->csb_signer_type != oblob->csb_signer_type) { // signer type needs to be the same for slices
+ vnode_unlock(vp);
+ error = EALREADY;
+ goto out;
+ } else if (blob->csb_platform_binary) { //platform binary needs to be the same for app slices
+ if (!oblob->csb_platform_binary) {
+ vnode_unlock(vp);
+ error = EALREADY;
+ goto out;
+ }
+ } else if (blob->csb_teamid) { //teamid binary needs to be the same for app slices
+ if (oblob->csb_platform_binary ||
+ oblob->csb_teamid == NULL ||
+ strcmp(oblob->csb_teamid, blob->csb_teamid) != 0) {
+ vnode_unlock(vp);
+ error = EALREADY;
+ goto out;
+ }
+ } else { // non teamid binary needs to be the same for app slices
+ if (oblob->csb_platform_binary ||
+ oblob->csb_teamid != NULL) {
+ vnode_unlock(vp);
+ error = EALREADY;
+ goto out;
+ }
+ }
+
+ oblob_start_offset = (oblob->csb_base_offset +
+ oblob->csb_start_offset);
+ oblob_end_offset = (oblob->csb_base_offset +
+ oblob->csb_end_offset);
+ if (blob_start_offset >= oblob_end_offset ||
+ blob_end_offset <= oblob_start_offset) {
+ /* no conflict with this existing blob */
+ } else {
+ /* conflict ! */
+ if (blob_start_offset == oblob_start_offset &&
+ blob_end_offset == oblob_end_offset &&
+ blob->csb_mem_size == oblob->csb_mem_size &&
+ blob->csb_flags == oblob->csb_flags &&
+ (blob->csb_cpu_type == CPU_TYPE_ANY ||
+ oblob->csb_cpu_type == CPU_TYPE_ANY ||
+ blob->csb_cpu_type == oblob->csb_cpu_type) &&
+ !bcmp(blob->csb_cdhash,
+ oblob->csb_cdhash,
+ CS_CDHASH_LEN)) {
+ /*
+ * We already have this blob:
+ * we'll return success but
+ * throw away the new blob.
+ */
+ if (oblob->csb_cpu_type == CPU_TYPE_ANY) {
+ /*
+ * The old blob matches this one
+ * but doesn't have any CPU type.
+ * Update it with whatever the caller
+ * provided this time.
+ */
+ oblob->csb_cpu_type = cputype;
+ }
+
+ /* The signature is still accepted, so update the
+ * generation count. */
+ uip->cs_add_gen = cs_blob_generation_count;
+
+ vnode_unlock(vp);
+ if (ret_blob)
+ *ret_blob = oblob;
+ error = EAGAIN;
+ goto out;
+ } else {
+ /* different blob: reject the new one */
+ vnode_unlock(vp);
+ error = EALREADY;
+ goto out;
+ }
+ }
+
+ }
+
+
+ /* mark this vnode's VM object as having "signed pages" */
+ kr = memory_object_signed(uip->ui_control, TRUE);
+ if (kr != KERN_SUCCESS) {
+ vnode_unlock(vp);
+ error = ENOENT;
+ goto out;
+ }
+
+ if (uip->cs_blobs == NULL) {
+ /* loading 1st blob: record the file's current "modify time" */
+ record_mtime = TRUE;
+ }
+
+ /* set the generation count for cs_blobs */
+ uip->cs_add_gen = cs_blob_generation_count;
+
+ /*
+ * Add this blob to the list of blobs for this vnode.
+ * We always add at the front of the list and we never remove a
+ * blob from the list, so ubc_cs_get_blobs() can return whatever
+ * the top of the list was and that list will remain valid
+ * while we validate a page, even after we release the vnode's lock.
