chengshan / rpms / kernel

Forked from rpms/kernel 2 years ago
Clone
Justin Vreeland 794d92
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Justin Vreeland 794d92
From: Robert Holmes <robeholmes@gmail.com>
Justin Vreeland 794d92
Date: Tue, 23 Apr 2019 07:39:29 +0000
Justin Vreeland 794d92
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
Justin Vreeland 794d92
 verify
Justin Vreeland 794d92
Justin Vreeland 794d92
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
Justin Vreeland 794d92
platform keyring for signature verify") which, while adding the
Justin Vreeland 794d92
platform keyring for bzImage verification, neglected to also add
Justin Vreeland 794d92
this keyring for module verification.
Justin Vreeland 794d92
Justin Vreeland 794d92
As such, kernel modules signed with keys from the MokList variable
Justin Vreeland 794d92
were not successfully verified.
Justin Vreeland 794d92
Justin Vreeland 794d92
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Justin Vreeland 794d92
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Justin Vreeland 794d92
---
Justin Vreeland 794d92
 kernel/module_signing.c | 9 ++++++++-
Justin Vreeland 794d92
 1 file changed, 8 insertions(+), 1 deletion(-)
Justin Vreeland 794d92
Justin Vreeland 794d92
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
Justin Vreeland 794d92
index 9d9fc678c91d..84ad75a53c83 100644
Justin Vreeland 794d92
--- a/kernel/module_signing.c
Justin Vreeland 794d92
+++ b/kernel/module_signing.c
Justin Vreeland 794d92
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
Justin Vreeland 794d92
 	modlen -= sig_len + sizeof(ms);
Justin Vreeland 794d92
 	info->len = modlen;
Justin Vreeland 794d92
Justin Vreeland 794d92
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Justin Vreeland 794d92
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Justin Vreeland 794d92
 				      VERIFY_USE_SECONDARY_KEYRING,
Justin Vreeland 794d92
 				      VERIFYING_MODULE_SIGNATURE,
Justin Vreeland 794d92
 				      NULL, NULL);
Justin Vreeland 794d92
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
Justin Vreeland 794d92
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Justin Vreeland 794d92
+				VERIFY_USE_PLATFORM_KEYRING,
Justin Vreeland 794d92
+				VERIFYING_MODULE_SIGNATURE,
Justin Vreeland 794d92
+				NULL, NULL);
Justin Vreeland 794d92
+	}
Justin Vreeland 794d92
+	return ret;
Justin Vreeland 794d92
 }
Justin Vreeland 794d92
-- 
Justin Vreeland 794d92
2.28.0
Justin Vreeland 794d92