Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp527445imm; Fri, 8 Jun 2018 00:29:45 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJROrE3ETCOnOdOHDvpiMuYgqRJFM+IYoE/Rij/J5otrs8EBOivIT0EWBLt6S9DGRlKurzh X-Received: by 2002:a63:3c07:: with SMTP id j7-v6mr4237171pga.440.1528442985200; Fri, 08 Jun 2018 00:29:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528442985; cv=none; d=google.com; s=arc-20160816; b=ZZzoVx8Hz4IlWoDi3hMC1dj7ddFW6cTaS+W/ZJoxo52CV3tpnhOFj1QHBH0IGyTNYX F46VJ7QPjQbnRgdvfyPP0WUWf/c61eTor6DbPFae0XIoHNTtkZkve6wErfHmHmjpi4de yCmDeqLLDKv7vDQILvQLkhdahRytyHT7MhEViRO9hoYzBbPJ4tMoHSacsTwyEeJIPMWu ojF3H+xJyIvMG8qWIg/QRk47/jG9PrLuh+RJE844S2nOZNPI3hrCBr781D+b+Ssv7b7N 5H1lLJMp5wL7Ibw7bqGXl9uhteyoSczDnKYCZyyvrwC3cSTtsX08K2GBkA+hw7f6wlOt HQ4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=EmrjnErJ0sZEun0B1kkrJitnE6NbcRULHgThp8X7QXU=; b=q7YDtwR9NxRgXabHhwAonnUDTZvzDSbWmKzMnzzqu5supOdNpb9uxYREBnLIZZoAvo mNucr0h002fo0I6IkIV6J6B6BkMtJg1lsEhvIrrwHlc06pB9uUL7DsStxQWYhSNmbXhy +EglQgieXE37e4UgZU0AeUqYf+optpogshvrnzH8J4XZKn16FxO7J1tN3fr/gCR6cAKH mVfdLW8v7teaxpVQuT/U0NzQSGkxR97vyGKLGZdiycqB0EogxGl6ut9b5L0R/eE8lrPg a/EDwUq6qV4UHrHR2flveeLLSB9OoE7VWpiN38j/PbKz6MASSUWiMDlz/CClrnX7H0/9 V13w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e1-v6si253237pli.576.2018.06.08.00.29.30; Fri, 08 Jun 2018 00:29:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752478AbeFHH3B (ORCPT + 99 others); Fri, 8 Jun 2018 03:29:01 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:58486 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751021AbeFHH3A (ORCPT ); Fri, 8 Jun 2018 03:29:00 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A2985401EF04; Fri, 8 Jun 2018 07:28:59 +0000 (UTC) Received: from dhcp-128-65.nay.redhat.com (ovpn-12-137.pek2.redhat.com [10.72.12.137]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4F4A61C5B2; Fri, 8 Jun 2018 07:28:51 +0000 (UTC) Date: Fri, 8 Jun 2018 15:28:48 +0800 From: Dave Young To: David Howells Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org, David Woodhouse , mathew.j.martineau@linux.intel.com, Laura Abbott , jwboyer@redhat.com Subject: Re: [PATCH] certs: always use secondary keyring first if possible Message-ID: <20180608072848.GA7773@dhcp-128-65.nay.redhat.com> References: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com> <20171214102513.GA2371@dhcp-128-65.nay.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171214102513.GA2371@dhcp-128-65.nay.redhat.com> User-Agent: Mutt/1.9.5 (2018-04-13) X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 08 Jun 2018 07:28:59 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 08 Jun 2018 07:28:59 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dyoung@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/14/17 at 06:25pm, Dave Young wrote: > On 11/18/17 at 12:47pm, Dave Young wrote: > > Commit d3bfe84129f6 introduced secondary_trusted_keys keyring, current > > users of verify_pkcs7_signature are below: > > net/wireless/reg.c : uses its own trusted_keys > > kernel/module_signing.c : pass NULL trusted_keys > > crypto/asymmetric_keys/verify_pefile.c : pass NULL trusted_keys > > > > For both module and pefile verification, there is no reason to use builtin > > keys only. Actually in Fedora kernel module signing code passes 1UL, but > > kexec code does not pass 1UL for pefile verification thus we have below bug > > https://bugzilla.redhat.com/show_bug.cgi?id=1470995 > > > > Drop the hard code 1UL checking so that pefile verification can use > > secondary keyring as well. > > > > Signed-off-by: Dave Young > > --- > > certs/system_keyring.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > --- linux-x86.orig/certs/system_keyring.c > > +++ linux-x86/certs/system_keyring.c > > @@ -229,8 +229,6 @@ int verify_pkcs7_signature(const void *d > > goto error; > > > > if (!trusted_keys) { > > - trusted_keys = builtin_trusted_keys; > > - } else if (trusted_keys == (void *)1UL) { > > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > > trusted_keys = secondary_trusted_keys; > > #else > > Another ping. > > If the (-1UL) is really needed, below file need update to use it > But I think it is ugly.. > crypto/asymmetric_keys/verify_pefile.c Ping again. Can anyone response to this issue? Let me describe more details about the problem: In Fedora kernel there is a patch below which is not upstreamed: https://src.fedoraproject.org/rpms/kernel/blob/master/f/Fix-for-module-sig-verification.patch It has below changes: --- diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 937c844..d3d6f95 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) } return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - NULL, VERIFYING_MODULE_SIGNATURE, + (void *)1UL, VERIFYING_MODULE_SIGNATURE, NULL, NULL); } --- Above change is needed because the verify_pkcs7_signature is doing below: --- if (!trusted_keys) { trusted_keys = builtin_trusted_keys; } else if (trusted_keys == (void *)1UL) { #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING trusted_keys = secondary_trusted_keys; #else trusted_keys = builtin_trusted_keys; #endif } --- The trusted_keys is an argument passed to verify_pkcs7_signature function. We can see that users of this function must pass "-1UL" as trusted_keys to use secondary keyring. This "-1UL" is not documented and it looks a hardcode api. Besides of the module signing code, actually as I mentioned in the patch log kexec/kdump also need passing "-1UL" to use the secondary keyring. But why do we need that hack? If I understand it correctly if use secondary then builtin can still be used, see commit log of d3bfe84129f65e0af2450743ebdab33d161d01c9: If the secondary keyring is enabled, a link is created from that to .builtin_trusted_keys so that the the latter will automatically be searched too if the secondary keyring is searched. So why not directly use secondary in case trusted_keys == NULL? I'm not familar with the certs/keyring code, if I'm wrong please correct me. -- Thanks Dave