+ */
+ blob->csb_next = uip->cs_blobs;
+ uip->cs_blobs = blob;
+
+ OSAddAtomic(+1, &cs_blob_count);
+ if (cs_blob_count > cs_blob_count_peak) {
+ cs_blob_count_peak = cs_blob_count; /* XXX atomic ? */
+ }
+ OSAddAtomic((SInt32) +blob->csb_mem_size, &cs_blob_size);
+ if ((SInt32) cs_blob_size > cs_blob_size_peak) {
+ cs_blob_size_peak = (SInt32) cs_blob_size; /* XXX atomic ? */
+ }
+ if ((UInt32) blob->csb_mem_size > cs_blob_size_max) {
+ cs_blob_size_max = (UInt32) blob->csb_mem_size;
+ }
+
+ if (cs_debug > 1) {
+ proc_t p;
+ const char *name = vnode_getname_printable(vp);
+ p = current_proc();
+ printf("CODE SIGNING: proc %d(%s) "
+ "loaded %s signatures for file (%s) "
+ "range 0x%llx:0x%llx flags 0x%x\n",
+ p->p_pid, p->p_comm,
+ blob->csb_cpu_type == -1 ? "detached" : "embedded",
+ name,
+ blob->csb_base_offset + blob->csb_start_offset,
+ blob->csb_base_offset + blob->csb_end_offset,
+ blob->csb_flags);
+ vnode_putname_printable(name);
+ }
+
+ vnode_unlock(vp);
+
+ if (record_mtime) {
+ vnode_mtime(vp, &uip->cs_mtime, vfs_context_current());
+ }
+
+ if (ret_blob)
+ *ret_blob = blob;
+
+ error = 0; /* success ! */
+
+out:
+ if (error) {
+ if (cs_debug)
+ printf("check_signature[pid: %d]: error = %d\n", current_proc()->p_pid, error);
+
+ cs_blob_free(blob);
+ }
+
+ if (error == EAGAIN) {
+ /*
+ * See above: error is EAGAIN if we were asked
+ * to add an existing blob again. We cleaned the new
+ * blob and we want to return success.
+ */
+ error = 0;
+ }
+
+ return error;
+}
+
+void
+csvnode_print_debug(struct vnode *vp)
+{
+ const char *name = NULL;
+ struct ubc_info *uip;
+ struct cs_blob *blob;
+
+ name = vnode_getname_printable(vp);
+ if (name) {
+ printf("csvnode: name: %s\n", name);
+ vnode_putname_printable(name);
+ }
+
+ vnode_lock_spin(vp);
+
+ if (! UBCINFOEXISTS(vp)) {
+ blob = NULL;
+ goto out;
+ }
+
+ uip = vp->v_ubcinfo;
+ for (blob = uip->cs_blobs; blob != NULL; blob = blob->csb_next) {
+ printf("csvnode: range: %lu -> %lu flags: 0x%08x platform: %s path: %s team: %s\n",
+ (unsigned long)blob->csb_start_offset,
+ (unsigned long)blob->csb_end_offset,
+ blob->csb_flags,
+ blob->csb_platform_binary ? "yes" : "no",
+ blob->csb_platform_path ? "yes" : "no",
+ blob->csb_teamid ? blob->csb_teamid : "<NO-TEAM>");
+ }
+
+out:
+ vnode_unlock(vp);
+
+}
+
+struct cs_blob *
+ubc_cs_blob_get(
+ struct vnode *vp,
+ cpu_type_t cputype,
+ off_t offset)
+{
+ struct ubc_info *uip;
+ struct cs_blob *blob;
+ off_t offset_in_blob;
+
+ vnode_lock_spin(vp);
+
+ if (! UBCINFOEXISTS(vp)) {
+ blob = NULL;
+ goto out;
+ }
+
+ uip = vp->v_ubcinfo;
+ for (blob = uip->cs_blobs;
+ blob != NULL;
+ blob = blob->csb_next) {
+ if (cputype != -1 && blob->csb_cpu_type == cputype) {
+ break;
+ }
