Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp586324pxb; Tue, 15 Feb 2022 22:58:32 -0800 (PST) X-Google-Smtp-Source: ABdhPJwwKTI10pO5LFUtO90YeO/JmVZ9/ainjNPM55X2IqMY6ETKyhOByK3KYK6rFkl84SLNmWkw X-Received: by 2002:a17:902:a406:b0:14d:61ba:8bcc with SMTP id p6-20020a170902a40600b0014d61ba8bccmr1302857plq.36.1644994712235; Tue, 15 Feb 2022 22:58:32 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644994712; cv=none; d=google.com; s=arc-20160816; b=UZDgY/L3tXrKslI+qelbBLfXKzJz1uJ8o6ZyRp2RZIBge9Bby+HqCP1OHOXdKm6tyQ UgaDsC1nWp7SyONamz1C44B9g2MptKoIaUdEKQIDd1s5yHCs1alNOf3PW+fSl8zMr80Y nxIOI5zGoxz5ahJOZqU9VDOQxfKcWi9uo1O9DGs8CzAe6eSqd/glQEE03tn6rpFt35la IX92RwD7rrY0mL+V7KTAmX3NqWrDbVNRs+rtfPKZvJ5LC9vvAvK437eArwNyOFvcVbS9 bti9DijpfiQvGZxG2gaxMPq+w8ET50OGVYBd+HRXFQC6FXqvxzN11BcndNO/f5Rx26tK iLtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:from :dkim-signature:dkim-signature; bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=; b=HeP5OB4Jpc9i6S1cVsiX0Z9r8FkZicDrcAkxLD29DxVMU/CpfUfKuHQST7/c0/nuvU zr9e740mIGbV4U0q45mITzGDW3+qpkK0pzqxl3+uZDzFqnbOl8s/gw2188njsGB1vR04 gH9LkNTKeqSU4MPlcESmQIJPU8gzWSqCA++BNpz4hva/YIwzxoTloE2LUCRRhivVSm+3 J2a+WE6Ia3PidkLpxCjXJskDNxyRggTgDRzJQ0MT6sNPA0JrtrdH+hg0u5T1EcbgKQbA gz/PMRKbib6i9NHxgV9cOBGtl42Eio/YIIUdlGE9ND3RicTdBCso4qtGIgeYZFoP1wsS MH7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@suse.de header.s=susede2_rsa header.b=aKlJB4z2; dkim=neutral (no key) header.i=@suse.de; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id h16si2608281pfh.345.2022.02.15.22.58.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Feb 2022 22:58:32 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=fail header.i=@suse.de header.s=susede2_rsa header.b=aKlJB4z2; dkim=neutral (no key) header.i=@suse.de; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CD2F0237403; Tue, 15 Feb 2022 22:40:36 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243819AbiBOTkt (ORCPT + 99 others); Tue, 15 Feb 2022 14:40:49 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:45060 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243788AbiBOTkh (ORCPT ); Tue, 15 Feb 2022 14:40:37 -0500 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 926A2DEC8; Tue, 15 Feb 2022 11:40:21 -0800 (PST) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 2966E212BF; Tue, 15 Feb 2022 19:40:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1644954020; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=; b=aKlJB4z2LkeDmU9Wa0mMaGs6IIOIRehwJLlbsagMlfiCcxE4Vmg8XMaKdc69NsJMOTP0kQ 6m3gUONyR41Y1JsLuaRlHdm5T0T5CgDHBD4NKdU5H0EGbKgFCfdFIyPtAQQ9PdZVpMEtkw yrYtZluMYfIUqDwYid34Yoy17UJjae0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1644954020; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=68fQOLkRItMmWbD/0T7ms41beY9KItQEQd86yglltcA=; b=zA2og9PY6JLNwNbmuaeKtddqBDmkioJbLp4aWfNO14CRENxwEHInpG/XdjAayhh6IrPC7d aDUWFnUPxNtd9/AA== Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127]) by relay2.suse.de (Postfix) with ESMTP id E3D36A3B88; Tue, 15 Feb 2022 19:40:19 +0000 (UTC) From: Michal Suchanek Cc: Michal Suchanek , Catalin Marinas , Will Deacon , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Philipp Rudo , Baoquan He , Alexander Egorenkov , AKASHI Takahiro , James Morse , Dave Young , Mimi Zohar , Kairui Song , Martin Schwidefsky , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, linux-modules@vger.kernel.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, stable@kernel.org Subject: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification Date: Tue, 15 Feb 2022 20:39:41 +0100 Message-Id: <840433bc93a58d6dfc4d96c34c0c3b158a0e669d.1644953683.git.msuchanek@suse.de> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net To: unlisted-recipients:; (no To-header on input) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") adds support for use of platform keyring in kexec verification but support for modules is missing. Add support for verification of modules with keys from platform keyring as well. Fixes: 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring") Cc: linux-modules@vger.kernel.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: stable@kernel.org Signed-off-by: Michal Suchanek --- kernel/module_signing.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 8723ae70ea1f..5e1624294874 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -38,8 +38,14 @@ int mod_verify_sig(const void *mod, struct load_info *info) modlen -= sig_len + sizeof(ms); info->len = modlen; - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; } -- 2.31.1