From 4c82f6a26c26d42e39931b33ba7e7615bdacc0a5 Mon Sep 17 00:00:00 2001

From: Robert Holmes <robeholmes@gmail.com>

Date: Mon, 30 Sep 2019 11:50:07 +0800

Subject: [PATCH] KEYS: Make use of platform keyring for module signature

 verify

Patch-mainline: Never, SUSE-specific

References: FATE#314508, FATE#316531, bsc#1209006

This patch completes commit 278311e417be ("kexec, KEYS: Make use of

platform keyring for signature verify") which, while adding the

platform keyring for bzImage verification, neglected to also add

this keyring for module verification.

As such, kernel modules signed with keys from the MokList variable

were not successfully verified.

Joey Lee:

- Kernel mainline rejected this patch because the policy for what pre-boot

  keys to trust within the Linux boundary very complex:

   Reference: https://lkml.org/lkml/2019/4/25/964

- For openSUSE Tumbleweed, maybe we can remove this patch after upstream

  provides a official solution for using MOK to verify kernel module. 

  The closest solution when this patch be applied to Tumbleweed kernel

  is Eric Snowberg's solution:

  [PATCH v5 0/6] Add CA enforcement keyring restrictions

  https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com/T/

  Eric's solution allows CA in MOK be loaded to .secondary keyring. Then the

  CA can veirfy other keys for loading to .ima or .secondary keyring by keyctl

  tool. Other non-CA MOKs can only be used for kexec. (bsc#1209006)

Signed-off-by: Rober+t Holmes <robeholmes@gmail.com>

Cc: linux-integrity@vger.kernel.org

Cc: keyrings@vger.kernel.org

Cc: stable@vger.kernel.org

Acked-by: Lee, Chun-Yi <jlee@suse.com>

---

 kernel/module/signing.c |    9 ++++++++-

 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/module/signing.c

+++ b/kernel/module/signing.c

@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, stru

 	modlen -= sig_len + sizeof(ms);

 	info->len = modlen;

-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,

+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,

 				      VERIFY_USE_SECONDARY_KEYRING,

 				      VERIFYING_MODULE_SIGNATURE,

 				      NULL, NULL);

+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {

+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,

+					     VERIFY_USE_PLATFORM_KEYRING,

+					     VERIFYING_MODULE_SIGNATURE,

+					     NULL, NULL);

+	}

+	return ret;

 }

 int module_sig_check(struct load_info *info, int flags)