+ if (offset != -1) {
+ offset_in_blob = offset - blob->csb_base_offset;
+ if (offset_in_blob >= blob->csb_start_offset &&
+ offset_in_blob < blob->csb_end_offset) {
+ /* our offset is covered by this blob */
+ break;
+ }
+ }
+ }
+
+out:
+ vnode_unlock(vp);
+
+ return blob;
+}
+
+static void
+ubc_cs_free(
+ struct ubc_info *uip)
+{
+ struct cs_blob *blob, *next_blob;
+
+ for (blob = uip->cs_blobs;
+ blob != NULL;
+ blob = next_blob) {
+ next_blob = blob->csb_next;
+ OSAddAtomic(-1, &cs_blob_count);
+ OSAddAtomic((SInt32) -blob->csb_mem_size, &cs_blob_size);
+ cs_blob_free(blob);
+ }
+#if CHECK_CS_VALIDATION_BITMAP
+ ubc_cs_validation_bitmap_deallocate( uip->ui_vnode );
+#endif
+ uip->cs_blobs = NULL;
+}
+
+/* check cs blob generation on vnode
+ * returns:
+ * 0 : Success, the cs_blob attached is current
+ * ENEEDAUTH : Generation count mismatch. Needs authentication again.
+ */
+int
+ubc_cs_generation_check(
+ struct vnode *vp)
+{
+ int retval = ENEEDAUTH;
+
+ vnode_lock_spin(vp);
+
+ if (UBCINFOEXISTS(vp) && vp->v_ubcinfo->cs_add_gen == cs_blob_generation_count) {
+ retval = 0;
+ }
+
+ vnode_unlock(vp);
+ return retval;
+}
+
+int
+ubc_cs_blob_revalidate(
+ struct vnode *vp,
+ struct cs_blob *blob,
+ struct image_params *imgp,
+ int flags
+ )
+{
+ int error = 0;
+ const CS_CodeDirectory *cd = NULL;
+ const CS_GenericBlob *entitlements = NULL;
+ size_t size;
+ assert(vp != NULL);
+ assert(blob != NULL);
+
+ size = blob->csb_mem_size;
+ error = cs_validate_csblob((const uint8_t *)blob->csb_mem_kaddr,
+ size, &cd, &entitlements);
+ if (error) {
+ if (cs_debug) {
+ printf("CODESIGNING: csblob invalid: %d\n", error);
+ }
+ goto out;
+ }
+
+ unsigned int cs_flags = (ntohl(cd->flags) & CS_ALLOWED_MACHO) | CS_VALID;
+ unsigned int signer_type = CS_SIGNER_TYPE_UNKNOWN;
+
+ if (blob->csb_reconstituted) {
+ /*
+ * Code signatures that have been modified after validation
+ * cannot be revalidated inline from their in-memory blob.
+ *
+ * That's okay, though, because the only path left that relies
+ * on revalidation of existing in-memory blobs is the legacy
+ * detached signature database path, which only exists on macOS,
+ * which does not do reconstitution of any kind.
+ */
+ if (cs_debug) {
+ printf("CODESIGNING: revalidate: not inline revalidating reconstituted signature.\n");
+ }
+
+ /*
+ * EAGAIN tells the caller that they may reread the code
+ * signature and try attaching it again, which is the same
+ * thing they would do if there was no cs_blob yet in the
+ * first place.
+ *
+ * Conveniently, after ubc_cs_blob_add did a successful
+ * validation, it will detect that a matching cs_blob (cdhash,
+ * offset, arch etc.) already exists, and return success
+ * without re-adding a cs_blob to the vnode.
