| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <qvgp2il2co4iyxkzxvcs4p2bpyilqsbfgcprtpfrsajwae2etc@3z2s2o52i3xg>
Date: Fri, 31 Mar 2023 16:30:21 +0200
From: Ahelenia Ziemiańska
<nabijaczleweli@...ijaczleweli.xyz>
To: unlisted-recipients:; (no To-header on input)
Cc: Luis Chamberlain <mcgrof@...nel.org>,
"open list:MODULE SUPPORT" <linux-modules@...r.kernel.org>,
"open list:MODULE SUPPORT" <linux-kernel@...r.kernel.org>
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
verification
This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.
This key policy matches what's used for kexec.
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@...ijaczleweli.xyz>
---
Notes:
Debian has carried an equivalent patch since 5.3.9-1:
https://bugs.debian.org/935945
https://bugs.debian.org/1030200
in
https://salsa.debian.org/kernel-team/linux/-/commit/0e65c8f3e316d6f0fc30f091dd47dba2ac616529
and it appears the true origin is some version of
https://gitlab.com/cki-project/kernel-ark/-/commit/b697ff5e26974fee8fcd31a1e221e9dd41515efc
kernel/module/signing.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..71d6248cf9ec 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,16 @@ int mod_verify_sig(const void *mod, struct load_info *info)
modlen -= sig_len + sizeof(ms);
info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_MODULE_SIGNATURE,
- NULL, NULL);
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ return ret;
}
int module_sig_check(struct load_info *info, int flags)
--
2.30.2
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists