From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
---
 kernel/module_signing.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 6b9a926fd86b..cf94220e9154 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 {
 	struct module_signature ms;
 	size_t sig_len, modlen = info->len;
+	int ret;
 
 	pr_devel("==>%s(,%zu)\n", __func__, modlen);
 
@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 		return -EBADMSG;
 	}
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	}
+	return ret;
 }
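Review bot: The platform-keyring fallback is entered only when the secondary-keyring call returns -ENOKEY, and nothing in the hunk records why that one error code was chosen, so a later reader could widen the condition to any failure and start re-verifying signatures that were already found and rejected. A comment above the `if` would pin the intent: `/* Retry against firmware-provided keys (e.g. MokList) only when the signing key was not found; a signature rejected by the secondary keyring is never re-verified elsewhere. */`. It is also worth stating next to the code that, with CONFIG_INTEGRITY_PLATFORM_KEYRING enabled, the set of keys accepted for module signing now includes every key the firmware trusts, since the commit message gives the goal but not this trust-ordering consequence for anyone auditing the build. mod_verify_sig begins outside this hunk, with `ret` declared in the first hunk.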
-- 
2.21.0