+ */
+ return EAGAIN;
+ }
+
+ /* callout to mac_vnode_check_signature */
+#if CONFIG_MACF
+ error = mac_vnode_check_signature(vp, blob, imgp, &cs_flags, &signer_type, flags);
+ if (cs_debug && error) {
+ printf("revalidate: check_signature[pid: %d], error = %d\n", current_proc()->p_pid, error);
+ }
+#else
+ (void)flags;
+ (void)signer_type;
+#endif
+
+ /* update generation number if success */
+ vnode_lock_spin(vp);
+ blob->csb_flags = cs_flags;
+ blob->csb_signer_type = signer_type;
+ if (UBCINFOEXISTS(vp)) {
+ if (error == 0)
+ vp->v_ubcinfo->cs_add_gen = cs_blob_generation_count;
+ else
+ vp->v_ubcinfo->cs_add_gen = 0;
+ }
+
+ vnode_unlock(vp);
+
+out:
+ return error;
+}
+
+void
+cs_blob_reset_cache()
+{
+ /* incrementing odd no by 2 makes sure '0' is never reached. */
+ OSAddAtomic(+2, &cs_blob_generation_count);
+ printf("Reseting cs_blob cache from all vnodes. \n");
+}
+
+struct cs_blob *
+ubc_get_cs_blobs(
+ struct vnode *vp)
+{
+ struct ubc_info *uip;
+ struct cs_blob *blobs;
+
+ /*
+ * No need to take the vnode lock here. The caller must be holding
+ * a reference on the vnode (via a VM mapping or open file descriptor),
+ * so the vnode will not go away. The ubc_info stays until the vnode
+ * goes away. And we only modify "blobs" by adding to the head of the
+ * list.
+ * The ubc_info could go away entirely if the vnode gets reclaimed as
+ * part of a forced unmount. In the case of a code-signature validation
+ * during a page fault, the "paging_in_progress" reference on the VM
+ * object guarantess that the vnode pager (and the ubc_info) won't go
+ * away during the fault.
+ * Other callers need to protect against vnode reclaim by holding the
+ * vnode lock, for example.
+ */
+
+ if (! UBCINFOEXISTS(vp)) {
+ blobs = NULL;
+ goto out;
+ }
+
+ uip = vp->v_ubcinfo;
+ blobs = uip->cs_blobs;
+
+out:
+ return blobs;
+}
+
+void
+ubc_get_cs_mtime(
+ struct vnode *vp,
+ struct timespec *cs_mtime)
+{
+ struct ubc_info *uip;
+
+ if (! UBCINFOEXISTS(vp)) {
+ cs_mtime->tv_sec = 0;
+ cs_mtime->tv_nsec = 0;
+ return;
+ }
+
+ uip = vp->v_ubcinfo;
+ cs_mtime->tv_sec = uip->cs_mtime.tv_sec;
+ cs_mtime->tv_nsec = uip->cs_mtime.tv_nsec;
+}
+
+unsigned long cs_validate_page_no_hash = 0;
+unsigned long cs_validate_page_bad_hash = 0;
+static boolean_t
+cs_validate_hash(
+ struct cs_blob *blobs,
+ memory_object_t pager,
+ memory_object_offset_t page_offset,
+ const void *data,
+ vm_size_t *bytes_processed,
+ unsigned *tainted)
+{
+ union cs_hash_union mdctx;
+ struct cs_hash const *hashtype = NULL;
+ unsigned char actual_hash[CS_HASH_MAX_SIZE];
+ unsigned char expected_hash[CS_HASH_MAX_SIZE];
+ boolean_t found_hash;
+ struct cs_blob *blob;
+ const CS_CodeDirectory *cd;
+ const unsigned char *hash;
+ boolean_t validated;
+ off_t offset; /* page offset in the file */
+ size_t size;
+ off_t codeLimit = 0;
+ const char *lower_bound, *upper_bound;
+ vm_offset_t kaddr, blob_addr;
+
+ /* retrieve the expected hash */
+ found_hash = FALSE;
+
+ for (blob = blobs;
+ blob != NULL;
+ blob = blob->csb_next) {
