Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp274400imu;
        Tue, 22 Jan 2019 18:38:12 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4ceI5EyuEI610g6q0VjT9yIjjpr1SeKA2/iNJIfDdJkg32UzP8e/0we+a9SDX+GLYoVDcU
X-Received: by 2002:a17:902:f20b:: with SMTP id gn11mr442273plb.274.1548211092817;
        Tue, 22 Jan 2019 18:38:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1548211092; cv=none;
        d=google.com; s=arc-20160816;
        b=dtLrspK5sqK7DW8hK+psMISoBoAaz6SKMn4MEtVLNzW66RTRuZ2XTSK0cfvDY9f8TY
         pTohQ7EVN7FKbSWJX4KwtI7c4M1d0Z1JfkoO3cbeqz2j5WbQe4VyoPtllAZ7SnspGjrh
         m9ztI7bWZtBOTbvPJ0jd2EMe06H9w/LZXc/iGG2KkuCBsySH6Ga5OFX8JNvRhiBaoseA
         xTXpQpXk4ov8kMqer7NPgEPfOfth1SuhA0HJJqgK98JwSneZZNBbpDbIBb+Ohulp35O8
         dRaYTuF4IWQjwMB6t/czhzi5ojDEpigoGV6FC+8XDEco6mEW5k527q8wWVkWistncpvT
         0gtQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=6AuBYP3gzT3hXKkVpqqADBmcII4pxVcCGMOb/r0wwo8=;
        b=r3QgeXmqWoyJcYduUxa8aZl5s127GBFhGZdz05jT9f4IRZhPX01joqJr0Ftk+eDAew
         ctjUY1Bfk1CT2fbvIQy7Ykn7vnYzyY1cttKcs7xxTjy7t1/kVqNntoJDUPWv64Gsw34s
         5G44jM6lI/R3LVTOvvVEJylhHlfMKoJi5+F1OoXRabs9oBWuIiBffoRzs/QmzguTa5sB
         MYd1au5Zfl/ZeaNmre/c1pcD6y7qssA/Li5hmPj96cp0FmjIj58FCHMYLN4AqUCQFTjF
         urfJoiImcueSPFFsTltPuu97dQkbqQdx38y5oW/B16IFbBTehzSpevmk9VWtbu4WNQhQ
         hHwg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v25si16782531pfg.135.2019.01.22.18.37.43;
        Tue, 22 Jan 2019 18:38:12 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726972AbfAWCft (ORCPT <rfc822;chauncqc@gmail.com> + 99 others);
        Tue, 22 Jan 2019 21:35:49 -0500
Received: from mx1.redhat.com ([209.132.183.28]:57822 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726931AbfAWCfs (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 Jan 2019 21:35:48 -0500
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id CBA0B83F40;
        Wed, 23 Jan 2019 02:35:47 +0000 (UTC)
Received: from dhcp-128-65.nay.redhat.com (ovpn-12-52.pek2.redhat.com [10.72.12.52])
        by smtp.corp.redhat.com (Postfix) with ESMTPS id 026E15D6A6;
        Wed, 23 Jan 2019 02:35:41 +0000 (UTC)
Date:   Wed, 23 Jan 2019 10:35:37 +0800
From:   Dave Young <dyoung@redhat.com>
To:     Kairui Song <kasong@redhat.com>
Cc:     linux-kernel@vger.kernel.org, dhowells@redhat.com,
        dwmw2@infradead.org, jwboyer@fedoraproject.org,
        keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com,
        zohar@linux.ibm.com, bauerman@linux.ibm.com, ebiggers@google.com,
        nayna@linux.ibm.com, linux-integrity@vger.kernel.org,
        kexec@lists.infradead.org
Subject: Re: [PATCH v5 2/2] kexec, KEYS: Make use of platform keyring for
 signature verify
Message-ID: <20190123023537.GA5591@dhcp-128-65.nay.redhat.com>
References: <20190121095929.26915-1-kasong@redhat.com>
 <20190121095929.26915-3-kasong@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190121095929.26915-3-kasong@redhat.com>
User-Agent: Mutt/1.9.5 (2018-04-13)
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Wed, 23 Jan 2019 02:35:48 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 01/21/19 at 05:59pm, Kairui Song wrote:
> This patch let kexec_file_load makes use of .platform keyring as fall
> back if it failed to verify a PE signed image against secondary or
> builtin key ring, make it possible to verify kernel image signed with
> preboot keys as well.
> 
> This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
> VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
> should verify the signature using platform keyring. Also, decrease
> the error message log level when verification failed with -ENOKEY,
> so that if called tried multiple time with different keyring it
> won't generate extra noises.
> 
> Signed-off-by: Kairui Song <kasong@redhat.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 ++++++++++---
>  certs/system_keyring.c            | 13 ++++++++++++-
>  include/linux/verification.h      |  1 +
>  3 files changed, 23 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7d97e432cbbc..2c007abd3d40 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -534,9 +534,16 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len,
> -				       VERIFY_USE_SECONDARY_KEYRING,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	int ret;
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
>  }
>  #endif
>  
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 4690ef9cda8a..7085c286f4bd 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len,
>  #else
>  		trusted_keys = builtin_trusted_keys;
>  #endif
> +	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> +		trusted_keys = platform_trusted_keys;
> +#else
> +		trusted_keys = NULL;
> +#endif
> +		if (!trusted_keys) {
> +			ret = -ENOKEY;
> +			pr_devel("PKCS#7 platform keyring is not available\n");
> +			goto error;
> +		}
>  	}
>  	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
>  	if (ret < 0) {
>  		if (ret == -ENOKEY)
> -			pr_err("PKCS#7 signature not signed with a trusted key\n");
> +			pr_devel("PKCS#7 signature not signed with a trusted key\n");
>  		goto error;
>  	}
>  
> diff --git a/include/linux/verification.h b/include/linux/verification.h
> index cfa4730d607a..018fb5f13d44 100644
> --- a/include/linux/verification.h
> +++ b/include/linux/verification.h
> @@ -17,6 +17,7 @@
>   * should be used.
>   */
>  #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
> +#define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
>  
>  /*
>   * The use to which an asymmetric key is being put.
> -- 
> 2.20.1
> 

For kexec_file part

Acked-by: Dave Young <dyoung@redhat.com>

Thanks
Dave