Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
        Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
        Kingdom.
        Registered in England and Wales under Company Registration No. 3798903
From: David Howells <dhowells@redhat.com>
In-Reply-To: <20180111120157.23qceywzi6omvvkb@dwarf.suse.cz>
References: <20180111120157.23qceywzi6omvvkb@dwarf.suse.cz> <151024863544.28329.2436580122759221600.stgit@warthog.procyon.org.uk> <151024869793.28329.4817577607302613028.stgit@warthog.procyon.org.uk> <20180111115915.dejachty3l7fwpmf@dwarf.suse.cz>
To: Jiri Bohac <jbohac@suse.cz>
Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org,
        gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, jforbes@redhat.com,
        Chun-Yi Lee <joeyli.kernel@gmail.com>
Subject: Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <4581.1516120311.1@warthog.procyon.org.uk>
Date: Tue, 16 Jan 2018 16:31:51 +0000
Message-ID: <4582.1516120311@warthog.procyon.org.uk>
Sender: linux-kernel-owner@vger.kernel.org

I think that your code isn't quite right.  Looking at the patched code:

    #ifdef CONFIG_KEXEC_SIG
	sig_err = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
					   image->kernel_buf_len);
	if (sig_err)
		pr_debug("kernel signature verification failed.\n");
	else
		pr_debug("kernel signature verification successful.\n");
    #endif

	if (sig_err && IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
		ret = sig_err;
		goto out;
	}

If the signature check fails because the signature is bad, but
CONFIG_KEXEC_SIG_FORCE=n then it now won't fail when it should.

If sig_err is -EKEYREJECTED, -EKEYEXPIRED or -EKEYREVOKED then it must fail,
even if the signature check isn't forced.

David