From patchwork Fri Mar 31 14:30:21 2023
X-Patchwork-Submitter: Ahelenia Ziemiańska
X-Patchwork-Id: 77799
Date: Fri, 31 Mar 2023 16:30:21 +0200
From: Ahelenia Ziemiańska
Cc: Luis Chamberlain, "open list:MODULE SUPPORT"
Subject: [PATCH] KEYS: Make use of platform keyring for module signature verification
X-Mailing-List: linux-kernel@vger.kernel.org

This allows a cert in DB to be used to sign modules, in addition to certs in the MoK and built-in keyrings. This key policy matches what's used for kexec.

Signed-off-by: Ahelenia Ziemiańska
---
Notes:
    Debian has carried an equivalent patch since 5.3.9-1:
      https://bugs.debian.org/935945
      https://bugs.debian.org/1030200
    in https://salsa.debian.org/kernel-team/linux/-/commit/0e65c8f3e316d6f0fc30f091dd47dba2ac616529
    and it appears the true origin is some version of
    https://gitlab.com/cki-project/kernel-ark/-/commit/b697ff5e26974fee8fcd31a1e221e9dd41515efc

 kernel/module/signing.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..71d6248cf9ec 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,16 @@ int mod_verify_sig(const void *mod, struct load_info *info) modlen -= sig_len + sizeof(ms); info->len = modlen; - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; } int module_sig_check(struct load_info *info, int flags)
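Review bot: The fallback in this hunk is gated on `ret == -ENOKEY`, which is the right condition: only the "no matching key in the secondary keyring" case is retried against the platform keyring, while any other verification error (a rejected key, a malformed or mismatching signature) is returned unchanged rather than given a second chance. Two things to confirm before this lands: `ret` is not declared anywhere in the hunk's context, so the change relies on an existing `int ret` earlier in `mod_verify_sig()`, and the `IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)` guard means the accepted-key set now differs silently between configurations. On policy, the platform keyring is populated from the firmware's db rather than from anything the kernel build controls, so this widens the set of keys that can load a module from the built-in and secondary keyrings to whatever the firmware trusts; the commit message notes this matches kexec, but Documentation/admin-guide/module-signing.rst should be updated to state that `CONFIG_INTEGRITY_PLATFORM_KEYRING` now affects module loading, and the message itself should spell out the trust implication rather than only "a cert in DB". Minor style point: the two `verify_pkcs7_signature()` calls differ only in `VERIFY_USE_SECONDARY_KEYRING` versus `VERIFY_USE_PLATFORM_KEYRING`, so a small loop or helper over the two keyring ids would avoid repeating the four-line argument list.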