| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190425182134.GA7823@laptop.jcline.org>
Date: Thu, 25 Apr 2019 14:21:34 -0400
From: Jeremy Cline <jcline@...hat.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Robert Holmes <robeholmes@...il.com>, jeyu@...nel.org,
linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
keyrings@...r.kernel.org, stable@...r.kernel.org,
Matthew Garrett <mjg59@...gle.com>
Subject: Re: [PATCH v2] KEYS: Make use of platform keyring for module
signature verify
Hi,
On Thu, Apr 25, 2019 at 07:55:50AM -0400, Mimi Zohar wrote:
> On Wed, 2019-04-24 at 14:33 +0000, Robert Holmes wrote:
> > This patch completes commit 278311e417be ("kexec, KEYS: Make use of
> > platform keyring for signature verify") which, while adding the
> > platform keyring for bzImage verification, neglected to also add
> > this keyring for module verification.
> >
> > As such, kernel modules signed with keys from the MokList variable
> > were not successfully verified.
>
> Using the platform keyring keys for verifying kernel modules was not
> neglected, but rather intentional. This patch description should
> clearly explain the reason for needing to verify kernel module
> signatures based on the pre-boot keys. (Hint: verifying kernel
> modules based on the pre-boot keys was previously rejected.)
So the background for this patch is that Fedora, which carries the
lockdown patch set, recently regressed[0] with respect to user-signed
modules. Previously, we carried a patch that added all the pre-boot keys
to the secondary keyring. That way users could add a machine owner key
and use secure boot and lockdown with their self-signed 3rd party modules.
Since the pre-boot keys are now loaded into the platform keyring, I
suggested that Robert submit the patch upstream, but since the lockdown
patches aren't upstream perhaps it doesn't make much sense to pick this
up and Fedora should continue carrying it.
[0] https://bugzilla.redhat.com/show_bug.cgi?id=1701096
Regards,
Jeremy
> >
> > Signed-off-by: Robert Holmes <robeholmes@...il.com>
> > Cc: linux-integrity@...r.kernel.org
> > Cc: keyrings@...r.kernel.org
> > Cc: stable@...r.kernel.org
> > ---
> > kernel/module_signing.c | 16 ++++++++++++----
> > 1 file changed, 12 insertions(+), 4 deletions(-)
> >
> > diff --git a/kernel/module_signing.c b/kernel/module_signing.c
> > index 6b9a926fd86b..cf94220e9154 100644
> > --- a/kernel/module_signing.c
> > +++ b/kernel/module_signing.c
> > @@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
> > {
> > struct module_signature ms;
> > size_t sig_len, modlen = info->len;
> > + int ret;
> >
> > pr_devel("==>%s(,%zu)\n", __func__, modlen);
> >
> > @@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
> > return -EBADMSG;
> > }
> >
> > - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> > - VERIFY_USE_SECONDARY_KEYRING,
> > - VERIFYING_MODULE_SIGNATURE,
> > - NULL, NULL);
> > + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> > + VERIFY_USE_SECONDARY_KEYRING,
> > + VERIFYING_MODULE_SIGNATURE,
> > + NULL, NULL);
> > + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> > + VERIFY_USE_PLATFORM_KEYRING,
> > + VERIFYING_MODULE_SIGNATURE,
> > + NULL, NULL);
> > + }
> > + return ret;
> > }
>
Powered by blists - more mailing lists