From patchwork Tue Feb 15 19:39:38 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michal Suchanek <msuchanek@suse.de>
X-Patchwork-Id: 12747568
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id E05C5C433F5
	for <linux-arm-kernel@archiver.kernel.org>;
 Tue, 15 Feb 2022 19:41:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:
	Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=vOMBoWdPiNyGaTRKEM2RFWXJcuyWeI2Eag6SwTi6lHs=; b=CWGidFcI4UpmFn
	5nGUXH9CfBDa8krRGVd4Tc6e3ww2HUsyn5/4lRK9sJEARSVMnxC2jwjOYBGbrqQAu7nSfTB9kuylU
	Ls7yXC6/ATnfNs1ZwwPDc4mWa6+Z6t/sVpCpTx31eM82+1f0I6kMVv5/IJ56vAIOi21zRN+fMqbu9
	+RcH8T7g/JRrsznuW8SbsBvvwgtoWdITSYeePkIJ/XXENxuJzVSLLmOzDKoxdXfjSVtyBLdTJfEql
	/Rid23se0d1ycd9NK19YTKrUeaaz323b/EahzeLtIHrUuPlu3zIJNr94wmJmS+lOCgfsTXTzSWg2e
	cvAaCvu+ktsNiY4QXbBQ==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1nK3ge-004MGc-BI; Tue, 15 Feb 2022 19:40:32 +0000
Received: from smtp-out1.suse.de ([195.135.220.28])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1nK3gO-004MBS-4B; Tue, 15 Feb 2022 19:40:17 +0000
Received: from relay2.suse.de (relay2.suse.de [149.44.160.134])
 by smtp-out1.suse.de (Postfix) with ESMTP id 204E42112A;
 Tue, 15 Feb 2022 19:40:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_rsa;
 t=1644954014;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=/Xag/tiYIWZjYv+wxtYhQ+mbygAAZdHDwq6nPQfuZzo=;
 b=Fjdwzsuxb9ZxQn/KzDhNEM1i3t8Jg1CLxu4AXw4xy8OCPM6Z5b7DevDOj5kfhMEGo+vRUD
 zjmIIjGVbOvcRnkjy1Mk5+oEZocOyZBi/e5u5l2CFNssckXTQOWkRfq5S13zn6LSQZnh6h
 NZU/J/MyJFptCBTVmv3F+NK+9ccFgvg=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_ed25519; t=1644954014;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=/Xag/tiYIWZjYv+wxtYhQ+mbygAAZdHDwq6nPQfuZzo=;
 b=f86nJeBFiwa8nt/hv1OO6lAbHJRRZ7eOgXRZxhJhheKW1mRwObnmFtHwvqdvv9Uj/2QAF8
 dSFa6e5gxSq2ZCCQ==
Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127])
 by relay2.suse.de (Postfix) with ESMTP id DD1BDA3B81;
 Tue, 15 Feb 2022 19:40:13 +0000 (UTC)
From: Michal Suchanek <msuchanek@suse.de>
To: 
Cc: Michal Suchanek <msuchanek@suse.de>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>,
 Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>,
 Alexander Gordeev <agordeev@linux.ibm.com>,
 Christian Borntraeger <borntraeger@linux.ibm.com>,
 Sven Schnelle <svens@linux.ibm.com>, Philipp Rudo <prudo@redhat.com>,
 Baoquan He <bhe@redhat.com>, Alexander Egorenkov <egorenar@linux.ibm.com>,
 AKASHI Takahiro <takahiro.akashi@linaro.org>,
 James Morse <james.morse@arm.com>, Dave Young <dyoung@redhat.com>,
 Mimi Zohar <zohar@linux.ibm.com>, Kairui Song <kasong@redhat.com>,
 Martin Schwidefsky <schwidefsky@de.ibm.com>,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-s390@vger.kernel.org, kexec@lists.infradead.org,
 keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
 stable@kernel.org
Subject: [PATCH 1/4] Fix arm64 kexec forbidding kernels signed with keys in
 the secondary keyring to boot
Date: Tue, 15 Feb 2022 20:39:38 +0100
Message-Id: 
 <83b3583f35c50c609739a8d857d14e8410293373.1644953683.git.msuchanek@suse.de>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1644953683.git.msuchanek@suse.de>
References: <cover.1644953683.git.msuchanek@suse.de>
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220215_114016_381380_68032738 
X-CRM114-Status: UNSURE (   9.90  )
X-CRM114-Notice: Please train this message.
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

commit d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Cherry-picked from
commit ea93102f3224 ("Fix kexec forbidding kernels signed with keys in the secondary keyring to boot")

Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Acked-by: Baoquan He <bhe@redhat.com>
---
 arch/arm64/kernel/kexec_image.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..1fbf2ee7c005 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -133,7 +133,8 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
+	return verify_pefile_signature(kernel, kernel_len,
+				       VERIFY_USE_SECONDARY_KEYRING,
 				       VERIFYING_KEXEC_PE_SIGNATURE);
 }
 #endif

From patchwork Tue Feb 15 19:39:39 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michal Suchanek <msuchanek@suse.de>
X-Patchwork-Id: 12747569
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 6550CC433EF
	for <linux-arm-kernel@archiver.kernel.org>;
 Tue, 15 Feb 2022 19:42:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:
	Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=WlkuMF+AUTTLNLYMZnJ7En977ZW5seFI0ElRHNvSDiI=; b=RCdOkPBPNULnQK
	MS4HyN8iOtMPfdFb0L6G9WR/LKNh8iwDBW2Ux9Gm1R8fbQHCBru/KF69gfbX/gMKnZTWbOdOv6Tfo
	cr1jV0MbNuzrdHZTejto/S1agaHgH1G/of6h9YVYkmcM5gqoYms7mYRRWK/g10MsGAtOmRQ64+BPr
	Uafu1i4m4ri9tKmEcU6yafZbLyrin+KwdAOgyGFCdNEaSwr6Bh1kDP8+WYEVhkHnjKqayoYdgM6T+
	Zq+lcsD65j0el0XhG0c+xvrxtCbGJczDDprTsV4LLN8L2MJ3ebwFsonzcw17hND6MzL5uRo17qsF9
	PV1SJfSISvqlxXnesROA==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1nK3gy-004MN3-94; Tue, 15 Feb 2022 19:40:52 +0000
Received: from smtp-out2.suse.de ([195.135.220.29])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1nK3gP-004MCN-Uq; Tue, 15 Feb 2022 19:40:19 +0000
Received: from relay2.suse.de (relay2.suse.de [149.44.160.134])
 by smtp-out2.suse.de (Postfix) with ESMTP id B09F61F39A;
 Tue, 15 Feb 2022 19:40:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_rsa;
 t=1644954016;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=DGUOnL4eb1J1D0pFPnIDYxSa1sO10AgM2xSKYQcLTEE=;
 b=cJW1P+L/QmgeUUEz9Y1zUVPpfhejzLydDhiK0Cc6eEsg6uQXBZKz40P+/8Q9YXX9k8rlKl
 b625pXH+7QEP3FIWByvk6RX88OrNb8fb/aWIQwc83tugiYUwfnswwsUP7m1XjmUP8CAYH7
 rvEAZyB/vHMtreosWGpWVajiTQU8Wfg=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_ed25519; t=1644954016;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=DGUOnL4eb1J1D0pFPnIDYxSa1sO10AgM2xSKYQcLTEE=;
 b=35x2kEA8v1pCAlROHWtUCn3jRUAIkHXiQlViAb1mQH9R9pLnO9oXX85jcsbsf9lrd58AKJ
 95W7LBx68H5TqZAQ==
Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127])
 by relay2.suse.de (Postfix) with ESMTP id 7D68DA3B83;
 Tue, 15 Feb 2022 19:40:16 +0000 (UTC)
From: Michal Suchanek <msuchanek@suse.de>
To: 
Cc: Michal Suchanek <msuchanek@suse.de>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>,
 Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>,
 Alexander Gordeev <agordeev@linux.ibm.com>,
 Christian Borntraeger <borntraeger@linux.ibm.com>,
 Sven Schnelle <svens@linux.ibm.com>, Philipp Rudo <prudo@redhat.com>,
 Baoquan He <bhe@redhat.com>, Alexander Egorenkov <egorenar@linux.ibm.com>,
 AKASHI Takahiro <takahiro.akashi@linaro.org>,
 James Morse <james.morse@arm.com>, Dave Young <dyoung@redhat.com>,
 Mimi Zohar <zohar@linux.ibm.com>, Kairui Song <kasong@redhat.com>,
 Martin Schwidefsky <schwidefsky@de.ibm.com>,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-s390@vger.kernel.org, kexec@lists.infradead.org,
 keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
 stable@kernel.org
Subject: [PATCH 2/4] kexec, KEYS,
 arm64: Make use of platform keyring for signature verification
Date: Tue, 15 Feb 2022 20:39:39 +0100
Message-Id: 
 <7581dcfe676024aa438beddecbf162e4ec81ccfc.1644953683.git.msuchanek@suse.de>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1644953683.git.msuchanek@suse.de>
References: <cover.1644953683.git.msuchanek@suse.de>
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220215_114018_185784_FB256E43 
X-CRM114-Status: UNSURE (   9.98  )
X-CRM114-Notice: Please train this message.
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
adds platform keyring support on x86 kexec but not arm64.

Add platform keyring support on arm64 as well.

Fixes: 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 arch/arm64/kernel/kexec_image.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 1fbf2ee7c005..3dee7b2d8336 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -133,9 +133,17 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len,
-				       VERIFY_USE_SECONDARY_KEYRING,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
 }
 #endif
 

From patchwork Tue Feb 15 19:39:40 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michal Suchanek <msuchanek@suse.de>
X-Patchwork-Id: 12747570
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id 5CCAFC433EF
	for <linux-arm-kernel@archiver.kernel.org>;
 Tue, 15 Feb 2022 19:42:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:
	Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=NfLog4lXSmT1lo5xvx7hTY+Nh8oGrTVMgCdLkGH3tmA=; b=YOsY630gCvoOBp
	PRB0I98Uv/DQNLfYERRer0SkMBsBBbGkIvc2cIia/I1qrqT/Ldb4jZIuWFDK0KzqtbfjYwVnCN74x
	JBA5Fqc/CALJBxYkqvnQXPB5K5jc0DAgC/qb2oOvuOYceCqhFIO88k1x6S2XDdOEM7cIxvMgHm9/c
	7sWW49ylzAEmzR9o5OxFFSSqr4loBtEDATRSE9OupaV5RA1lveRF0lf/OdxKQ3873nYZj0lGU9r+5
	W9hQRD37LdqxJR1AGiWtrE6jemK26cj9N5piuBsUJff9X1SWjwbQRN2z/qbCpgq2nmuBl5YeXZyc5
	jMO2G4vciFRQdseheS/A==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1nK3hT-004MaM-TU; Tue, 15 Feb 2022 19:41:24 +0000
Received: from smtp-out1.suse.de ([195.135.220.28])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1nK3gR-004MCv-R5; Tue, 15 Feb 2022 19:40:21 +0000
Received: from relay2.suse.de (relay2.suse.de [149.44.160.134])
 by smtp-out1.suse.de (Postfix) with ESMTP id 925FC212BC;
 Tue, 15 Feb 2022 19:40:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_rsa;
 t=1644954018;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=paASHUob1sIoerzV6STcfpbtVsZc1wGF58vxL8uX3EY=;
 b=Bdn/l637OdkswNZQSSm2sZAlaHzVip/VSOE91vJVdILHC2dxFlD7JKAkDg3IttcZbIiDAQ
 9lPczQnE+i97i48qMfZ2/lZyLNxEfViLsQKdQllfovuB1SF2za1PucpFrLLkQ+gJbAr5ki
 paH2VI/pjoXhQrkCCWf35uJEQUHOxb0=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_ed25519; t=1644954018;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=paASHUob1sIoerzV6STcfpbtVsZc1wGF58vxL8uX3EY=;
 b=YXLOvClTKrsVp4RnU/YCSGih1ibEVb01h7+4vRxPi+YOxT47hsBbvaY4Z7ExOxKRLsKWuz
 eZuUqF0VptfxEXDw==
Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127])
 by relay2.suse.de (Postfix) with ESMTP id 580E1A3B87;
 Tue, 15 Feb 2022 19:40:18 +0000 (UTC)
From: Michal Suchanek <msuchanek@suse.de>
To: 
Cc: Michal Suchanek <msuchanek@suse.de>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>,
 Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>,
 Alexander Gordeev <agordeev@linux.ibm.com>,
 Christian Borntraeger <borntraeger@linux.ibm.com>,
 Sven Schnelle <svens@linux.ibm.com>, Philipp Rudo <prudo@redhat.com>,
 Baoquan He <bhe@redhat.com>, Alexander Egorenkov <egorenar@linux.ibm.com>,
 AKASHI Takahiro <takahiro.akashi@linaro.org>,
 James Morse <james.morse@arm.com>, Dave Young <dyoung@redhat.com>,
 Mimi Zohar <zohar@linux.ibm.com>, Kairui Song <kasong@redhat.com>,
 Martin Schwidefsky <schwidefsky@de.ibm.com>,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-s390@vger.kernel.org, Philipp Rudo <prudo@linux.ibm.com>,
 kexec@lists.infradead.org, keyrings@vger.kernel.org,
 linux-security-module@vger.kernel.org, stable@kernel.org
Subject: [PATCH 3/4] kexec, KEYS,
 s390: Make use of built-in and secondary keyring for signature
 verification
Date: Tue, 15 Feb 2022 20:39:40 +0100
Message-Id: 
 <9f8b71f368843568d7dd6764f8c8a68b1f3a9bbc.1644953683.git.msuchanek@suse.de>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1644953683.git.msuchanek@suse.de>
References: <cover.1644953683.git.msuchanek@suse.de>
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220215_114020_059330_4208A158 
X-CRM114-Status: GOOD (  10.72  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
adds support for KEXEC_SIG verification with keys from platform keyring
but the built-in keys and secondary keyring are not used.

Add support for the built-in keys and secondary keyring as x86 does.

Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
Cc: Philipp Rudo <prudo@linux.ibm.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index 8f43575a4dd3..fc6d5f58debe 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
 	const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
 	struct module_signature *ms;
 	unsigned long sig_len;
+	int ret;
 
 	/* Skip signature verification when not secure IPLed. */
 	if (!ipl_secure_flag)
@@ -65,11 +66,18 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
 		return -EBADMSG;
 	}
 
-	return verify_pkcs7_signature(kernel, kernel_len,
-				      kernel + kernel_len, sig_len,
-				      VERIFY_USE_PLATFORM_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(kernel, kernel_len,
+				     kernel + kernel_len, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+		ret = verify_pkcs7_signature(kernel, kernel_len,
+					     kernel + kernel_len, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	return ret;
 }
 #endif /* CONFIG_KEXEC_SIG */
 

From patchwork Tue Feb 15 19:39:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michal Suchanek <msuchanek@suse.de>
X-Patchwork-Id: 12747571
Return-Path: 
 <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from bombadil.infradead.org (bombadil.infradead.org
 [198.137.202.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id F14BFC433EF
	for <linux-arm-kernel@archiver.kernel.org>;
 Tue, 15 Feb 2022 19:43:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20210309; h=Sender:
	Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:
	Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:
	Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
	List-Owner; bh=0MQaxWEriL0bMzF1AQCy+wUWxBCa8SZZM68zVE78t3w=; b=S8takxFZls0poh
	Pq9USYO6Us/soVjx68ZqjT6YG6rC6rlQnJESLUzGuEMrCE0qaaRHokP2m/gTRK2DwrrEjpqNyuhrn
	emmSDfEmq26IGyAHGZwlmlN/Th/RZBdsGrFpUYbxPmgWLN0e9XQn1Ew6uKMmW5ITALuI1Lcf6ZxpX
	iln1piwpepAm8OCTpUfS+xVZkdSIFjQWjHEx+20eRejOKEuu3oxTdK1b4Iu2oul971GT5iCvcb6kL
	DYag9HXQU618c4buM050QIZ5UDH25RO7Xv3bIlmIrsylX0vJ947aWYCN0GOUs2iRcHVWaV7hioKca
	9gGFH+wt1FqlPy6xIb/g==;
Received: from localhost ([::1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux))
	id 1nK3hv-004Mmk-If; Tue, 15 Feb 2022 19:41:52 +0000
Received: from smtp-out1.suse.de ([195.135.220.28])
 by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux))
 id 1nK3gT-004MDV-Fw
 for linux-arm-kernel@lists.infradead.org; Tue, 15 Feb 2022 19:40:22 +0000
Received: from relay2.suse.de (relay2.suse.de [149.44.160.134])
 by smtp-out1.suse.de (Postfix) with ESMTP id 2966E212BF;
 Tue, 15 Feb 2022 19:40:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_rsa;
 t=1644954020;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=;
