summaryrefslogtreecommitdiffstats
path: root/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
diff options
context:
space:
mode:
Diffstat (limited to 'KEYS-Make-use-of-platform-keyring-for-module-signature.patch')
-rw-r--r--KEYS-Make-use-of-platform-keyring-for-module-signature.patch54
1 files changed, 54 insertions, 0 deletions
diff --git a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
new file mode 100644
index 000000000..a13dcdba5
--- /dev/null
+++ b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
@@ -0,0 +1,54 @@
+From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
+From: Robert Holmes <robeholmes@gmail.com>
+Date: Tue, 23 Apr 2019 07:39:29 +0000
+Subject: [PATCH] KEYS: Make use of platform keyring for module signature
+ verify
+
+This patch completes commit 278311e417be ("kexec, KEYS: Make use of
+platform keyring for signature verify") which, while adding the
+platform keyring for bzImage verification, neglected to also add
+this keyring for module verification.
+
+As such, kernel modules signed with keys from the MokList variable
+were not successfully verified.
+
+Signed-off-by: Robert Holmes <robeholmes@gmail.com>
+---
+ kernel/module_signing.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module_signing.c b/kernel/module_signing.c
+index 6b9a926fd86b..cf94220e9154 100644
+--- a/kernel/module_signing.c
++++ b/kernel/module_signing.c
+@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ {
+ struct module_signature ms;
+ size_t sig_len, modlen = info->len;
++ int ret;
+
+ pr_devel("==>%s(,%zu)\n", __func__, modlen);
+
+@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
+ return -EBADMSG;
+ }
+
+- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+- VERIFY_USE_SECONDARY_KEYRING,
+- VERIFYING_MODULE_SIGNATURE,
+- NULL, NULL);
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ VERIFY_USE_SECONDARY_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
++ VERIFY_USE_PLATFORM_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ }
++ return ret;
+ }
+--
+2.21.0
+
generated by cgit (git 2.34.1) at 2024-05-01 01:56:58 +0000