| author | Jeremy Cline <jcline@redhat.com> | 2019-04-23 14:21:09 +0000 |
|---|---|---|
| committer | Jeremy Cline <jcline@redhat.com> | 2019-04-23 14:21:09 +0000 |
| commit | 3313b2c33243db60692efa7592f4d8500ba513a5 (patch) | |
| tree | fc464624e0b458242455fc72355e2324406cb046 /KEYS-Make-use-of-platform-keyring-for-module-signature.patch | |
| parent | 8f968e6f02434f4d0702fa562a1b364a353757c2 (diff) | |
| download | kernel-3313b2c33243db60692efa7592f4d8500ba513a5.tar.gz kernel-3313b2c33243db60692efa7592f4d8500ba513a5.tar.xz kernel-3313b2c33243db60692efa7592f4d8500ba513a5.zip | |
Check module signatures with the platform keyring (if enabled)
Upstream has made a keyring for the platform keys. The "KEYS: Allow
unrestricted boot-time addition of keys to secondary keyring" is
available upstream for the platform keyring.
The only issue is that module signatures aren't checked with the
platform keyring, so this introduces a patch to add that which has been
sent upstream. At least our carried-patch count hasn't gone up.
Diffstat (limited to 'KEYS-Make-use-of-platform-keyring-for-module-signature.patch')
-rw-r--r-- | KEYS-Make-use-of-platform-keyring-for-module-signature.patch | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch new file mode 100644 index 000000000..a13dcdba5 --- /dev/null +++ b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch 
@@ -0,0 +1,54 @@ +From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001 +From: Robert Holmes <robeholmes@gmail.com> +Date: Tue, 23 Apr 2019 07:39:29 +0000 +Subject: [PATCH] KEYS: Make use of platform keyring for module signature + verify + +This patch completes commit 278311e417be ("kexec, KEYS: Make use of +platform keyring for signature verify") which, while adding the +platform keyring for bzImage verification, neglected to also add +this keyring for module verification. + +As such, kernel modules signed with keys from the MokList variable +were not successfully verified. + +Signed-off-by: Robert Holmes <robeholmes@gmail.com> +--- + kernel/module_signing.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/kernel/module_signing.c b/kernel/module_signing.c +index 6b9a926fd86b..cf94220e9154 100644 +--- a/kernel/module_signing.c ++++ b/kernel/module_signing.c +@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) + { + struct module_signature ms; + size_t sig_len, modlen = info->len; ++ int ret; + + pr_devel("==>%s(,%zu)\n", __func__, modlen); + +@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info) + return -EBADMSG; + } + +- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_MODULE_SIGNATURE, +- NULL, NULL); ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ } ++ return ret; + } +-- +2.21.0 + |
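Review bot: in the second hunk of kernel/module_signing.c the fallback to the platform keyring is taken only when the secondary-keyring call returns -ENOKEY, so a PKCS#7 blob that the secondary keyring can bind to a key but rejects, or a malformed signature that already failed with the -EBADMSG path a few lines above, is deliberately not retried against the platform keyring; that is the right behaviour, but nothing in the code says so, so add a one-line comment above `if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))` stating that only a missing key falls through. The trust consequence also belongs in the commit message: after this change any key in the platform keyring (which the message describes as carrying MokList keys) can authorize module loading, not only keys built into the kernel or added to the secondary keyring, so the module-signing trust boundary now includes whoever can enrol a MOK key, and readers of the patch should not have to infer that. Minor: the two verify_pkcs7_signature() calls differ only in the keyring argument; a short loop over { VERIFY_USE_SECONDARY_KEYRING, VERIFY_USE_PLATFORM_KEYRING } that stops on the first result other than -ENOKEY would remove the duplicated four-line argument list and make the fallback order explicit.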