From: Ke Wu
Date: Tue, 6 Nov 2018 15:23:19 -0800
Subject: Re: [PATCH v2] modsign: use all trusted keys to verify module signature
To: jeyu@kernel.org, dhowells@redhat.com
Cc: linux-kernel@vger.kernel.org
References: <20181022222614.41016-1-mikewu@google.com> <20181106232130.33932-1-mikewu@google.com>
In-Reply-To: <20181106232130.33932-1-mikewu@google.com>

Thanks for the comment! I switched to use VERIFY_USE_SECONDARY_KEYRING,
please take a look.

On Tue, Nov 6, 2018 at 3:21 PM Ke Wu wrote:
>
> Make mod_verify_sig to use all trusted keys. This allows keys in
> secondary_trusted_keys to be used to verify PKCS#7 signature on a
> kernel module.
>
> Signed-off-by: Ke Wu
> ---
> Changelog since v1:
> - Use VERIFY_USE_SECONDARY_KEYRING rather than (void *)1UL
>
> kernel/module_signing.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/module_signing.c b/kernel/module_signing.c > index f2075ce8e4b3..6b9a926fd86b 100644 > --- a/kernel/module_signing.c > +++ b/kernel/module_signing.c 
> @@ -83,6 +83,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) > } > > return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, > - NULL, VERIFYING_MODULE_SIGNATURE, > + VERIFY_USE_SECONDARY_KEYRING, > + VERIFYING_MODULE_SIGNATURE, > NULL, NULL); > } > -- > 2.19.1.930.g4563a0d9d0-goog > -- Ke Wu | Software Engineer | mikewu@google.com | Google Inc.
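
Review bot: The keyring argument of the verify_pkcs7_signature() call in mod_verify_sig() changes from NULL to VERIFY_USE_SECONDARY_KEYRING with no rationale in the commit message and no comment at the call site, although this widens the set of keys that can authorize a module load. The message says only that keys in secondary_trusted_keys become usable. Please add why that is wanted, who is able to add keys to that keyring and under what constraint, and what the argument resolves to on a kernel built without a secondary keyring, so a reader can tell whether module verification behaves the same there as it did with NULL. A one-line comment above the call naming the keyrings now consulted would keep the trust decision visible in the code, and any module-signing documentation that lists which keys are checked should be updated in the same patch.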