[PATCH] KEYS: Make use of platform keyring for module signature verification
From: Ahelenia Ziemiańska
Date: Fri Mar 31 2023 - 10:31:59 EST
This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.
This key policy matches what's used for kexec.
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@xxxxxxxxxxxxxxxxxx>
---
Notes:
Debian has carried an equivalent patch since 5.3.9-1:
https://bugs.debian.org/935945
https://bugs.debian.org/1030200
in
https://salsa.debian.org/kernel-team/linux/-/commit/0e65c8f3e316d6f0fc30f091dd47dba2ac616529
and it appears the true origin is some version of
https://gitlab.com/cki-project/kernel-ark/-/commit/b697ff5e26974fee8fcd31a1e221e9dd41515efc
kernel/module/signing.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..71d6248cf9ec 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,16 @@ int mod_verify_sig(const void *mod, struct load_info *info)
modlen -= sig_len + sizeof(ms);
info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_MODULE_SIGNATURE,
- NULL, NULL);
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ return ret;
}
int module_sig_check(struct load_info *info, int flags)
--
2.30.2
Attachment:
signature.asc
Description: PGP signature