diff options
Diffstat (limited to '0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch')
-rw-r--r-- | 0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch | 98 |
1 files changed, 0 insertions, 98 deletions
diff --git a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch b/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch deleted file mode 100644 index af0d926e7..000000000 --- a/0001-kexec-KEYS-Make-use-of-platform-keyring-for-signatur.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 278311e417be60f7caef6fcb12bda4da2711ceff Mon Sep 17 00:00:00 2001 -From: Kairui Song <kasong@redhat.com> -Date: Mon, 21 Jan 2019 17:59:29 +0800 -Subject: [PATCH] kexec, KEYS: Make use of platform keyring for signature - verify - -This patch allows the kexec_file_load syscall to verify the PE signed -kernel image signature based on the preboot keys stored in the .platform -keyring, as fall back, if the signature verification failed due to not -finding the public key in the secondary or builtin keyrings. - -This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous -VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature -should verify the signature using platform keyring. Also, decrease -the error message log level when verification failed with -ENOKEY, -so that if called tried multiple time with different keyring it -won't generate extra noises. - -Signed-off-by: Kairui Song <kasong@redhat.com> -Cc: David Howells <dhowells@redhat.com> -Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part) -[zohar@linux.ibm.com: tweaked the first paragraph of the patch description, - and fixed checkpatch warning.] -Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> ---- - arch/x86/kernel/kexec-bzimage64.c | 14 +++++++++++--- - certs/system_keyring.c | 13 ++++++++++++- - include/linux/verification.h | 1 + - 3 files changed, 24 insertions(+), 4 deletions(-) - -diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c -index 278cd07228dd..e1215a600064 100644 ---- a/arch/x86/kernel/kexec-bzimage64.c -+++ b/arch/x86/kernel/kexec-bzimage64.c -@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data) - #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG - static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) - { -- return verify_pefile_signature(kernel, kernel_len, -- VERIFY_USE_SECONDARY_KEYRING, -- VERIFYING_KEXEC_PE_SIGNATURE); -+ int ret; -+ -+ ret = verify_pefile_signature(kernel, kernel_len, -+ VERIFY_USE_SECONDARY_KEYRING, -+ VERIFYING_KEXEC_PE_SIGNATURE); -+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { -+ ret = verify_pefile_signature(kernel, kernel_len, -+ VERIFY_USE_PLATFORM_KEYRING, -+ VERIFYING_KEXEC_PE_SIGNATURE); -+ } -+ return ret; - } - #endif - -diff --git a/certs/system_keyring.c b/certs/system_keyring.c -index da055e901df4..c05c29ae4d5d 100644 ---- a/certs/system_keyring.c -+++ b/certs/system_keyring.c -@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len, - #else - trusted_keys = builtin_trusted_keys; - #endif -+ } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) { -+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING -+ trusted_keys = platform_trusted_keys; -+#else -+ trusted_keys = NULL; -+#endif -+ if (!trusted_keys) { -+ ret = -ENOKEY; -+ pr_devel("PKCS#7 platform keyring is not available\n"); -+ goto error; -+ } - } - ret = pkcs7_validate_trust(pkcs7, trusted_keys); - if (ret < 0) { - if (ret == -ENOKEY) -- pr_err("PKCS#7 signature not signed with a trusted key\n"); -+ pr_devel("PKCS#7 signature not signed with a trusted key\n"); - goto error; - } - -diff --git a/include/linux/verification.h b/include/linux/verification.h -index cfa4730d607a..018fb5f13d44 100644 ---- a/include/linux/verification.h -+++ b/include/linux/verification.h -@@ -17,6 +17,7 @@ - * should be used. - */ - #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) -+#define VERIFY_USE_PLATFORM_KEYRING ((struct key *)2UL) - - /* - * The use to which an asymmetric key is being put. --- -2.20.1 - |