diff --git a/patches.kernel.org/6.2.12-092-asymmetric_keys-log-on-fatal-failures-in-PE-pk.patch b/patches.kernel.org/6.2.12-092-asymmetric_keys-log-on-fatal-failures-in-PE-pk.patch
new file mode 100644
index 0000000..8d4fac5
--- /dev/null
+++ b/patches.kernel.org/6.2.12-092-asymmetric_keys-log-on-fatal-failures-in-PE-pk.patch
@@ -0,0 +1,159 @@
+From: Robbie Harwood
+Date: Mon, 20 Feb 2023 12:12:54 -0500
+Subject: [PATCH] asymmetric_keys: log on fatal failures in PE/pkcs7
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43
+
+[ Upstream commit 3584c1dbfffdabf8e3dc1dd25748bb38dd01cd43 ]
+
+These particular errors can be encountered while trying to kexec when
+secureboot lockdown is in place. Without this change, even with a
+signed debug build, one still needs to reboot the machine to add the
+appropriate dyndbg parameters (since lockdown blocks debugfs).
+
+Accordingly, upgrade all pr_debug() before fatal error into pr_warn().
+
+Signed-off-by: Robbie Harwood
+Signed-off-by: David Howells
+cc: Jarkko Sakkinen
+cc: Eric Biederman
+cc: Herbert Xu
+cc: keyrings@vger.kernel.org
+cc: linux-crypto@vger.kernel.org
+cc: kexec@lists.infradead.org
+Link: https://lore.kernel.org/r/20230220171254.592347-3-rharwood@redhat.com/ # v2
+Signed-off-by: Sasha Levin
+Signed-off-by: Jiri Slaby
+---
+ crypto/asymmetric_keys/pkcs7_verify.c | 10 +++++-----
+ crypto/asymmetric_keys/verify_pefile.c | 24 ++++++++++++------------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
+index f6321c78..3da32813 100644
+--- a/crypto/asymmetric_keys/pkcs7_verify.c
++++ b/crypto/asymmetric_keys/pkcs7_verify.c
+@@ -79,16 +79,16 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
+ }
+
+ if (sinfo->msgdigest_len != sig->digest_size) {
+- pr_debug("Sig %u: Invalid digest size (%u)\n",
+- sinfo->index, sinfo->msgdigest_len);
++ pr_warn("Sig %u: Invalid digest size (%u)\n",
++ sinfo->index, sinfo->msgdigest_len);
+ ret = -EBADMSG;
+ goto error;
+ }
+
+ if (memcmp(sig->digest, sinfo->msgdigest,
+ sinfo->msgdigest_len) != 0) {
+- pr_debug("Sig %u: Message digest doesn't match\n",
+- sinfo->index);
++ pr_warn("Sig %u: Message digest doesn't match\n",
++ sinfo->index);
+ ret = 
-EKEYREJECTED;
+ goto error;
+ }
+@@ -478,7 +478,7 @@ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen)
+ {
+ if (pkcs7->data) {
+- pr_debug("Data already supplied\n");
++ pr_warn("Data already supplied\n");
+ return -EINVAL;
+ }
+ pkcs7->data = data;
+diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
+index fe1bb374..22beaf22 100644
+--- a/crypto/asymmetric_keys/verify_pefile.c
++++ b/crypto/asymmetric_keys/verify_pefile.c
+@@ -74,7 +74,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ break;
+
+ default:
+- pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
++ pr_warn("Unknown PEOPT magic = %04hx\n", pe32->magic);
+ return -ELIBBAD;
+ }
+
+@@ -95,7 +95,7 @@ static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
+ ctx->certs_size = ddir->certs.size;
+
+ if (!ddir->certs.virtual_address || !ddir->certs.size) {
+- pr_debug("Unsigned PE binary\n");
++ pr_warn("Unsigned PE binary\n");
+ return -ENODATA;
+ }
+
+@@ -127,7 +127,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ unsigned len;
+
+ if (ctx->sig_len < sizeof(wrapper)) {
+- pr_debug("Signature wrapper too short\n");
++ pr_warn("Signature wrapper too short\n");
+ return -ELIBBAD;
+ }
+
+@@ -142,16 +142,16 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ * rounded up since 0.110.
+ */
+ if (wrapper.length > ctx->sig_len) {
+- pr_debug("Signature wrapper bigger than sig len (%x > %x)\n",
+- ctx->sig_len, wrapper.length);
++ pr_warn("Signature wrapper bigger than sig len (%x > %x)\n",
++ ctx->sig_len, wrapper.length);
+ return -ELIBBAD;
+ }
+ if (wrapper.revision != WIN_CERT_REVISION_2_0) {
+- pr_debug("Signature is not revision 2.0\n");
++ pr_warn("Signature is not revision 2.0\n");
+ return -ENOTSUPP;
+ }
+ if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
+- pr_debug("Signature certificate type is not PKCS\n");
++ pr_warn("Signature certificate type is not PKCS\n");
+ return -ENOTSUPP;
+ }
+
+@@ -164,7 +164,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ ctx->sig_offset += sizeof(wrapper);
+ ctx->sig_len -= sizeof(wrapper);
+ if (ctx->sig_len < 4) {
+- pr_debug("Signature data missing\n");
++ pr_warn("Signature data missing\n");
+ return -EKEYREJECTED;
+ }
+
+@@ -198,7 +198,7 @@ static int pefile_strip_sig_wrapper(const void *pebuf,
+ return 0;
+ }
+ not_pkcs7:
+- pr_debug("Signature data not PKCS#7\n");
++ pr_warn("Signature data not PKCS#7\n");
+ return -ELIBBAD;
+ }
+
+@@ -341,8 +341,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ digest_size = crypto_shash_digestsize(tfm);
+
+ if (digest_size != ctx->digest_len) {
+- pr_debug("Digest size mismatch (%zx != %x)\n",
+- digest_size, ctx->digest_len);
++ pr_warn("Digest size mismatch (%zx != %x)\n",
++ digest_size, ctx->digest_len);
+ ret = -EBADMSG;
+ goto error_no_desc;
+ }
+@@ -373,7 +373,7 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
+ * PKCS#7 certificate.
+ */
+ if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
+- pr_debug("Digest mismatch\n");
++ pr_warn("Digest mismatch\n");
+ ret = -EKEYREJECTED;
+ } else {
+ pr_debug("The digests match!\n");
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 152be86..bc3b318 100644
--- a/series.conf
+++ b/series.conf
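Review bot: The upgraded "Signature wrapper bigger than sig len (%x > %x)" message in pefile_strip_sig_wrapper() prints its operands in the opposite order to the check it reports: the condition is `wrapper.length > ctx->sig_len`, but the arguments are passed as `ctx->sig_len, wrapper.length`, so the logged text reads as sig_len > wrapper length. That was easy to overlook at pr_debug(), but at pr_warn() it is the line an operator reads when a kexec image is rejected under lockdown; passing `wrapper.length, ctx->sig_len` makes the output match the test. Separately, every message raised here fires on malformed or unsigned input and none is rate-limited, so if any caller can reach these paths repeatedly `pr_warn_ratelimited()` may be the safer choice; the callers are outside this patch, so that needs confirming. The bodies of the patched functions continue outside the hunks shown.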
@@ -2319,6 +2319,7 @@ patches.kernel.org/6.2.12-089-hwmon-peci-cputemp-Fix-miscalculated-DTS-for-S.patch patches.kernel.org/6.2.12-090-hwmon-xgene-Fix-ioremap-and-memremap-leak.patch patches.kernel.org/6.2.12-091-verify_pefile-relax-wrapper-length-check.patch + patches.kernel.org/6.2.12-092-asymmetric_keys-log-on-fatal-failures-in-PE-pk.patch ######################################################## # Build fixes that apply to the vanilla kernel too.