Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1183341pxb; Wed, 6 Apr 2022 10:42:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyCBnP/5SC1Ff6Lk2yP8rxIeXdJ8lijzfPYjS7LIeFm469ai4pfufk/3oOu678aGXHs+V0S X-Received: by 2002:a17:902:b948:b0:153:9994:b587 with SMTP id h8-20020a170902b94800b001539994b587mr9812921pls.68.1649266945252; Wed, 06 Apr 2022 10:42:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1649266945; cv=pass; d=google.com; s=arc-20160816; b=Qst3ZV91dBlkGWT53xO2OhQgzHh1hrmqkPIE1mpXxKYJS8iCqDVB84t9e4jvhkVYLy AKLU3e2KpD2stwGtcta+ihNLHAK/oASWcbdXaHklEdOUMYkHT+ztTio2G01vj/H0A3V/ IAaCxRdOgPsM7e2SKZe+fTTEq+XIQEl+NjDkJRUmTSIoy3kb5HhYozT7bcfdWXA/mS5G YkJ6/ufv2Zhtzep1LrnwylNB4D/2PBSW7JW5xl7VkmEO69jVj51BdaG/WApczY/DEPrc V3wQ93jc7oyLRCmeBoze52Zvqc51ryQYT2d+1pf8Zt56+BPRDZ4QgNvJBGdiDJxwrCMv /t0Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:in-reply-to :content-disposition:references:message-id:subject:cc:to:from:date :dkim-signature; bh=Kc8CRbZjWWFNq3yUrHt8iTG6oax4BgdV/OMmdCABUtw=; b=Dyfga0cKw7H2f5e+wJhA20wfC7NEmccgQ3IvzGyS6QqsoDthTWo5m2YZQaYmVSHU+J ygDZMwWRD0PBcF8L6JKiMpfwwWtr35y0LDh27N0J/HFyyJWdSh9mfYh8pTungAQ9obX1 0CWQxmOctMhSAUmSOZzlf4Yss4pljJ3FBE7wkAX00MNcNgfeoTYE00Fd7lC6qB6VSNis CHJoBSjBd0PaxaQe8GahK4myvHjS/IkC/bTndkwLJqSq54QOLPpCoIgvzUzVNUHbzMNF 4dEFZ+KI1ujs0Cwuggfip8ARpZx2I5bTjRdqXlew8ZW3gYcbNdSNlbjQTb3sEF1kG9nd +eVQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@suse.com header.s=mimecast20200619 header.b=N3ZryaTr; arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com); spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id i9-20020a170902cf0900b00153b2d165d3si15411202plg.475.2022.04.06.10.42.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 10:42:25 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=mimecast20200619 header.b=N3ZryaTr; arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com); spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 1CF69196D51; Wed, 6 Apr 2022 10:37:11 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239194AbiDFRiw (ORCPT + 99 others); Wed, 6 Apr 2022 13:38:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45368 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240155AbiDFRiU (ORCPT ); Wed, 6 Apr 2022 13:38:20 -0400 Received: from de-smtp-delivery-102.mimecast.com (de-smtp-delivery-102.mimecast.com [194.104.109.102]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4BBF334B90C for ; Wed, 6 Apr 2022 08:47:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=mimecast20200619; t=1649260020; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Kc8CRbZjWWFNq3yUrHt8iTG6oax4BgdV/OMmdCABUtw=; b=N3ZryaTrnrrHGUWxB9rouoHHdYDFAfEIzQTPE+SUI81mUMl07rVjPSW4BkRv7b62zheMl/ 5ewvzaeP2XwEccHmhMUpUNr0slVWi7tbIfGPljE1KuhKAQBeIUsezQPOV58SL1EQtUBDDN lU+NtxzdWCIlVOQxiyW1PO6yenorQ8w= Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02lp2052.outbound.protection.outlook.com [104.47.5.52]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id de-mta-31-dD9XrEghMiKpNWbNYZ2PLA-1; Wed, 06 Apr 2022 17:46:57 +0200 X-MC-Unique: dD9XrEghMiKpNWbNYZ2PLA-1 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QPh55zBV0oFyL5pfau4fhHAcnoVi4lqmUDVSWUVnrqQaWFKWISYOXpSHUXBzB4jOFIeLCcjy1bc/rVIbb13XXdxDv2HhqRBDTMdMy6GZjBX5BxJj4qsYnyfUuPjvhCtUm5v37D791dVyDcBtXZElNrdSsUiDR2/YjJV9iajb3Ot5kvZIIiwT9paaApkhluIhIYqXMmdMqR7Dyd0bPdtbDrcFMZyn7Tk6BYtFN6sRvCmoCrIG5Isjxq26kXfe6tLUkJgjfpQKMIF5K71bRcmZfIJ0urFb/VDxYISFAx/sbfkyoAF7GrSokJziaxRFnLR1PZ9Fkuui70rOxTK9pMb82Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Kc8CRbZjWWFNq3yUrHt8iTG6oax4BgdV/OMmdCABUtw=; b=A2l7Gy5I8uioAE9wPCxs8axaNmmHTcSPxM+PTQFudvG7QzpanP1zN94WTPAE/raM7BXQJt2f5o8a6iJr8kev6Czg0uUnZGshJsHRIGROVLoZEEBGlz/C0GXo73LjbMC50jPYa5bn2TrfwXbp2bzn7feTAe1zlJyg25X5+5ewfljRwE4uxnMx1Mrhloulj2s4petSsQ6KP1c4DRmT77KvJiiQHmDRHEKfV6Od5L01TR4UTi8F+X1WfWM+Bk0oPk2wKnm2KeXNlr3YLcZi0XN02BYgWwYhzR+Q47reB8KynsRlEBnqomuwvPpLojVBZ08v/yhGZaH0XULdhq3IXMKGPg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com; Received: from DB8PR04MB7097.eurprd04.prod.outlook.com (2603:10a6:10:12a::11) by AM6PR04MB4070.eurprd04.prod.outlook.com (2603:10a6:209:44::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31; Wed, 6 Apr 2022 15:46:55 +0000 Received: from DB8PR04MB7097.eurprd04.prod.outlook.com ([fe80::8d7a:5d52:e592:9227]) by DB8PR04MB7097.eurprd04.prod.outlook.com ([fe80::8d7a:5d52:e592:9227%9]) with mapi id 15.20.5123.031; Wed, 6 Apr 2022 15:46:54 +0000 Date: Wed, 6 Apr 2022 23:46:38 +0800 From: joeyli To: Michal Suchanek Cc: Catalin Marinas , Will Deacon , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Philipp Rudo , Baoquan He , Alexander Egorenkov , AKASHI Takahiro , James Morse , Dave Young , Mimi Zohar , Kairui Song , Martin Schwidefsky , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, Philipp Rudo , kexec@lists.infradead.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, stable@kernel.org Subject: Re: [PATCH 3/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification Message-ID: <20220406154623.GN11641@linux-l9pv.suse> References: <9f8b71f368843568d7dd6764f8c8a68b1f3a9bbc.1644953683.git.msuchanek@suse.de> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9f8b71f368843568d7dd6764f8c8a68b1f3a9bbc.1644953683.git.msuchanek@suse.de> User-Agent: Mutt/1.11.4 (2019-03-13) X-ClientProxiedBy: HK2PR0302CA0021.apcprd03.prod.outlook.com (2603:1096:202::31) To DB8PR04MB7097.eurprd04.prod.outlook.com (2603:10a6:10:12a::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: d418655b-d94b-40da-3613-08da17e4acd6 X-MS-TrafficTypeDiagnostic: AM6PR04MB4070:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 