From 4c82f6a26c26d42e39931b33ba7e7615bdacc0a5 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Mon, 30 Sep 2019 11:50:07 +0800
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
verify
Patch-mainline: Never, SUSE-specific
References: FATE#314508, FATE#316531, bsc#1209006
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Joey Lee:
- Kernel mainline rejected this patch because the policy for what pre-boot
keys to trust within the Linux boundary is very complex:
Reference: https://lkml.org/lkml/2019/4/25/964
- For openSUSE Tumbleweed, maybe we can remove this patch after upstream
provides a official solution for using MOK to verify kernel module.
The closest solution when this patch be applied to Tumbleweed kernel
is Eric Snowberg's solution:
[PATCH v5 0/6] Add CA enforcement keyring restrictions
https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com/T/
Eric's solution allows CA in MOK be loaded to .secondary keyring. Then the
CA can veirfy other keys for loading to .ima or .secondary keyring by keyctl
tool. Other non-CA MOKs can only be used for kexec. (bsc#1209006)
Signed-off-by: Rober+t Holmes <robeholmes@gmail.com>
Cc: linux-integrity@vger.kernel.org
Cc: keyrings@vger.kernel.org
Cc: stable@vger.kernel.org
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
kernel/module/signing.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
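--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, stru
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 				      VERIFY_USE_SECONDARY_KEYRING,
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	}
+	return ret;
 }
 
 int module_sig_check(struct load_info *info, int flags)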
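Review bot: The retry on `ret == -ENOKEY` extends module trust to every certificate in the platform keyring, which on UEFI systems is loaded from the firmware db as well as from MokList, whereas the description only motivates trusting MokList keys; nothing in the hunk records that this wider trust policy is intended. Add above the new `if`: `/* SUSE: a module whose key is not in .secondary may still be signed by a key from the platform keyring (UEFI db/MokList). Only -ENOKEY is retried so that bad-signature and key-rejection errors from the first pass still fail closed. */`. Restricting the retry to -ENOKEY is the right choice, since a signature that fails against a key that was found, or a malformed PKCS#7 blob, is not given a second chance. The start of mod_verify_sig and the declaration of `ret` are outside the hunk, so it should be confirmed that `ret` is an `int` already in scope rather than a newly needed local.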