Add some dependent patches for the module signing fixup

3 files changed, 186 insertions, 1 deletions

diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
new file mode 100644
index 000000000..816c4f0ea
--- /dev/null
+++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
@@ -0,0 +1,85 @@
+From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Mon, 21 Jan 2019 17:59:28 +0800
+Subject: [PATCH] integrity, KEYS: add a reference to platform keyring
+
+commit 9dc92c45177a ("integrity: Define a trusted platform keyring")
+introduced a .platform keyring for storing preboot keys, used for
+verifying kernel image signatures. Currently only IMA-appraisal is able
+to use the keyring to verify kernel images that have their signature
+stored in xattr.
+
+This patch exposes the .platform keyring, making it accessible for
+verifying PE signed kernel images as well.
+
+Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+---
+ certs/system_keyring.c        | 10 ++++++++++
+ include/keys/system_keyring.h |  8 ++++++++
+ security/integrity/digsig.c   |  3 +++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 81728717523d..da055e901df4 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+ static struct key *secondary_trusted_keys;
+ #endif
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++static struct key *platform_trusted_keys;
++#endif
+ 
+ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
+ 
+ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
++
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++void __init set_platform_trusted_keys(struct key *keyring)
++{
++	platform_trusted_keys = keyring;
++}
++#endif
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 359c2f936004..42a93eda331c 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void)
+ }
+ #endif /* CONFIG_IMA_BLACKLIST_KEYRING */
+ 
++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
++	defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
++extern void __init set_platform_trusted_keys(struct key *keyring);
++#else
++static inline void set_platform_trusted_keys(struct key *keyring)
++{
++}
++#endif
+ 
+ #endif /* _KEYS_SYSTEM_KEYRING_H */
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index f45d6edecf99..e19c2eb72c51 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm,
+ 		pr_info("Can't allocate %s keyring (%d)\n",
+ 			keyring_name[id], err);
+ 		keyring[id] = NULL;
++	} else {
++		if (id == INTEGRITY_KEYRING_PLATFORM)
++			set_platform_trusted_keys(keyring[id]);
+ 	}
+ 
+ 	return err;
+-- 
+2.20.1
+
diff --git a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
new file mode 100644
index 000000000..af0d926e7
--- /dev/null
+++ b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
@@ -0,0 +1,98 @@
+From 278311e417be60f7caef6fcb12bda4da2711ceff Mon Sep 17 00:00:00 2001
+From: Kairui Song <kasong@redhat.com>
+Date: Mon, 21 Jan 2019 17:59:29 +0800
+Subject: [PATCH] kexec, KEYS: Make use of platform keyring for signature
+ verify
+
+This patch allows the kexec_file_load syscall to verify the PE signed
+kernel image signature based on the preboot keys stored in the .platform
+keyring, as fall back, if the signature verification failed due to not
+finding the public key in the secondary or builtin keyrings.
+
+This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
+VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
+should verify the signature using platform keyring.  Also, decrease
+the error message log level when verification failed with -ENOKEY,
+so that if called tried multiple time with different keyring it
+won't generate extra noises.
+
+Signed-off-by: Kairui Song <kasong@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part)
+[zohar@linux.ibm.com: tweaked the first paragraph of the patch description,
+ and fixed checkpatch warning.]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 14 +++++++++++---
+ certs/system_keyring.c            | 13 ++++++++++++-
+ include/linux/verification.h      |  1 +
+ 3 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
+index 278cd07228dd..e1215a600064 100644
+--- a/arch/x86/kernel/kexec-bzimage64.c
++++ b/arch/x86/kernel/kexec-bzimage64.c
+@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data)
+ #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+ {
+-	return verify_pefile_signature(kernel, kernel_len,
+-				       VERIFY_USE_SECONDARY_KEYRING,
+-				       VERIFYING_KEXEC_PE_SIGNATURE);
++	int ret;
++
++	ret = verify_pefile_signature(kernel, kernel_len,
++				      VERIFY_USE_SECONDARY_KEYRING,
++				      VERIFYING_KEXEC_PE_SIGNATURE);
++	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++		ret = verify_pefile_signature(kernel, kernel_len,
++					      VERIFY_USE_PLATFORM_KEYRING,
++					      VERIFYING_KEXEC_PE_SIGNATURE);
++	}
++	return ret;
+ }
+ #endif
+ 
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index da055e901df4..c05c29ae4d5d 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len,
+ #else
+ 		trusted_keys = builtin_trusted_keys;
+ #endif
++	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
++		trusted_keys = platform_trusted_keys;
++#else
++		trusted_keys = NULL;
++#endif
++		if (!trusted_keys) {
++			ret = -ENOKEY;
++			pr_devel("PKCS#7 platform keyring is not available\n");
++			goto error;
++		}
+ 	}
+ 	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+ 	if (ret < 0) {
+ 		if (ret == -ENOKEY)
+-			pr_err("PKCS#7 signature not signed with a trusted key\n");
++			pr_devel("PKCS#7 signature not signed with a trusted key\n");
+ 		goto error;
+ 	}
+ 
+diff --git a/include/linux/verification.h b/include/linux/verification.h
+index cfa4730d607a..018fb5f13d44 100644
+--- a/include/linux/verification.h
++++ b/include/linux/verification.h
+@@ -17,6 +17,7 @@
+  * should be used.
+  */
+ #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
++#define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
+ 
+ /*
+  * The use to which an asymmetric key is being put.
+-- 
+2.20.1
+
diff --git a/kernel.spec b/kernel.spec
index 053009915..b117cb82c 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -619,8 +619,10 @@ Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch
 Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1701096
+Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch
+Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
-Patch521: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+Patch523: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
 
 # CVE-2019-3900 rhbz 1698757 1702940
 Patch524: net-vhost_net-fix-possible-infinite-loop.patch