3oE5NtWLJA5d7LHL69odBtux0PpOeNK7KBNPmFqDLYk8U8vg57/CPANNDcc0KaOhi1dWPyqb1ZFpfp5E0VVYVs2joZlMSv/RPpnf3EVeNhD7JyXKlheQldVyBsUBOhGKuoY9Xnixbd2CYpPvfifCeq/BGPqrs1I252nvKzSkMvkky/m1Mkv52amy0lNviMrurDSEzfqym/99an2t1nJ5123uq6nyhKXUwXftriul3+wQkWmyzXiRjgvNxuAcNySm1ZI3HpZzNV+vDUnz5B4QXUitHQUwaF1Tm+BzbhaoH5Irocd4zLOl/1r/iT+K8NPsPox9aCV8dbbaSGfBAyObzSfv45tLAkkqwa9aMLMSFkMm6uzI229uSTU8yt0SErU23LO408qHhqvRHYD96lTEP+owQtWN/5KdW0e+x39htL4gNmz8K3TwDisvyod9hGTMTPLoGWe7pawyptQe5HkT8iGdKnYPH72R6DG/xf+56KjtcnLEFpR/Aod1aZiylYiw37JkGLScYVnPpuS+I4oeOWJmLmFwn2fOUP2TAf9Is5iOcdVIJgk1GILF82dZdjU5zhv5asRoKleLbPCKQ3JZ0JzaJQZtyf6y8J3plp3H5ZM/5zz8AUikteIj9lQkAq1HCXx1u2dJ6Qe4PaNOrNaPjttH9TQRsJA714rApZGSxhXbuP3FgAdvd0+oRAwWDP7m1I2EwvSU/og4NTKb59cEDg== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB8PR04MB7097.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(26005)(36756003)(83380400001)(33656002)(1076003)(2906002)(186003)(15650500001)(66476007)(7416002)(508600001)(6666004)(5660300002)(8936002)(6916009)(6486002)(6512007)(54906003)(9686003)(4326008)(316002)(86362001)(6506007)(66556008)(8676002)(38100700002)(66946007)(43062005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?molW7i6Yc2b/xuiNoCt/+4aXhvGAjEAM6PlvFs/9uIMZKoGKYRc9t2GrjY/J?= =?us-ascii?Q?Os1OvpGc3RCHyxBeGkJf0EAa8gcEhZcTUZ2x83Ao5pgFMp9pJgYAUQXGFnaj?= =?us-ascii?Q?oTXjtoUgfDISuBi3BiAAO5f1LbeZOQ+k7C8N0ln7JY2uLgK8taynFvqTqmc5?= =?us-ascii?Q?glK5fFbvu/p/XF7/0RDatNRIDrLYhzt2AucOmfH4aQdu3yE6FTZtb1uVJm41?= =?us-ascii?Q?j7jhIHiH6qIOdAi+hQ2XCDE9pKjOwuaFYfyB6mAVxuDsinXDxqMzMytsNKV2?= =?us-ascii?Q?+V/7HvrAIiOW/cDe56Mu+hxceyBXaP8a8p2hTpLD2359ekeaFoIe8jAja6iU?= =?us-ascii?Q?KrX+Jund1iTDThWt2mgV2OHa7KZvPoZJz8ulVid+vzwFgQhj65l0O1flO/jr?= =?us-ascii?Q?Iz5YSmnmhBkdfDMDNciCmChg9yMMDuKL/3u9vM6ZCxfTA7ql+5MvasvVdRhN?= =?us-ascii?Q?jgWFNCj1w5OIWfHKCAphiU3fDYgDN4/wFr15qCTCfeS8MSzDn4TXrP9zGlUH?= =?us-ascii?Q?hrgi3nyWm+4ItD6swtdHpLy1s9kFix9bCpebL6hLYqWFcaFqxh+blwom5h1G?= =?us-ascii?Q?bj3b1rf98OyzkEQmQdBEwvdYKJG/SI0F35TPsocCtIfg8TIdu8ilGmeLSCKs?= =?us-ascii?Q?x+sY35ELqZDsIdH8ewnmvsHrjeP5jVzqZjgavuvk0G/fQ8o9FJhlsOAgr5kE?= =?us-ascii?Q?B/VJphYyWDs/0dS5SWqqDpwGLSeil/FntSUacL0iUtGJ5HdnCSn8toVkOFSC?= =?us-ascii?Q?vlXjac1NTgitPy+v5NPlEgCuDWWyVjjvXiJPPDsdeVwqc5/ITlkPJDKCeXlc?= =?us-ascii?Q?TATSYfOsJP2npFWcHBwP2pSJNwEj1hXeLxYfahYps6PfGG5cB3Wkmjz3IPsE?= =?us-ascii?Q?o/3LvfIhBfXXpTNEndxWG8DqgoUTt1gBswHwWKMwn1pV65IXaYlZ6UO+YN+2?= =?us-ascii?Q?wIYnEkcTyvqrZ7QVZ7X20LsWQVZ58CPbbWQiEFi4IRxQ8MeMvgciWMEi4cDR?= =?us-ascii?Q?Bz+o2pvU9wUFROvLUM7k5M6EH4+VDyn4FO2jahNl/pGqaOOKWLaA31mLDXdJ?= =?us-ascii?Q?skRB+qH+9YQpwEt6dJbwk7IHT1mNuQf5/AD6JWYI3fJDKjOVtvQuvrjtQ5Tw?= =?us-ascii?Q?pT0+lFvoZ6CYXtwTOxSn17+zursritgq2CKkjqEBEBDsq33iwaCyhF2prf9v?= =?us-ascii?Q?FDsYHEiesEz9a1RhWXdVKn8VMR5GzHnT/4bG0AEcWkvleqrLni/JrfEHPdna?= =?us-ascii?Q?4yfyK4sGJZcI7Dudn0m1zWZ1tJAQIbpQUbI4X/vvFbx4Srr+XyrcGvS8flSO?= =?us-ascii?Q?2+E6OIHVN0maUuMpaLaOUF0K4xl54RzJqk4qb1MVyoTxRiO2RUhI1ROyzrm1?