potatogim / rpms / kernel

Forked from rpms/kernel 3 years ago
Clone
Pablo Greco 7b2c62
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
Pablo Greco 7b2c62
From: Robert Holmes <robeholmes@gmail.com>
Pablo Greco 7b2c62
Date: Tue, 23 Apr 2019 07:39:29 +0000
Pablo Greco 7b2c62
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
Pablo Greco 7b2c62
 verify
Pablo Greco 7b2c62
Pablo Greco 7b2c62
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
Pablo Greco 7b2c62
platform keyring for signature verify") which, while adding the
Pablo Greco 7b2c62
platform keyring for bzImage verification, neglected to also add
Pablo Greco 7b2c62
this keyring for module verification.
Pablo Greco 7b2c62
Pablo Greco 7b2c62
As such, kernel modules signed with keys from the MokList variable
Pablo Greco 7b2c62
were not successfully verified.
Pablo Greco 7b2c62
Pablo Greco 7b2c62
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Pablo Greco 7b2c62
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Pablo Greco 7b2c62
---
Pablo Greco 7b2c62
 kernel/module_signing.c | 9 ++++++++-
Pablo Greco 7b2c62
 1 file changed, 8 insertions(+), 1 deletion(-)
Pablo Greco 7b2c62
Pablo Greco 7b2c62
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
Pablo Greco 7b2c62
index 9d9fc678c91d..84ad75a53c83 100644
Pablo Greco 7b2c62
--- a/kernel/module_signing.c
Pablo Greco 7b2c62
+++ b/kernel/module_signing.c
Pablo Greco 7b2c62
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
Pablo Greco 7b2c62
 	modlen -= sig_len + sizeof(ms);
Pablo Greco 7b2c62
 	info->len = modlen;
Pablo Greco 7b2c62
Pablo Greco 7b2c62
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Pablo Greco 7b2c62
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Pablo Greco 7b2c62
 				      VERIFY_USE_SECONDARY_KEYRING,
Pablo Greco 7b2c62
 				      VERIFYING_MODULE_SIGNATURE,
Pablo Greco 7b2c62
 				      NULL, NULL);
Pablo Greco 7b2c62
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
Pablo Greco 7b2c62
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
Pablo Greco 7b2c62
+				VERIFY_USE_PLATFORM_KEYRING,
Pablo Greco 7b2c62
+				VERIFYING_MODULE_SIGNATURE,
Pablo Greco 7b2c62
+				NULL, NULL);
Pablo Greco 7b2c62
+	}
Pablo Greco 7b2c62
+	return ret;
Pablo Greco 7b2c62
 }
Pablo Greco 7b2c62
-- 
Pablo Greco 7b2c62
2.28.0
Pablo Greco 7b2c62