|
Justin Vreeland |
794d92 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
Justin Vreeland |
794d92 |
From: Robert Holmes <robeholmes@gmail.com>
|
|
Justin Vreeland |
794d92 |
Date: Tue, 23 Apr 2019 07:39:29 +0000
|
|
Justin Vreeland |
794d92 |
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
|
|
Justin Vreeland |
794d92 |
verify
|
|
Justin Vreeland |
794d92 |
|
|
Justin Vreeland |
794d92 |
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
|
|
Justin Vreeland |
794d92 |
platform keyring for signature verify") which, while adding the
|
|
Justin Vreeland |
794d92 |
platform keyring for bzImage verification, neglected to also add
|
|
Justin Vreeland |
794d92 |
this keyring for module verification.
|
|
Justin Vreeland |
794d92 |
|
|
Justin Vreeland |
794d92 |
As such, kernel modules signed with keys from the MokList variable
|
|
Justin Vreeland |
794d92 |
were not successfully verified.
|
|
Justin Vreeland |
794d92 |
|
|
Justin Vreeland |
794d92 |
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
|
|
Justin Vreeland |
794d92 |
Signed-off-by: Jeremy Cline <jcline@redhat.com>
|
|
Justin Vreeland |
794d92 |
---
|
|
Justin Vreeland |
794d92 |
kernel/module_signing.c | 9 ++++++++-
|
|
Justin Vreeland |
794d92 |
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
Justin Vreeland |
794d92 |
|
|
Justin Vreeland |
794d92 |
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
|
|
Justin Vreeland |
794d92 |
index 9d9fc678c91d..84ad75a53c83 100644
|
|
Justin Vreeland |
794d92 |
--- a/kernel/module_signing.c
|
|
Justin Vreeland |
794d92 |
+++ b/kernel/module_signing.c
|
|
Justin Vreeland |
794d92 |
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
|
|
Justin Vreeland |
794d92 |
modlen -= sig_len + sizeof(ms);
|
|
Justin Vreeland |
794d92 |
info->len = modlen;
|
|
Justin Vreeland |
794d92 |
|
|
Justin Vreeland |
794d92 |
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
|
|
Justin Vreeland |
794d92 |
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
|
|
Justin Vreeland |
794d92 |
VERIFY_USE_SECONDARY_KEYRING,
|
|
Justin Vreeland |
794d92 |
VERIFYING_MODULE_SIGNATURE,
|
|
Justin Vreeland |
794d92 |
NULL, NULL);
|
|
Justin Vreeland |
794d92 |
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
|
|
Justin Vreeland |
794d92 |
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
|
|
Justin Vreeland |
794d92 |
+ VERIFY_USE_PLATFORM_KEYRING,
|
|
Justin Vreeland |
794d92 |
+ VERIFYING_MODULE_SIGNATURE,
|
|
Justin Vreeland |
794d92 |
+ NULL, NULL);
|
|
Justin Vreeland |
794d92 |
+ }
|
|
Justin Vreeland |
794d92 |
+ return ret;
|
|
Justin Vreeland |
794d92 |
}
|
|
Justin Vreeland |
794d92 |
--
|
|
Justin Vreeland |
794d92 |
2.28.0
|
|
Justin Vreeland |
794d92 |
|