+ offset = page_offset - blob->csb_base_offset;
+ if (offset < blob->csb_start_offset ||
+ offset >= blob->csb_end_offset) {
+ /* our page is not covered by this blob */
+ continue;
+ }
+
+ /* blob data has been released */
+ kaddr = blob->csb_mem_kaddr;
+ if (kaddr == 0) {
+ continue;
+ }
+
+ blob_addr = kaddr + blob->csb_mem_offset;
+ lower_bound = CAST_DOWN(char *, blob_addr);
+ upper_bound = lower_bound + blob->csb_mem_size;
+
+ cd = blob->csb_cd;
+ if (cd != NULL) {
+ /* all CD's that have been injected is already validated */
+
+ hashtype = blob->csb_hashtype;
+ if (hashtype == NULL)
+ panic("unknown hash type ?");
+ if (hashtype->cs_digest_size > sizeof(actual_hash))
+ panic("hash size too large");
+ if (offset & blob->csb_hash_pagemask)
+ panic("offset not aligned to cshash boundary");
+
+ codeLimit = ntohl(cd->codeLimit);
+
+ hash = hashes(cd, (uint32_t)(offset>>blob->csb_hash_pageshift),
+ hashtype->cs_size,
+ lower_bound, upper_bound);
+ if (hash != NULL) {
+ bcopy(hash, expected_hash, hashtype->cs_size);
+ found_hash = TRUE;
+ }
+
+ break;
+ }
+ }
+
+ if (found_hash == FALSE) {
+ /*
+ * We can't verify this page because there is no signature
+ * for it (yet). It's possible that this part of the object
+ * is not signed, or that signatures for that part have not
+ * been loaded yet.
+ * Report that the page has not been validated and let the
+ * caller decide if it wants to accept it or not.
+ */
+ cs_validate_page_no_hash++;
+ if (cs_debug > 1) {
+ printf("CODE SIGNING: cs_validate_page: "
+ "mobj %p off 0x%llx: no hash to validate !?\n",
+ pager, page_offset);
+ }
+ validated = FALSE;
+ *tainted = 0;
+ } else {
+
+ *tainted = 0;
+
+ size = blob->csb_hash_pagesize;
+ *bytes_processed = size;
+
+ const uint32_t *asha1, *esha1;
+ if ((off_t)(offset + size) > codeLimit) {
+ /* partial page at end of segment */
+ assert(offset < codeLimit);
+ size = (size_t) (codeLimit & blob->csb_hash_pagemask);
+ *tainted |= CS_VALIDATE_NX;
+ }
+
+ hashtype->cs_init(&mdctx);
+
+ if (blob->csb_hash_firstlevel_pagesize) {
+ const unsigned char *partial_data = (const unsigned char *)data;
+ size_t i;
+ for (i=0; i < size;) {
+ union cs_hash_union partialctx;
+ unsigned char partial_digest[CS_HASH_MAX_SIZE];
+ size_t partial_size = MIN(size-i, blob->csb_hash_firstlevel_pagesize);
+
+ hashtype->cs_init(&partialctx);
+ hashtype->cs_update(&partialctx, partial_data, partial_size);
+ hashtype->cs_final(partial_digest, &partialctx);
+
+ /* Update cumulative multi-level hash */
+ hashtype->cs_update(&mdctx, partial_digest, hashtype->cs_size);
+ partial_data = partial_data + partial_size;
+ i += partial_size;
+ }
+ } else {
+ hashtype->cs_update(&mdctx, data, size);
+ }
+ hashtype->cs_final(actual_hash, &mdctx);
+
+ asha1 = (const uint32_t *) actual_hash;
+ esha1 = (const uint32_t *) expected_hash;
+
+ if (bcmp(expected_hash, actual_hash, hashtype->cs_size) != 0) {
+ if (cs_debug) {
+ printf("CODE SIGNING: cs_validate_page: "
+ "mobj %p off 0x%llx size 0x%lx: "
+ "actual [0x%x 0x%x 0x%x 0x%x 0x%x] != "
