Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1796858imu; Tue, 6 Nov 2018 04:36:37 -0800 (PST) X-Google-Smtp-Source: AJdET5f26s3w+PZvD7wQYY/RSJD4t1JJ8NU9IaTNjEqF5pMWWKlL7pRSw1Y73St6yITttWc+DfyJ X-Received: by 2002:a63:4745:: with SMTP id w5mr24132599pgk.377.1541507797535; Tue, 06 Nov 2018 04:36:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541507797; cv=none; d=google.com; s=arc-20160816; b=K8cBEig7tDipuFJFLy5aONnjISBT8gygwQlyIE1zhVpm4fqIpEa6ctBaOuqBTO7Qdf b347N9w6NuCYkOGg75Wfffs9/vSsn1thCqp2CrRg5t/4YcU6OOEUnUUVJ7/Jk4I/NaWk B/AojcxKEIeX8ECtz6mERXFvEw9Zopx4JKTDCTP0izrEJov1OCWK4Tx75Scq3Zwaaq3E c0ovZczxabDZo/O65Vj18Ww8zN4RAJLbSgEFrv+8maaqRsvus6BQyqCwH/PQ61xdk3iF H8oV7oT/ZeEbKiTRHFtWvp9JsyHBvHVsUMStjy3ZX1wuJc3aQomX5Mx7B7UVa2gU3z5K OUZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=Uc7rQUzq3I/uoZstKoTzmznr9ORcx12eyRuQd59g1hc=; b=i6uD/8ILx7LZ0JI/ogyGAPSQaxljqJ2d4+onqc8kCH2oF3seT92jcE54OrsZxaO2vA Eont5I34tjpXv1l/he5PudEbbNk8OgTyAI9KZqrjCC61UqwE+hTl5cFydDYnVMljCcx1 ZhR39oYjelUisq5ks9zp+gmQ1nHwIlOSXBV1kbLPSF+VMXxx62zbsVl4EcqpAg9wTPeF /vu5wH45b9AJn43oNuZZ+aqKyPdH/7o7TF0ef3Ptl5JMUTYMtnmm3lB6GGNfr3dqNEpy oTa5EawzZZAZDSIHL/0cJDS4Qf5GqFl+gIHiTmGOogfEqhVTbu3HRO8C2q91OKDfkAv9 Zgvw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yQydLxYt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v69si36617467pgb.3.2018.11.06.04.36.21; Tue, 06 Nov 2018 04:36:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yQydLxYt; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387910AbeKFWAq (ORCPT + 99 others); Tue, 6 Nov 2018 17:00:46 -0500 Received: from mail.kernel.org ([198.145.29.99]:48868 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387704AbeKFWAq (ORCPT ); Tue, 6 Nov 2018 17:00:46 -0500 Received: from linux-8ccs (nat.nue.novell.com [195.135.221.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D60962085B; Tue, 6 Nov 2018 12:35:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541507745; bh=D5eiSkrbMck53qRKWNhEaa5TUUz6vLOwfR5xPG4uIl8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=yQydLxYtJmDJ4WX2iT8AdRNHLam421ebq/r6z4wrGEzZqAXzTbE1d0PnPdQLZsk5x iiDMptXzUk+r9JCwoRgobzBwwrvVb8JXwwqIhmVqG13l66wEbcMDhPIJhkNpgAAJ+t emOLsgciLIXEnl6fwaDTYmAhvTbTN6ELLsDqeaUw= Date: Tue, 6 Nov 2018 13:35:40 +0100 From: Jessica Yu To: Ke Wu Cc: David Howells , linux-kernel@vger.kernel.org Subject: Re: [PATCH] modsign: use all trusted keys to verify module signature Message-ID: <20181106123540.GA20115@linux-8ccs> References: <20181022222614.41016-1-mikewu@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <20181022222614.41016-1-mikewu@google.com> X-OS: Linux linux-8ccs 4.12.14-lp150.12.22-default x86_64 User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +++ Ke Wu [22/10/18 15:26 -0700]: >Make mod_verify_sig to use all trusted keys. This allows keys in >secondary_trusted_keys to be used to verify PKCS#7 signature on a >kernel module. > >Signed-off-by: Ke Wu >--- > kernel/module_signing.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/kernel/module_signing.c b/kernel/module_signing.c >index f2075ce8e4b3..a8b923ba1a39 100644 >--- a/kernel/module_signing.c >+++ b/kernel/module_signing.c >@@ -83,6 +83,6 @@ int mod_verify_sig(const void *mod, struct load_info *info) > } > > return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, >- NULL, VERIFYING_MODULE_SIGNATURE, >+ (void *)1UL, VERIFYING_MODULE_SIGNATURE, > NULL, NULL); > } I've just stumbled on commit 817aef260037f ("Replace magic for trusting the secondary keyring with #define"), so we should probably use VERIFY_USE_SECONDARY_KEYRING in place of (void *)1UL. Thanks, Jessica