From 4c82f6a26c26d42e39931b33ba7e7615bdacc0a5 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Mon, 30 Sep 2019 11:50:07 +0800
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
Patch-mainline: Never, SUSE-specific
References: FATE#314508, FATE#316531

This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.

As such, kernel modules signed with keys from the MokList variable
were not successfully verified.

Joey:
Kernel mainline rejected this patch because the policy for which pre-boot
keys to trust within the Linux boundary is very complex:

Reference: https://lkml.org/lkml/2019/4/25/964

Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Cc: linux-integrity@vger.kernel.org
Cc: keyrings@vger.kernel.org
Cc: stable@vger.kernel.org
Acked-by: Lee, Chun-Yi <jlee@suse.com>
---
 kernel/module_signing.c |   15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -38,8 +38,15 @@ int mod_verify_sig(const void *mod, stru
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_MODULE_SIGNATURE,
-				      NULL, NULL);
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				     VERIFY_USE_SECONDARY_KEYRING,
+				     VERIFYING_MODULE_SIGNATURE,
+				     NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					     VERIFY_USE_PLATFORM_KEYRING,
+					     VERIFYING_MODULE_SIGNATURE,
+					     NULL, NULL);
+	}
+	return ret;
 }
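Review bot: The fallback at the `IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)` branch widens module-signing trust to every key in the platform keyring, not only the MokList keys the description motivates; in mainline that keyring is also populated from the UEFI db, so firmware and OEM certificates would become valid module signers, which is the policy concern behind the cited LKML rejection and is not documented anywhere in the code. The retry is also keyed only on `-ENOKEY`, so a signature that the secondary keyring actively rejects (e.g. `-EKEYREJECTED`) is correctly not retried, but that intent deserves a comment. I would add above the `if`: `/* Fall back to pre-boot keys (UEFI db/MokList). This trusts every platform-keyring key for module loading, not just MOK-enrolled ones; only retry when no matching key was found, never on a rejected signature. */`. Note that `ret` is assigned here without a declaration in the hunk, so it must already be declared in the part of mod_verify_sig that lies outside this hunk; otherwise the patch will not compile.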