kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   253eb56fa7f33dbaa3c18fc1c23fe68858b4e84f
  2.   patches.suse
  3.   KEYS-Make-use-of-platform-keyring-for-module-signatu.patch
Blob Blame History Raw 
From 4c82f6a26c26d42e39931b33ba7e7615bdacc0a5 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Mon, 30 Sep 2019 11:50:07 +0800
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
Patch-mainline: Never, SUSE-specific
References: FATE#314508, FATE#316531, bsc#1209006

This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.

As such, kernel modules signed with keys from the MokList variable
were not successfully verified.


Joey Lee:

- Kernel mainline rejected this patch because the policy for what pre-boot
  keys to trust within the Linux boundary very complex:

   Reference: https://lkml.org/lkml/2019/4/25/964

- For openSUSE Tumbleweed, maybe we can remove this patch after upstream
  provides a official solution for using MOK to verify kernel module. 
  The closest solution when this patch be applied to Tumbleweed kernel
  is Eric Snowberg's solution:

  [PATCH v5 0/6] Add CA enforcement keyring restrictions
  https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com/T/

  Eric's solution allows CA in MOK be loaded to .secondary keyring. Then the
  CA can veirfy other keys for loading to .ima or .secondary keyring by keyctl
  tool. Other non-CA MOKs can only be used for kexec. (bsc#1209006)

Signed-off-by: Rober+t Holmes <robeholmes@gmail.com>
Cc: linux-integrity@vger.kernel.org
Cc: keyrings@vger.kernel.org
Cc: stable@vger.kernel.org
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
 kernel/module/signing.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, stru
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 				      VERIFY_USE_SECONDARY_KEYRING,
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	}
+	return ret;
 }
 
 int module_sig_check(struct load_info *info, int flags)
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.