= =?us-ascii?Q?ktYZ3E6alPX0mltRetUn177UCUcDt3YvOerNKVXlH99B2W5W2FWFT2v7jzEm?= =?us-ascii?Q?t2Jd7aRaFZhmOBRfo7uggNWJHGrlY4hjpvbZT1cmIS8jzBmoX61JsIxtlain?= =?us-ascii?Q?IFZe9PyCKi7ezxuC11Oz9HEIFdassb0oOdhWQUQtVf2gz0VC7SBuxNfgO7W3?= =?us-ascii?Q?KxTWtvbHYQXt9lqIS45hgsUzX9/4ieu8MyhbQ+CYEZSghxpipFqFDEHPdPNq?= =?us-ascii?Q?220UQixBjZQ2dteaep/R537xDS+1UlMxYlpMK7GQUPHHleOjinHuF8peFLG7?= =?us-ascii?Q?ohPdnMcnfFBFOY1SbS9ZhsNmdND8O8NoSD+82uMcY8ihPxIfIc2buYF8XD56?= =?us-ascii?Q?sz+dtDCbPw=3D=3D?= X-OriginatorOrg: suse.com X-MS-Exchange-CrossTenant-Network-Message-Id: d418655b-d94b-40da-3613-08da17e4acd6 X-MS-Exchange-CrossTenant-AuthSource: DB8PR04MB7097.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Apr 2022 15:46:54.8548 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: eJ3baT0gVQR7UQUTVkMOB4IF2SJERARr/3wgeeelnU056DyPCMAi8xaMjUhetMiw X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR04MB4070 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 15, 2022 at 08:39:40PM +0100, Michal Suchanek wrote: > commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype") > adds support for KEXEC_SIG verification with keys from platform keyring > but the built-in keys and secondary keyring are not used. > > Add support for the built-in keys and secondary keyring as x86 does. > > Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype") > Cc: Philipp Rudo > Cc: kexec@lists.infradead.org > Cc: keyrings@vger.kernel.org > Cc: linux-security-module@vger.kernel.org > Cc: stable@kernel.org > Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" > --- > arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++----- > 1 file changed, 13 insertions(+), 5 deletions(-) > > diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c > index 8f43575a4dd3..fc6d5f58debe 100644 > --- a/arch/s390/kernel/machine_kexec_file.c > +++ b/arch/s390/kernel/machine_kexec_file.c > @@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) > const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; > struct module_signature *ms; > unsigned long sig_len; > + int ret; > > /* Skip signature verification when not secure IPLed. */ > if (!ipl_secure_flag) > @@ -65,11 +66,18 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) > return -EBADMSG; > } > > - return verify_pkcs7_signature(kernel, kernel_len, > - kernel + kernel_len, sig_len, > - VERIFY_USE_PLATFORM_KEYRING, > - VERIFYING_MODULE_SIGNATURE, > - NULL, NULL); > + ret = verify_pkcs7_signature(kernel, kernel_len, > + kernel + kernel_len, sig_len, > + VERIFY_USE_SECONDARY_KEYRING, > + VERIFYING_MODULE_SIGNATURE, > + NULL, NULL); > + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) > + ret = verify_pkcs7_signature(kernel, kernel_len, > + kernel + kernel_len, sig_len, > + VERIFY_USE_PLATFORM_KEYRING, > + VERIFYING_MODULE_SIGNATURE, > + NULL, NULL); > + return ret; > } > #endif /* CONFIG_KEXEC_SIG */ > > -- > 2.31.1