From patchwork Tue Feb 15 19:39:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Michal_Such=C3=A1nek?= X-Patchwork-Id: 12747576 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4502CC43217 for ; Tue, 15 Feb 2022 19:40:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243799AbiBOTkq (ORCPT ); Tue, 15 Feb 2022 14:40:46 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:45060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243788AbiBOTkh (ORCPT ); Tue, 15 Feb 2022 14:40:37 -0500 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 926A2DEC8; Tue, 15 Feb 2022 11:40:21 -0800 (PST) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 2966E212BF; Tue, 15 Feb 2022 19:40:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1644954020; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=; b=aKlJB4z2LkeDmU9Wa0mMaGs6IIOIRehwJLlbsagMlfiCcxE4Vmg8XMaKdc69NsJMOTP0kQ 6m3gUONyR41Y1JsLuaRlHdm5T0T5CgDHBD4NKdU5H0EGbKgFCfdFIyPtAQQ9PdZVpMEtkw yrYtZluMYfIUqDwYid34Yoy17UJjae0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1644954020; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=; b=zA2og9PY6JLNwNbmuaeKtddqBDmkioJbLp4aWfNO14CRENxwEHInpG/XdjAayhh6IrPC7d aDUWFnUPxNtd9/AA== Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127]) by relay2.suse.de (Postfix) with ESMTP id E3D36A3B88; Tue, 15 Feb 2022 19:40:19 +0000 (UTC) From: Michal Suchanek Cc: Michal Suchanek , Catalin Marinas , Will Deacon , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Philipp Rudo , Baoquan He , Alexander Egorenkov , AKASHI Takahiro , James Morse , Dave Young , Mimi Zohar , Kairui Song , Martin Schwidefsky , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, linux-modules@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, stable@kernel.org Subject: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification Date: Tue, 15 Feb 2022 20:39:41 +0100 Message-Id: <840433bc93a58d6dfc4d96c34c0c3b158a0e669d.1644953683.git.msuchanek@suse.de> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") adds support for use of platform keyring in kexec verification but support for modules is missing. Add support for verification of modules with keys from platform keyring as well. Fixes: 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring") Cc: linux-modules@vger.kernel.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: stable@kernel.org Signed-off-by: Michal Suchanek --- kernel/module_signing.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 8723ae70ea1f..5e1624294874 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -38,8 +38,14 @@ int mod_verify_sig(const void *mod, struct load_info *info) modlen -= sig_len + sizeof(ms); info->len = modlen; - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; }