From patchwork Fri Mar 31 14:30:21 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Ahelenia_Ziemia=C5=84ska?=
 <nabijaczleweli@nabijaczleweli.xyz>
X-Patchwork-Id: 77799
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp617992vqo;
        Fri, 31 Mar 2023 07:47:23 -0700 (PDT)
X-Google-Smtp-Source: 
 AKy350buqVHw12vP9UQM3wNKfszywCFEMMYdo+K36K9b3fWMl6Tpat6sXr+YZSB8bsT2UMk5XqYG
X-Received: by 2002:a05:6402:70c:b0:502:5288:e37a with SMTP id
 w12-20020a056402070c00b005025288e37amr9354638edx.6.1680274043296;
        Fri, 31 Mar 2023 07:47:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1680274043; cv=none;
        d=google.com; s=arc-20160816;
        b=cxMk0rBnpfftFQAFxpZsTsu+2Ke7BGoPjIgUblLq+i2rfJV+oFyZ4zp8WQgbUlZl1o
         S1a5FckhtMkhe+mB48ASFslapfubdg9QL+lo+O4+Hm/EqlUoCPY3GM0Q32HY9RVu3EGF
         2mka85hOgPiQz2O8zfQyNoq4ZFJCM5QAFNJ3Te1tkrMor/UYhKPmsC/8BbZ5owsw9eYG
         Es4b05E5Xj9E4lw53vHo5CmZF6hrPnbgYdsteKB15ZXQuh6Sj7AuHJruF+Tm0CZZ5YM+
         CtLamDSbVZZLfgVhjaHa56OAb0MG1EvTQxXq7zK3EiZKvvumA9kbcyJNJQhgut45VdZC
         pDeA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:to:user-agent:content-disposition:mime-version
         :message-id:subject:cc:from:date:dkim-signature;
        bh=pUZUuOCw/evylrc+aATnGuIBbQYsZbxYZSfyy7PmPNw=;
        b=p06n8d3bUUbA8Pd9aAShHeV+cmSKNLraWZgB4ApjauVhrng6Ew5CpT8nfLAwgCG8W1
         TbaSkEPMTKUuhJnfr4UO6U3yAvOmk4+WMT5dyQcWYtXeLVwfOAKkcaDhAgzMvYBipR9n
         mO6npYFEZEzWADOzs7V7Pq2nUgyXYdJ+75qkDCWxrtj1el3PkdQk/HUYL/XPHgx3Wnio
         fAP/4Q/d+asg4arF7kMNvvQ7A+++41yB1UJAWUXatKOq0uNFbVyJ70natq4TuVDlJwQk
         GrEIovbdI8tbDLiDilbrPJ9oo1HuGV0Yq4ZVT/1oiGbNcMvHjuXKfurd1pNWsNCAMDmZ
         suMQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@nabijaczleweli.xyz header.s=202211
 header.b=P4iu4Saw;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nabijaczleweli.xyz
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 i2-20020aa7c702000000b004fa760de417si2251634edq.122.2023.03.31.07.46.59;
        Fri, 31 Mar 2023 07:47:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@nabijaczleweli.xyz header.s=202211
 header.b=P4iu4Saw;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nabijaczleweli.xyz
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232822AbjCaObz (ORCPT <rfc822;dexuan.linux@gmail.com>
        + 99 others); Fri, 31 Mar 2023 10:31:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34352 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232747AbjCaObx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 31 Mar 2023 10:31:53 -0400
Received: from tarta.nabijaczleweli.xyz (unknown [139.28.40.42])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id C74B220625;
        Fri, 31 Mar 2023 07:31:13 -0700 (PDT)
Received: from tarta.nabijaczleweli.xyz (unknown [192.168.1.250])
        by tarta.nabijaczleweli.xyz (Postfix) with ESMTPSA id D4D9A4A28;
        Fri, 31 Mar 2023 16:30:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nabijaczleweli.xyz;
        s=202211; t=1680273022;
        bh=kZL8+56e6lv/MMMqFC565eCb5So9E645Hgn/mf2GmaQ=;
        h=Date:From:Cc:Subject:From;
        b=P4iu4Sawnk9VTuEhTwtIDc8lh1rkP9olUGgxqiEq/8aFQcI9+njuFp8yIWxh661kx
         Tg2mBERMbmiOD4MZCOr1KiYufuqNae3nZKmMvH7poPckvSB4qWC676u/QqblwSj1/t
         UzB8ZQx4gGmVKGhxkRjk+ZBHyPuizi+2T3KJJROfc5jPmB/vOleG/g0FFMIEDUzPyQ
         ahy3d2Wd0r29Jji/slAHTi2EDdAUXW6Yf/kB8JbVflQqOXl8/NwBUy9FMryLjgWWnG
         UpeZE+3rueQ7yFA3QbCfXDzYL0Qf24Cr4K01+6y8x6gPCGO8aPYfagSUDPexWB27es
         PEK+KbCCtZRNw==
Date: Fri, 31 Mar 2023 16:30:21 +0200
From: Ahelenia =?utf-8?q?Ziemia=C5=84ska?= <nabijaczleweli@nabijaczleweli.xyz>
Cc: Luis Chamberlain <mcgrof@kernel.org>,
        "open list:MODULE SUPPORT" <linux-modules@vger.kernel.org>,
        "open list:MODULE SUPPORT" <linux-kernel@vger.kernel.org>
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verification
Message-ID: <qvgp2il2co4iyxkzxvcs4p2bpyilqsbfgcprtpfrsajwae2etc@3z2s2o52i3xg>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: NeoMutt/20230322
X-Spam-Status: No, score=1.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,MISSING_HEADERS,PDS_RDNS_DYNAMIC_FP,
        RDNS_DYNAMIC,SPF_HELO_PASS,SPF_PASS autolearn=no autolearn_force=no
        version=3.4.6
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
To: unlisted-recipients:; (no To-header on input)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1761895035143418642?=
X-GMAIL-MSGID: =?utf-8?q?1761895035143418642?=

This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.

This key policy matches what's used for kexec.

Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
---

Notes:
    Debian has carried an equivalent patch since 5.3.9-1:
      https://bugs.debian.org/935945
      https://bugs.debian.org/1030200
    in
      https://salsa.debian.org/kernel-team/linux/-/commit/0e65c8f3e316d6f0fc30f091dd47dba2ac616529
    and it appears the true origin is some version of
      https://gitlab.com/cki-project/kernel-ark/-/commit/b697ff5e26974fee8fcd31a1e221e9dd41515efc

 kernel/module/signing.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..71d6248cf9ec 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,16 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	return ret;
 }
 
 int module_sig_check(struct load_info *info, int flags)