From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
---
 kernel/module_signing.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 6b9a926fd86b..cf94220e9154 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 {
 	struct module_signature ms;
 	size_t sig_len, modlen = info->len;
+	int ret;
 
 	pr_devel("==>%s(,%zu)\n", __func__, modlen);
 
@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 		return -EBADMSG;
 	}
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	}
+	return ret;
 }
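Review bot: The fallback at `if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))` widens the set of keys that may sign a loadable module from the secondary keyring to the whole platform keyring, and neither the hunk nor the commit message records that this is a deliberate trust decision rather than just a MokList fix. If, as on UEFI systems, the platform keyring is populated from the firmware db as well as MokList, then any key the firmware vendor trusts for booting can now also sign kernel modules, which is a broader trust anchor than the secondary keyring the code relied on before, and upstream has historically restricted that keyring to kexec verification. The fallback also deserves a why-comment so the next reader does not "simplify" the -ENOKEY condition: `/* Fall back to the platform keyring (firmware db / MokList) so MOK-enrolled keys can sign modules; only on -ENOKEY so a found-but-rejected or blacklisted key is never retried against another keyring. */`. The rest of mod_verify_sig, including the signature-length checks, starts before this hunk.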
-- 
2.21.0