diff options
author | Jeremy Cline <jcline@redhat.com> | 2020-04-23 16:47:21 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2020-04-23 16:47:21 -0400 |
commit | d1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236 (patch) | |
tree | 842b7a6410c2572bc8c1643196f83d2e19d80e1e /0001-KEYS-Make-use-of-platform-keyring-for-module-signatu.patch | |
parent | 4f478aae8055f932b9a8fdd88d93db6b9da5709e (diff) | |
download | kernel-d1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236.tar.gz kernel-d1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236.tar.xz kernel-d1b6f8c7af0eb9a0a44b2d4723e58dde5eafa236.zip |
kernel-5.7.0-0.rc2.20200423git7adc4b399952.1
* Thu Apr 23 2020 CKI@GitLab <cki-project@redhat.com> [5.7.0-0.rc2.20200423git7adc4b399952.1]
- 7adc4b399952 rebase
- Match template format in kernel.spec.template ("Justin M. Forbes")
- Break out the Patches into individual files for dist-git ("Justin M. Forbes")
- Break the Red Hat patch into individual commits (Jeremy Cline)
- Adjust module filtering so CONFIG_DRM_DP_CEC can be set (Jeremy Cline)
- Add a script to generate release tags and branches (Jeremy Cline)
- Set CONFIG_VDPA for fedora ("Justin M. Forbes")
- Provide defaults in ark-rebase-patches.sh (Jeremy Cline)
- Default ark-rebase-patches.sh to not report issues (Jeremy Cline)
Resolves: rhbz#
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Diffstat (limited to '0001-KEYS-Make-use-of-platform-keyring-for-module-signatu.patch')
-rw-r--r-- | 0001-KEYS-Make-use-of-platform-keyring-for-module-signatu.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/0001-KEYS-Make-use-of-platform-keyring-for-module-signatu.patch b/0001-KEYS-Make-use-of-platform-keyring-for-module-signatu.patch new file mode 100644 index 000000000..928a411db --- /dev/null +++ b/0001-KEYS-Make-use-of-platform-keyring-for-module-signatu.patch @@ -0,0 +1,44 @@ +From 0e4630025e6155b15d2a1226e86b701eeb57e7f1 Mon Sep 17 00:00:00 2001 +From: Robert Holmes <robeholmes@gmail.com> +Date: Tue, 23 Apr 2019 07:39:29 +0000 +Subject: [PATCH] KEYS: Make use of platform keyring for module signature + verify + +This patch completes commit 278311e417be ("kexec, KEYS: Make use of +platform keyring for signature verify") which, while adding the +platform keyring for bzImage verification, neglected to also add +this keyring for module verification. + +As such, kernel modules signed with keys from the MokList variable +were not successfully verified. + +Signed-off-by: Robert Holmes <robeholmes@gmail.com> +Signed-off-by: Jeremy Cline <jcline@redhat.com> +--- + kernel/module_signing.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/kernel/module_signing.c b/kernel/module_signing.c +index 9d9fc678c91d..84ad75a53c83 100644 +--- a/kernel/module_signing.c ++++ b/kernel/module_signing.c +@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info) + modlen -= sig_len + sizeof(ms); + info->len = modlen; + +- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ } ++ return ret; + } +-- +2.26.0 + |