lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250602132535.897944-2-vkuznets@redhat.com>
Date: Mon,  2 Jun 2025 15:25:35 +0200
From: Vitaly Kuznetsov <vkuznets@...hat.com>
To: linux-security-module@...r.kernel.org,
	linux-integrity@...r.kernel.org,
	linux-modules@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
	linux-doc@...r.kernel.org,
	keyrings@...r.kernel.org,
	David Howells <dhowells@...hat.com>,
	David Woodhouse <dwmw2@...radead.org>,
	Jonathan Corbet <corbet@....net>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Petr Pavlu <petr.pavlu@...e.com>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	Daniel Gomez <da.gomez@...sung.com>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Roberto Sassu <roberto.sassu@...wei.com>,
	Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
	Eric Snowberg <eric.snowberg@...cle.com>,
	Paul Moore <paul@...l-moore.com>,
	James Morris <jmorris@...ei.org>,
	"Serge E. Hallyn" <serge@...lyn.com>,
	Peter Jones <pjones@...hat.com>,
	Robert Holmes <robeholmes@...il.com>,
	Jeremy Cline <jcline@...hat.com>,
	Coiby Xu <coxu@...hat.com>,
	James Bottomley <James.Bottomley@...senPartnership.com>,
	Gerd Hoffmann <kraxel@...hat.com>
Subject: [PATCH RFC 1/1] module: Make use of platform keyring for module signature verify

This patch complements commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") and commit 6fce1f40e951
("dm verity: add support for signature verification with platform keyring")
and allows for signing modules using keys from SecureBoot 'db'. This may
come handy when the user has control over it, e.g. in a virtualized or a
cloud environment.

Suggested-by: Robert Holmes <robeholmes@...il.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@...hat.com>
---
 Documentation/admin-guide/module-signing.rst |  6 ++++++
 kernel/module/Kconfig                        | 11 +++++++++++
 kernel/module/signing.c                      |  9 ++++++++-
 security/integrity/Kconfig                   |  2 +-
 4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index a8667a777490..44ed93e586b9 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -118,6 +118,12 @@ This has a number of options available:
      additional certificates which will be included in the system keyring by
      default.
 
+ (5) :menuselection:`Use .platform keyring for verifying kernel modules signatures`
+     (``CONFIG_MODULE_SIG_PLATFORM``)
+
+     This option additionally allows modules to be signed with a key present
+     in ``.platform`` keyring, e.g. a SecureBoot 'db' key.
+
 Note that enabling module signing adds a dependency on the OpenSSL devel
 packages to the kernel build processes for the tool that does the signing.
 
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 39278737bb68..f1b85c14548a 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -340,6 +340,17 @@ config MODULE_SIG_HASH
 	default "sha3-384" if MODULE_SIG_SHA3_384
 	default "sha3-512" if MODULE_SIG_SHA3_512
 
+config MODULE_SIG_PLATFORM
+	bool "Use .platform keyring for verifying kernel modules signatures"
+	depends on INTEGRITY_PLATFORM_KEYRING
+	depends on MODULE_SIG
+	help
+	  When selected, keys from .platform keyring can be used for verifying
+	  modules signatures. In particular, this allows to use UEFI SecureBoot
+	  'db' for verification.
+
+	  If unsure, say N.
+
 config MODULE_COMPRESS
 	bool "Module compression"
 	help
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..3327e7243211 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 				      VERIFY_USE_SECONDARY_KEYRING,
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_MODULE_SIG_PLATFORM)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+				VERIFY_USE_PLATFORM_KEYRING,
+				VERIFYING_MODULE_SIGNATURE,
+				NULL, NULL);
+	}
+	return ret;
 }
 
 int module_sig_check(struct load_info *info, int flags)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 3c45f4f3455f..b7fa83d37a01 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -60,7 +60,7 @@ config INTEGRITY_PLATFORM_KEYRING
 	  Provide a separate, distinct keyring for platform trusted keys, which
 	  the kernel automatically populates during initialization from values
 	  provided by the platform for verifying the kexec'ed kerned image
-	  and, possibly, the initramfs signature.
+	  and, possibly, the initramfs signature and kernel modules signatures.
 
 config INTEGRITY_MACHINE_KEYRING
 	bool "Provide a keyring to which Machine Owner Keys may be added"
-- 
2.49.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