From patchwork Fri Mar 31 14:30:21 2023
X-Patchwork-Submitter: Ahelenia Ziemiańska
X-Patchwork-Id: 13196051
Date: Fri, 31 Mar 2023 16:30:21 +0200
From: Ahelenia =?utf-8?q?Ziemia=C5=84ska?= Cc: Luis Chamberlain , "open list:MODULE SUPPORT" , "open list:MODULE SUPPORT" Subject: [PATCH] KEYS: Make use of platform keyring for module signature verification Message-ID: MIME-Version: 1.0 Content-Disposition: inline User-Agent: NeoMutt/20230322 To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: This allows a cert in DB to be used to sign modules, in addition to certs in the MoK and built-in keyrings. This key policy matches what's used for kexec. Signed-off-by: Ahelenia ZiemiaƄska --- Notes: Debian has carried an equivalent patch since 5.3.9-1: https://bugs.debian.org/935945 https://bugs.debian.org/1030200 in https://salsa.debian.org/kernel-team/linux/-/commit/0e65c8f3e316d6f0fc30f091dd47dba2ac616529 and it appears the true origin is some version of https://gitlab.com/cki-project/kernel-ark/-/commit/b697ff5e26974fee8fcd31a1e221e9dd41515efc kernel/module/signing.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/kernel/module/signing.c b/kernel/module/signing.c index a2ff4242e623..71d6248cf9ec 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -61,10 +61,16 @@ int mod_verify_sig(const void *mod, struct load_info *info) modlen -= sig_len + sizeof(ms); info->len = modlen; - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; } int module_sig_check(struct load_info *info, int flags)
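Review bot: the commit message should state the trust expansion this hunk makes, and the second verify_pkcs7_signature() call wants a comment explaining the policy. After this change a module signed by any certificate the firmware exposes in db is accepted, not only one chaining to the builtin or secondary keyrings, and on a typical Secure Boot machine db holds OEM and third-party keys the distribution does not control; the message cites kexec as precedent but does not say why a key trusted to boot a kernel should also be trusted to load code into the running one, and a reviewer of the keyring policy needs that argument written down. The fallback is also deliberately narrow: it retries only when the first call returns -ENOKEY, so a signature that fails verification for any other reason is not tried again against the platform keyring; a one-line comment above "if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))" saying that only the no-matching-key case falls through would stop a later change from widening it. Documentation/admin-guide/module-signing.rst describes which keyrings module signatures are checked against and should be updated in the same patch, and since the only file touched is kernel/module/signing.c the subject prefix "module:" fits better than "KEYS:".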