imperfectism / rpms / kernel

Forked from rpms/kernel 4 years ago
Clone
Pablo Greco d6c4c4
From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
Pablo Greco d6c4c4
From: Robert Holmes <robeholmes@gmail.com>
Pablo Greco d6c4c4
Date: Tue, 23 Apr 2019 07:39:29 +0000
Pablo Greco d6c4c4
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
Pablo Greco d6c4c4
 verify
Pablo Greco d6c4c4
Pablo Greco d6c4c4
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
Pablo Greco d6c4c4
platform keyring for signature verify") which, while adding the
Pablo Greco d6c4c4
platform keyring for bzImage verification, neglected to also add
Pablo Greco d6c4c4
this keyring for module verification.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
As such, kernel modules signed with keys from the MokList variable
Pablo Greco d6c4c4
were not successfully verified.
Pablo Greco d6c4c4
Pablo Greco d6c4c4
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Pablo Greco d6c4c4
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Pablo Greco d6c4c4
---
Pablo Greco d6c4c4
 kernel/module_signing.c | 16 ++++++++++++----
Pablo Greco d6c4c4
 1 file changed, 12 insertions(+), 4 deletions(-)
Pablo Greco d6c4c4
Pablo Greco d6c4c4
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
Pablo Greco d6c4c4
index 9d9fc678c91d..84ad75a53c83 100644
Pablo Greco d6c4c4
--- a/kernel/module_signing.c
Pablo Greco d6c4c4
+++ b/kernel/module_signing.c
Pablo Greco d6c4c4
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
Pablo Greco d6c4c4
 	modlen -= sig_len + sizeof(ms);
Pablo Greco d6c4c4
 	info->len = modlen;
Pablo Greco d6c4c4
 
Pablo Greco d6c4c4
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Pablo Greco d6c4c4
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Pablo Greco d6c4c4
 				      VERIFY_USE_SECONDARY_KEYRING,
Pablo Greco d6c4c4
 				      VERIFYING_MODULE_SIGNATURE,
Pablo Greco d6c4c4
 				      NULL, NULL);
Pablo Greco d6c4c4
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
Pablo Greco d6c4c4
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Pablo Greco d6c4c4
+				VERIFY_USE_PLATFORM_KEYRING,
Pablo Greco d6c4c4
+				VERIFYING_MODULE_SIGNATURE,
Pablo Greco d6c4c4
+				NULL, NULL);
Pablo Greco d6c4c4
+	}
Pablo Greco d6c4c4
+	return ret;
Pablo Greco d6c4c4
 }
Pablo Greco d6c4c4
-- 
Pablo Greco d6c4c4
2.21.0