Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3195804imu; Wed, 7 Nov 2018 06:39:18 -0800 (PST) X-Google-Smtp-Source: AJdET5f3juzEWw2Tn4RaNAIe7WMnEdrpHAH7Xayq8enj3WP+IZFIQHRcjZbxsbYNi1/QKMXMr9wm X-Received: by 2002:a17:902:9346:: with SMTP id g6-v6mr478585plp.148.1541601558368; Wed, 07 Nov 2018 06:39:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541601558; cv=none; d=google.com; s=arc-20160816; b=IMWCzVD8fXldYpiIFbQ2iNBQ4bcX+qYl0TgBiIlU7CZa6Dl/ncmdxUr5S3cW7bnn+3 VsduyUwvFMMRXrCn13Cl7UohMKvn3mZXkP6cn+E4pLWRtBXKS3Hwq/zC87Yp7/rrqJEG Zf1wS28g7RGVoYuUE/T8YoRoKzio4GfevgCeSuDAPYQkG6MCzxhNwyjxA/6vFWwO17sc E/Q4W5CnlAAoAJNKePrC0th7DR8Otcj7XJcPn5wHgtc4sgycqvvbjvOZwhHHLvwPjKFw 6rULh5C1qJ0I0P4bOu3yN9tWHgAb7hBo8+Cb/HZtn1MWlhBpWeb5i9aUUOVEzWZ+Qks7 6OEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=5EMoNRbZS8byhlrVIzHaCrrEp8U6CBXdopWKhlpWhlg=; b=H4eWT6+0lEg+D1Rje7puK430LM+I1P9w/pdx+lHTDD5c6QBN/rYNSZg3Dk4BPMfrMq bkojmVfLFekXIz6evADdnsfzTy+IhqLCzlUZtpBWZEIpDV+Agbbmes7tZk8ogMbayxL8 O9JsB71FCAlNm1NYH96kF/fj3+Qbjde9qvAKNNZmfGl3QWp2Mc/AKGNAsis3JojDWxZg vWT3C/2oi9/RveOh4oOsW9aCaYMzaY5iGD7fyWqY6ZZx6vKb9VmB/i+YInKo7X0Gk8Nx FryLH6kWdl0+PwUcKE6pQbbgHiz0+VHWA7zojAXZIXVQ1/Wozh9r334+gU7TPwjsG6Fr oIKA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Oz38I4dX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h37-v6si689511pgh.537.2018.11.07.06.39.02; Wed, 07 Nov 2018 06:39:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Oz38I4dX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730888AbeKHAId (ORCPT + 99 others); Wed, 7 Nov 2018 19:08:33 -0500 Received: from mail.kernel.org ([198.145.29.99]:36108 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726752AbeKHAIc (ORCPT ); Wed, 7 Nov 2018 19:08:32 -0500 Received: from linux-8ccs (charybdis-ext.suse.de [195.135.221.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 27C902081D; Wed, 7 Nov 2018 14:37:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541601475; bh=Uhhz85+fb48saS+inscMZIOvBce3D0inWWQwMnEk9Uw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Oz38I4dXDsZp9Rd+qW0pxoSTyPG21fVOoti71yRJpne68Y2JV6eBxPsl2aAbB5tgE Xkj8LUbvYV9H3fDnQxNvh1STUrLxdvnXzSTXXBu3oBhOFKCwRyoW8lgsu9i+2cKiVy GQihRh1Px5gQrp9hkc38YLOhYHom2FaskMyS7CgU= Date: Wed, 7 Nov 2018 15:37:51 +0100 From: Jessica Yu To: Ke Wu Cc: dhowells@redhat.com, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] modsign: use all trusted keys to verify module signature Message-ID: <20181107143750.GA26862@linux-8ccs> References: <20181022222614.41016-1-mikewu@google.com> <20181106232130.33932-1-mikewu@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: X-OS: Linux linux-8ccs 4.12.14-lp150.12.22-default x86_64 User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +++ Ke Wu [06/11/18 15:23 -0800]: >Thanks for the comment! I switched to use >VERIFY_USE_SECONDARY_KEYRING, please take a look. Patch has been queued on modules-next. Thanks! Jessica >On Tue, Nov 6, 2018 at 3:21 PM Ke Wu wrote: >> >> Make mod_verify_sig to use all trusted keys. This allows keys in >> secondary_trusted_keys to be used to verify PKCS#7 signature on a >> kernel module. >> >> Signed-off-by: Ke Wu >> --- >> Changelog since v1: >> - Use VERIFY_USE_SECONDARY_KEYRING rather than (void *)1UL >> >> kernel/module_signing.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/kernel/module_signing.c b/kernel/module_signing.c >> index f2075ce8e4b3..6b9a926fd86b 100644 >> --- a/kernel/module_signing.c >> +++ b/kernel/module_signing.c >> @@ -83,6 +83,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) >> } >> >> return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, >> - NULL, VERIFYING_MODULE_SIGNATURE, >> + VERIFY_USE_SECONDARY_KEYRING, >> + VERIFYING_MODULE_SIGNATURE, >> NULL, NULL); >> } >> -- >> 2.19.1.930.g4563a0d9d0-goog >> > > >-- >Ke Wu | Software Engineer | mikewu@google.com | Google Inc.