 b=aKlJB4z2LkeDmU9Wa0mMaGs6IIOIRehwJLlbsagMlfiCcxE4Vmg8XMaKdc69NsJMOTP0kQ
 6m3gUONyR41Y1JsLuaRlHdm5T0T5CgDHBD4NKdU5H0EGbKgFCfdFIyPtAQQ9PdZVpMEtkw
 yrYtZluMYfIUqDwYid34Yoy17UJjae0=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
 s=susede2_ed25519; t=1644954020;
 h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
 mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=;
 b=zA2og9PY6JLNwNbmuaeKtddqBDmkioJbLp4aWfNO14CRENxwEHInpG/XdjAayhh6IrPC7d
 aDUWFnUPxNtd9/AA==
Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127])
 by relay2.suse.de (Postfix) with ESMTP id E3D36A3B88;
 Tue, 15 Feb 2022 19:40:19 +0000 (UTC)
From: Michal Suchanek <msuchanek@suse.de>
To: 
Cc: Michal Suchanek <msuchanek@suse.de>,
 Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>,
 Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>,
 Alexander Gordeev <agordeev@linux.ibm.com>,
 Christian Borntraeger <borntraeger@linux.ibm.com>,
 Sven Schnelle <svens@linux.ibm.com>, Philipp Rudo <prudo@redhat.com>,
 Baoquan He <bhe@redhat.com>, Alexander Egorenkov <egorenar@linux.ibm.com>,
 AKASHI Takahiro <takahiro.akashi@linaro.org>,
 James Morse <james.morse@arm.com>, Dave Young <dyoung@redhat.com>,
 Mimi Zohar <zohar@linux.ibm.com>, Kairui Song <kasong@redhat.com>,
 Martin Schwidefsky <schwidefsky@de.ibm.com>,
 linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 linux-s390@vger.kernel.org, linux-modules@vger.kernel.org,
 keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
 stable@kernel.org
Subject: [PATCH 4/4] module,
 KEYS: Make use of platform keyring for signature verification
Date: Tue, 15 Feb 2022 20:39:41 +0100
Message-Id: 
 <840433bc93a58d6dfc4d96c34c0c3b158a0e669d.1644953683.git.msuchanek@suse.de>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <cover.1644953683.git.msuchanek@suse.de>
References: <cover.1644953683.git.msuchanek@suse.de>
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20220215_114021_721235_FB32B4C4 
X-CRM114-Status: GOOD (  11.00  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: 
 <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: 
 <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
adds support for use of platform keyring in kexec verification but
support for modules is missing.

Add support for verification of modules with keys from platform keyring
as well.

Fixes: 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring")
Cc: linux-modules@vger.kernel.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
---
 kernel/module_signing.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 8723ae70ea1f..5e1624294874 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -38,8 +38,14 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	return ret;
 }