+ "expected [0x%x 0x%x 0x%x 0x%x 0x%x]\n",
+ pager, page_offset, size,
+ asha1[0], asha1[1], asha1[2],
+ asha1[3], asha1[4],
+ esha1[0], esha1[1], esha1[2],
+ esha1[3], esha1[4]);
+ }
+ cs_validate_page_bad_hash++;
+ *tainted |= CS_VALIDATE_TAINTED;
+ } else {
+ if (cs_debug > 10) {
+ printf("CODE SIGNING: cs_validate_page: "
+ "mobj %p off 0x%llx size 0x%lx: "
+ "SHA1 OK\n",
+ pager, page_offset, size);
+ }
+ }
+ validated = TRUE;
+ }
+
+ return validated;
+}
+
+boolean_t
+cs_validate_range(
+ struct vnode *vp,
+ memory_object_t pager,
+ memory_object_offset_t page_offset,
+ const void *data,
+ vm_size_t dsize,
+ unsigned *tainted)
+{
+ vm_size_t offset_in_range;
+ boolean_t all_subranges_validated = TRUE; /* turn false if any subrange fails */
+
+ struct cs_blob *blobs = ubc_get_cs_blobs(vp);
+
+ *tainted = 0;
+
+ for (offset_in_range = 0;
+ offset_in_range < dsize;
+ /* offset_in_range updated based on bytes processed */) {
+ unsigned subrange_tainted = 0;
+ boolean_t subrange_validated;
+ vm_size_t bytes_processed = 0;
+
+ subrange_validated = cs_validate_hash(blobs,
+ pager,
+ page_offset + offset_in_range,
+ (const void *)((const char *)data + offset_in_range),
+ &bytes_processed,
+ &subrange_tainted);
+
+ *tainted |= subrange_tainted;
+
+ if (bytes_processed == 0) {
+ /* Cannote make forward progress, so return an error */
+ all_subranges_validated = FALSE;
+ break;
+ } else if (subrange_validated == FALSE) {
+ all_subranges_validated = FALSE;
+ /* Keep going to detect other types of failures in subranges */
+ }
+
+ offset_in_range += bytes_processed;
+ }
+
+ return all_subranges_validated;
+}
+
+int
+ubc_cs_getcdhash(
+ vnode_t vp,
+ off_t offset,
+ unsigned char *cdhash)
+{
+ struct cs_blob *blobs, *blob;
+ off_t rel_offset;
+ int ret;
+
+ vnode_lock(vp);
+
+ blobs = ubc_get_cs_blobs(vp);
+ for (blob = blobs;
+ blob != NULL;
+ blob = blob->csb_next) {
+ /* compute offset relative to this blob */
+ rel_offset = offset - blob->csb_base_offset;
+ if (rel_offset >= blob->csb_start_offset &&
+ rel_offset < blob->csb_end_offset) {
+ /* this blob does cover our "offset" ! */
+ break;
+ }
+ }
+
+ if (blob == NULL) {
+ /* we didn't find a blob covering "offset" */
+ ret = EBADEXEC; /* XXX any better error ? */
+ } else {
+ /* get the SHA1 hash of that blob */
+ bcopy(blob->csb_cdhash, cdhash, sizeof (blob->csb_cdhash));
+ ret = 0;
+ }
+
+ vnode_unlock(vp);
+
+ return ret;
+}
+
+boolean_t
+ubc_cs_is_range_codesigned(
+ vnode_t vp,
+ mach_vm_offset_t start,
+ mach_vm_size_t size)
+{
+ struct cs_blob *csblob;
+ mach_vm_offset_t blob_start;
+ mach_vm_offset_t blob_end;
+
+ if (vp == NULL) {
+ /* no file: no code signature */
+ return FALSE;
+ }
+ if (size == 0) {
+ /* no range: no code signature */
+ return FALSE;
+ }
+ if (start + size < start) {
+ /* overflow */
+ return FALSE;
+ }
+
+ csblob = ubc_cs_blob_get(vp, -1, start);
+ if (csblob == NULL) {
+ return FALSE;
+ }
+
+ /*
+ * We currently check if the range is covered by a single blob,
+ * which should always be the case for the dyld shared cache.
