diff --git a/patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch b/patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch new file mode 100644 index 0000000..5fdacd0 --- /dev/null +++ b/patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch @@ -0,0 +1,66 @@ +From 4c82f6a26c26d42e39931b33ba7e7615bdacc0a5 Mon Sep 17 00:00:00 2001 +From: Robert Holmes +Date: Mon, 30 Sep 2019 11:50:07 +0800 +Subject: [PATCH] KEYS: Make use of platform keyring for module signature + verify +Patch-mainline: Never, SUSE-specific +References: FATE#314508, FATE#316531, bsc#1209006 + +This patch completes commit 278311e417be ("kexec, KEYS: Make use of +platform keyring for signature verify") which, while adding the +platform keyring for bzImage verification, neglected to also add +this keyring for module verification. + +As such, kernel modules signed with keys from the MokList variable +were not successfully verified. + + +Joey Lee: + +- Kernel mainline rejected this patch because the policy for what pre-boot + keys to trust within the Linux boundary very complex: + + Reference: https://lkml.org/lkml/2019/4/25/964 + +- For openSUSE Tumbleweed, maybe we can remove this patch after upstream + provides a official solution for using MOK to verify kernel module. + The closest solution when this patch be applied to Tumbleweed kernel + is Eric Snowberg's solution: + + [PATCH v5 0/6] Add CA enforcement keyring restrictions + https://lore.kernel.org/lkml/20230302164652.83571-1-eric.snowberg@oracle.com/T/ + + Eric's solution allows CA in MOK be loaded to .secondary keyring. Then the + CA can veirfy other keys for loading to .ima or .secondary keyring by keyctl + tool. Other non-CA MOKs can only be used for kexec. (bsc#1209006) + +Signed-off-by: Rober+t Holmes +Cc: linux-integrity@vger.kernel.org +Cc: keyrings@vger.kernel.org +Cc: stable@vger.kernel.org +Acked-by: Lee, Chun-Yi +--- + kernel/module/signing.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/kernel/module/signing.c ++++ b/kernel/module/signing.c +@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, stru + modlen -= sig_len + sizeof(ms); + info->len = modlen; + +- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_MODULE_SIGNATURE, ++ NULL, NULL); ++ } ++ return ret; + } + + int module_sig_check(struct load_info *info, int flags) diff --git a/series.conf b/series.conf index beb188a..0dcd2b4 100644 --- a/series.conf +++ b/series.conf @@ -143,6 +143,9 @@ # Security ######################################################## + # Module signing / secure boot + patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch + # Bug 1198101 - VUL-0: shim: openSUSE tumbleweed not fully locked down? Add opensuse-cert-prompt back to openSUSE shim # Lock down functions for secure boot patches.suse/0001-security-lockdown-expose-a-hook-to-lock-the-kernel-down.patch