Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4017827yba;
        Tue, 23 Apr 2019 13:36:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwaax73Mw50Kwx4uZVuS8YInXb2eiQCOYAsxagpurqv+YuZbq8bP1pXz9c0uPD6cNLpCRTG
X-Received: by 2002:a62:b40b:: with SMTP id h11mr28112546pfn.133.1556051774780;
        Tue, 23 Apr 2019 13:36:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556051774; cv=none;
        d=google.com; s=arc-20160816;
        b=c33EAD7qYo+F/2886CDLNRPMyXBCzGRdE95MIeVp1GEvQeHSWt5P/iNfbXSBAYslHN
         8X5HX6EiolZSUwxjxv/WzipUqLYFQPXaIYzBHqeS0V00le0rO7UQXxgPkeItKp+Ss4yx
         mrOjRYcgQ54Q6MRLgok/06oC/mEvw47u/MjZ2bhxK6SCHFkQbbORa9PpS+4MGzNjd6p1
         l5qD4zE6TG8vRoL/j5eff2H7FnbStKYk2xNf4pyLOREiOlkfuYSGciVkIRgLxVvSTvLY
         NWcfK9Renb/bBxRJvRnaqJ0qW95MtdI25nburff5xP+RfIS1R4NAIc4jpWEWJodsPsG3
         20WA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=SSXbNoXGqWoJXmVkjY4J8BdqcDyiYoaYgibAdwlaYHk=;
        b=Gyx7UdZT1CQDxJp7+r8nsz2fKbhLQ9NUswzHT81HySpfzypyGx8NuHALliif8DoQs2
         IT+T27EAJSSfEvGTjJ3lyrjhndgwQJbTt03SBm0FWMSswkJVkQ7YYfqF/a2nM0oMZcX8
         CwrnDMF2YtNgmJQcb2LzspeWiLkwazmHov9n6vt/sc2//tib84dAaPeDVa7Wl9g4s8rM
         gOQoQImJlhqIMS19EQ2bAutxQk+t2uX7zUF1zUkQmIRFn4VJdJfycsyEVrdHJafW3GaL
         QEH1qQMuJ/IG1r7VJVRmeQ/AJzHe+CvdEuuEPIaalsLV1ucdnAvYrszbUwFmze/XfphA
         iWng==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f9si15126395pgv.475.2019.04.23.13.35.59;
        Tue, 23 Apr 2019 13:36:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727229AbfDWUfI (ORCPT <rfc822;rmelvin.vger@gmail.com>
        + 99 others); Tue, 23 Apr 2019 16:35:08 -0400
Received: from namei.org ([65.99.196.166]:35440 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726029AbfDWUfH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Apr 2019 16:35:07 -0400
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x3NKZ2o0016312;
        Tue, 23 Apr 2019 20:35:02 GMT
Date:   Wed, 24 Apr 2019 06:35:02 +1000 (AEST)
From:   James Morris <jmorris@namei.org>
To:     Robert Holmes <robeholmes@gmail.com>
cc:     jeyu@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
In-Reply-To: <1556005169-4139-1-git-send-email-robeholmes@gmail.com>
Message-ID: <alpine.LRH.2.21.1904240626430.9705@namei.org>
References: <1556005169-4139-1-git-send-email-robeholmes@gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 23 Apr 2019, Robert Holmes wrote:

> This patch completes commit 278311e417be ("kexec, KEYS: Make use of
> platform keyring for signature verify") which, while adding the
> platform keyring for bzImage verification, neglected to also add
> this keyring for module verification.
> 

You should most likely add the keyrings list to the cc: for these kinds of 
patches.

> As such, kernel modules signed with keys from the MokList variable
> were not successfully verified.
> 
> Signed-off-by: Robert Holmes <robeholmes@gmail.com>
> ---
>  kernel/module_signing.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/module_signing.c b/kernel/module_signing.c
> index 6b9a926fd86b..cf94220e9154 100644
> --- a/kernel/module_signing.c
> +++ b/kernel/module_signing.c
> @@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
>  {
>  	struct module_signature ms;
>  	size_t sig_len, modlen = info->len;
> +	int ret;
>  
>  	pr_devel("==>%s(,%zu)\n", __func__, modlen);
>  
> @@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
>  		return -EBADMSG;
>  	}
>  
> -	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_MODULE_SIGNATURE,
> -				      NULL, NULL);
> +	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> +				     VERIFY_USE_SECONDARY_KEYRING,
> +				     VERIFYING_MODULE_SIGNATURE,
> +				     NULL, NULL);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> +					     VERIFY_USE_PLATFORM_KEYRING,
> +					     VERIFYING_MODULE_SIGNATURE,
> +					     NULL, NULL);
> +	}
> +	return ret;
>  }
> 

-- 
James Morris
<jmorris@namei.org>