+ * If we ever want to make this routine handle other cases, we
+ * would have to iterate if the blob does not cover the full range.
+ */
+ blob_start = (mach_vm_offset_t) (csblob->csb_base_offset +
+ csblob->csb_start_offset);
+ blob_end = (mach_vm_offset_t) (csblob->csb_base_offset +
+ csblob->csb_end_offset);
+ if (blob_start > start || blob_end < (start + size)) {
+ /* range not fully covered by this code-signing blob */
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+#if CHECK_CS_VALIDATION_BITMAP
+#define stob(s) (((atop_64(round_page_64(s))) + 07) >> 3)
+extern boolean_t root_fs_upgrade_try;
+
+/*
+ * Should we use the code-sign bitmap to avoid repeated code-sign validation?
+ * Depends:
+ * a) Is the target vnode on the root filesystem?
+ * b) Has someone tried to mount the root filesystem read-write?
+ * If answers are (a) yes AND (b) no, then we can use the bitmap.
+ */
+#define USE_CODE_SIGN_BITMAP(vp) ( (vp != NULL) && (vp->v_mount != NULL) && (vp->v_mount->mnt_flag & MNT_ROOTFS) && !root_fs_upgrade_try)
+kern_return_t
+ubc_cs_validation_bitmap_allocate(
+ vnode_t vp)
+{
+ kern_return_t kr = KERN_SUCCESS;
+ struct ubc_info *uip;
+ char *target_bitmap;
+ vm_object_size_t bitmap_size;
+
+ if ( ! USE_CODE_SIGN_BITMAP(vp) || (! UBCINFOEXISTS(vp))) {
+ kr = KERN_INVALID_ARGUMENT;
+ } else {
+ uip = vp->v_ubcinfo;
+
+ if ( uip->cs_valid_bitmap == NULL ) {
+ bitmap_size = stob(uip->ui_size);
+ target_bitmap = (char*) kalloc( (vm_size_t)bitmap_size );
+ if (target_bitmap == 0) {
+ kr = KERN_NO_SPACE;
+ } else {
+ kr = KERN_SUCCESS;
+ }
+ if( kr == KERN_SUCCESS ) {
+ memset( target_bitmap, 0, (size_t)bitmap_size);
+ uip->cs_valid_bitmap = (void*)target_bitmap;
+ uip->cs_valid_bitmap_size = bitmap_size;
+ }
+ }
+ }
+ return kr;
+}
+
+kern_return_t
+ubc_cs_check_validation_bitmap (
+ vnode_t vp,
+ memory_object_offset_t offset,
+ int optype)
+{
+ kern_return_t kr = KERN_SUCCESS;
+
+ if ( ! USE_CODE_SIGN_BITMAP(vp) || ! UBCINFOEXISTS(vp)) {
+ kr = KERN_INVALID_ARGUMENT;
+ } else {
+ struct ubc_info *uip = vp->v_ubcinfo;
+ char *target_bitmap = uip->cs_valid_bitmap;
+
+ if ( target_bitmap == NULL ) {
+ kr = KERN_INVALID_ARGUMENT;
+ } else {
+ uint64_t bit, byte;
+ bit = atop_64( offset );
+ byte = bit >> 3;
+
+ if ( byte > uip->cs_valid_bitmap_size ) {
+ kr = KERN_INVALID_ARGUMENT;
+ } else {
+
+ if (optype == CS_BITMAP_SET) {
+ target_bitmap[byte] |= (1 << (bit & 07));
+ kr = KERN_SUCCESS;
+ } else if (optype == CS_BITMAP_CLEAR) {
