diff options
author | Laura Abbott <labbott@redhat.com> | 2019-04-23 16:24:31 -0700 |
---|---|---|
committer | Laura Abbott <labbott@redhat.com> | 2019-04-29 07:13:47 -0700 |
commit | d6d35c97991e0205d7055222426b82b7cc891bad (patch) | |
tree | 3e45fb98eaf45566e428023ce41a27f9e64973d9 | |
parent | cec20d0a29f3111dc17c0d1a0356d0946a5bf5e8 (diff) | |
download | kernel-d6d35c97991e0205d7055222426b82b7cc891bad.tar.gz kernel-d6d35c97991e0205d7055222426b82b7cc891bad.tar.xz kernel-d6d35c97991e0205d7055222426b82b7cc891bad.zip |
Add some dependent patches for the module signing fixup
-rw-r--r-- | 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch | 85 | ||||
-rw-r--r-- | 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch | 98 | ||||
-rw-r--r-- | kernel.spec | 4 |
3 files changed, 186 insertions, 1 deletions
diff --git a/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch new file mode 100644 index 000000000..816c4f0ea --- /dev/null +++ b/0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch @@ -0,0 +1,85 @@ +From 219a3e8676f3132d27b530c7d2d6bcab89536b57 Mon Sep 17 00:00:00 2001 +From: Kairui Song <kasong@redhat.com> +Date: Mon, 21 Jan 2019 17:59:28 +0800 +Subject: [PATCH] integrity, KEYS: add a reference to platform keyring + +commit 9dc92c45177a ("integrity: Define a trusted platform keyring") +introduced a .platform keyring for storing preboot keys, used for +verifying kernel image signatures. Currently only IMA-appraisal is able +to use the keyring to verify kernel images that have their signature +stored in xattr. + +This patch exposes the .platform keyring, making it accessible for +verifying PE signed kernel images as well. + +Suggested-by: Mimi Zohar <zohar@linux.ibm.com> +Signed-off-by: Kairui Song <kasong@redhat.com> +Cc: David Howells <dhowells@redhat.com> +[zohar@linux.ibm.com: fixed checkpatch errors, squashed with patch fix] +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> +--- + certs/system_keyring.c | 10 ++++++++++ + include/keys/system_keyring.h | 8 ++++++++ + security/integrity/digsig.c | 3 +++ + 3 files changed, 21 insertions(+) + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 81728717523d..da055e901df4 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -24,6 +24,9 @@ static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + static struct key *secondary_trusted_keys; + #endif ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++static struct key *platform_trusted_keys; ++#endif + + extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; +@@ -266,3 +269,10 @@ int verify_pkcs7_signature(const void *data, size_t len, + EXPORT_SYMBOL_GPL(verify_pkcs7_signature); + + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ ++ ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++void __init set_platform_trusted_keys(struct key *keyring) ++{ ++ platform_trusted_keys = keyring; ++} ++#endif +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 359c2f936004..42a93eda331c 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -61,5 +61,13 @@ static inline struct key *get_ima_blacklist_keyring(void) + } + #endif /* CONFIG_IMA_BLACKLIST_KEYRING */ + ++#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \ ++ defined(CONFIG_SYSTEM_TRUSTED_KEYRING) ++extern void __init set_platform_trusted_keys(struct key *keyring); ++#else ++static inline void set_platform_trusted_keys(struct key *keyring) ++{ ++} ++#endif + + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c +index f45d6edecf99..e19c2eb72c51 100644 +--- a/security/integrity/digsig.c ++++ b/security/integrity/digsig.c +@@ -87,6 +87,9 @@ static int __integrity_init_keyring(const unsigned int id, key_perm_t perm, + pr_info("Can't allocate %s keyring (%d)\n", + keyring_name[id], err); + keyring[id] = NULL; ++ } else { ++ if (id == INTEGRITY_KEYRING_PLATFORM) ++ set_platform_trusted_keys(keyring[id]); + } + + return err; +-- +2.20.1 + diff --git a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch new file mode 100644 index 000000000..af0d926e7 --- /dev/null +++ b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch @@ -0,0 +1,98 @@ +From 278311e417be60f7caef6fcb12bda4da2711ceff Mon Sep 17 00:00:00 2001 +From: Kairui Song <kasong@redhat.com> +Date: Mon, 21 Jan 2019 17:59:29 +0800 +Subject: [PATCH] kexec, KEYS: Make use of platform keyring for signature + verify + +This patch allows the kexec_file_load syscall to verify the PE signed +kernel image signature based on the preboot keys stored in the .platform +keyring, as fall back, if the signature verification failed due to not +finding the public key in the secondary or builtin keyrings. + +This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous +VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature +should verify the signature using platform keyring. Also, decrease +the error message log level when verification failed with -ENOKEY, +so that if called tried multiple time with different keyring it +won't generate extra noises. + +Signed-off-by: Kairui Song <kasong@redhat.com> +Cc: David Howells <dhowells@redhat.com> +Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part) +[zohar@linux.ibm.com: tweaked the first paragraph of the patch description, + and fixed checkpatch warning.] +Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> +--- + arch/x86/kernel/kexec-bzimage64.c | 14 +++++++++++--- + certs/system_keyring.c | 13 ++++++++++++- + include/linux/verification.h | 1 + + 3 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c +index 278cd07228dd..e1215a600064 100644 +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data) + #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG + static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) + { +- return verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); ++ int ret; ++ ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ } ++ return ret; + } + #endif + +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index da055e901df4..c05c29ae4d5d 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len, + #else + trusted_keys = builtin_trusted_keys; + #endif ++ } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) { ++#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING ++ trusted_keys = platform_trusted_keys; ++#else ++ trusted_keys = NULL; ++#endif ++ if (!trusted_keys) { ++ ret = -ENOKEY; ++ pr_devel("PKCS#7 platform keyring is not available\n"); ++ goto error; ++ } + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { + if (ret == -ENOKEY) +- pr_err("PKCS#7 signature not signed with a trusted key\n"); ++ pr_devel("PKCS#7 signature not signed with a trusted key\n"); + goto error; + } + +diff --git a/include/linux/verification.h b/include/linux/verification.h +index cfa4730d607a..018fb5f13d44 100644 +--- a/include/linux/verification.h ++++ b/include/linux/verification.h +@@ -17,6 +17,7 @@ + * should be used. + */ + #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) ++#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) + + /* + * The use to which an asymmetric key is being put. +-- +2.20.1 + diff --git a/kernel.spec b/kernel.spec index 053009915..b117cb82c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -619,8 +619,10 @@ Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1701096 +Patch521: 0001-integrity-KEYS-add-a-reference-to-platform-keyring.patch +Patch522: 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch # Submitted upstream at https://lkml.org/lkml/2019/4/23/89 -Patch521: KEYS-Make-use-of-platform-keyring-for-module-signature.patch +Patch523: KEYS-Make-use-of-platform-keyring-for-module-signature.patch # CVE-2019-3900 rhbz 1698757 1702940 Patch524: net-vhost_net-fix-possible-infinite-loop.patch |