From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
 kernel/module_signing.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 9d9fc678c91d..84ad75a53c83 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 				      VERIFY_USE_SECONDARY_KEYRING,
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				VERIFY_USE_PLATFORM_KEYRING,
+				VERIFYING_MODULE_SIGNATURE,
+				NULL, NULL);
+	}
+	return ret;
 }
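Review bot: The new `-ENOKEY` fallback makes every key in the platform keyring an accepted module signer, which widens the module trust root beyond what `VERIFY_USE_SECONDARY_KEYRING` covers, and nothing in the code records that policy. The commit message names MokList keys as the motivation, but the platform keyring holds whatever keys the platform supplies, so the decision deserves a comment above the `if`, for example `/* No key in the kernel keyrings matched; retry against platform-provided keys (e.g. MokList). Any other error is final. */`. Retrying only on `-ENOKEY` looks like the right shape, since a signature that was found but rejected does not get a second attempt, and stating that in the comment keeps a later edit from loosening the condition. `mod_verify_sig()` begins outside this hunk, so the declaration of `ret` and any earlier checks are not visible here.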
-- 
2.21.0