author | Jeremy Cline <jcline@redhat.com> | 2019-04-23 14:21:09 +0000 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2019-04-23 15:48:39 +0000 |
commit | 86957a079dd8ed0b3ada2069c8f3dff74adfcb6a (patch) | |
tree | 7985a9d8f477346da9ef8347c7abd545e27950a1 /kernel.spec | |
parent | 6ba41ac9d453c3371f9d6f652d9face0a1bf9fc4 (diff) | |

Check module signatures with the platform keyring (if enabled)

Upstream has made a keyring to the platform keys. The "KEYS: Allow
unrestricted boot-time addition of keys to secondary keyring" is
available upstream for the platform keyring.

The only issue is that module signatures aren't checked with the
platform keyring, so this introduces a patch to add that which has been
sent upstream. At least our carried-patch count hasn't gone up.

Diffstat (limited to 'kernel.spec')
-rw-r--r-- | kernel.spec | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/kernel.spec b/kernel.spec index 30e58a93b..2f4e38231 100644 --- a/kernel.spec +++ b/kernel.spec @@ -539,8 +539,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch Patch201: efi-lockdown.patch -Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch - # bz 1497559 - Make kernel MODSIGN code not error on missing variables Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch @@ -637,6 +635,10 @@ Patch519: nfsd-wake-waiters-blocked-on-file_lock-before-deleting-it.patch # CVE-2019-9503 rhbz 1701842 1701843 Patch520: 0001-brcmfmac-add-subtype-check-for-event-handling-in-dat.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1701096 +# Submitted upstream at https://lkml.org/lkml/2019/4/23/89 +Patch521: KEYS-Make-use-of-platform-keyring-for-module-signature.patch + # END OF PATCH DEFINITIONS %endif @@ -1910,6 +1912,9 @@ fi # # %changelog +* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com> +- Allow modules signed by keys in the platform keyring (rbhz 1701096) + * Tue Apr 23 2019 Justin M. Forbes <jforbes@fedoraproject.org> - Fix CVE-2019-9503 rhbz 1701842 1701843 |
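
Review bot: Dropping Patch202 in the first hunk (@@ -539,8 +539,6) removes the carried change that allowed boot-time keys into the secondary keyring, and the replacement only takes effect where the platform keyring is built in, as the subject's "(if enabled)" says. The diff shown is limited to kernel.spec, so it does not show whether the kernel configs enable the platform keyring. Please confirm that they do for every build that previously relied on Patch202, or state in the commit message which builds lose the behaviour.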
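
Review bot: Patch521 in the second hunk (@@ -637,6 +635,10) is filed after the CVE-2019-9503 fix in the 5xx range, while the patch it stands in for lived at Patch202 next to efi-lockdown.patch. Consider reusing the freed Patch202 slot so the keyring and lockdown patches stay together, or leave a one-line comment at the old location pointing to Patch521, so that someone auditing the signature-verification patches finds it.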
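
Review bot: The new changelog entry in the third hunk (@@ -1910,6 +1912,9) spells the bug reference "rbhz 1701096", whereas the entry directly below it and the spec comment for Patch520 use "rhbz", so a search for rhbz will miss this change. The entry also records only the added patch. Add a line noting that KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch was dropped, since that changes which keyring boot-time keys are trusted through.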