+ target_bitmap[byte] &= ~(1 << (bit & 07));
+ kr = KERN_SUCCESS;
+ } else if (optype == CS_BITMAP_CHECK) {
+ if ( target_bitmap[byte] & (1 << (bit & 07))) {
+ kr = KERN_SUCCESS;
+ } else {
+ kr = KERN_FAILURE;
+ }
+ }
+ }
+ }
+ }
+ return kr;
+}
+
+void
+ubc_cs_validation_bitmap_deallocate(
+ vnode_t vp)
+{
+ struct ubc_info *uip;
+ void *target_bitmap;
+ vm_object_size_t bitmap_size;
+
+ if ( UBCINFOEXISTS(vp)) {
+ uip = vp->v_ubcinfo;
+
+ if ( (target_bitmap = uip->cs_valid_bitmap) != NULL ) {
+ bitmap_size = uip->cs_valid_bitmap_size;
+ kfree( target_bitmap, (vm_size_t) bitmap_size );
+ uip->cs_valid_bitmap = NULL;
+ }
+ }
+}
+#else
+kern_return_t ubc_cs_validation_bitmap_allocate(__unused vnode_t vp){
+ return KERN_INVALID_ARGUMENT;
+}
+
+kern_return_t ubc_cs_check_validation_bitmap(
+ __unused struct vnode *vp,
+ __unused memory_object_offset_t offset,
+ __unused int optype){
+
+ return KERN_INVALID_ARGUMENT;
+}
+
+void ubc_cs_validation_bitmap_deallocate(__unused vnode_t vp){
+ return;
+}
+#endif /* CHECK_CS_VALIDATION_BITMAP */
+
+#if PMAP_CS
+kern_return_t
+cs_associate_blob_with_mapping(
+ void *pmap,
+ vm_map_offset_t start,
+ vm_map_size_t size,
+ vm_object_offset_t offset,
+ void *blobs_p)
+{
+ off_t blob_start_offset, blob_end_offset;
+ kern_return_t kr;
+ struct cs_blob *blobs, *blob;
+ vm_offset_t kaddr;
+ struct pmap_cs_code_directory *cd_entry = NULL;
+
+ if (!pmap_cs) {
+ return KERN_NOT_SUPPORTED;
+ }
+
+ blobs = (struct cs_blob *)blobs_p;
+
+ for (blob = blobs;
+ blob != NULL;
+ blob = blob->csb_next) {
+ blob_start_offset = (blob->csb_base_offset +
+ blob->csb_start_offset);
+ blob_end_offset = (blob->csb_base_offset +
+ blob->csb_end_offset);
+ if ((off_t) offset < blob_start_offset ||
+ (off_t) offset >= blob_end_offset ||
+ (off_t) (offset + size) <= blob_start_offset ||
+ (off_t) (offset + size) > blob_end_offset) {
+ continue;
+ }
+ kaddr = blob->csb_mem_kaddr;
+ if (kaddr == 0) {
+ /* blob data has been released */
+ continue;
+ }
+ cd_entry = blob->csb_pmap_cs_entry;
+ if (cd_entry == NULL) {
+ continue;
+ }
+
+ break;
+ }
+
+ if (cd_entry != NULL) {
+ kr = pmap_cs_associate(pmap,
+ cd_entry,
+ start,
+ size);
+ } else {
+ kr = KERN_CODESIGN_ERROR;
+ }
+#if 00
+ printf("FBDP %d[%s] pmap_cs_associate(%p,%p,0x%llx,0x%llx) -> kr=0x%x\n", proc_selfpid(), &(current_proc()->p_comm[0]), pmap, cd_entry, (uint64_t)start, (uint64_t)size, kr);
+ kr = KERN_SUCCESS;
+#endif
+ return kr;
+}
+#endif /* PMAP_CS */