From 12806a0fe148b7d7446fed283aa1efae9607a0e9 Mon Sep 17 00:00:00 2001 From: Robert Holmes Date: Tue, 23 Apr 2019 07:39:29 +0000 Subject: [PATCH] [PATCH] KEYS: Make use of platform keyring for module signature verify Bug-Debian: https://bugs.debian.org/935945 Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch This patch completes commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") which, while adding the platform keyring for bzImage verification, neglected to also add this keyring for module verification. As such, kernel modules signed with keys from the MokList variable were not successfully verified. Signed-off-by: Robert Holmes Signed-off-by: Jeremy Cline [bwh: Forward-ported to 5.19: adjust filename] Gbp-Pq: Topic features/all/db-mok-keyring Gbp-Pq: Name KEYS-Make-use-of-platform-keyring-for-module-signature.patch --- kernel/module/signing.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/module/signing.c b/kernel/module/signing.c index 494aa421916..d178b9fe31e 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -116,6 +116,13 @@ int mod_verify_sig(const void *mod, struct load_info *info) VERIFYING_MODULE_SIGNATURE, NULL, NULL); pr_devel("verify_pkcs7_signature() = %d\n", ret); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + pr_devel("verify_pkcs7_signature() = %d\n", ret); + } /* checking hash of module is in blacklist */ if (!ret) -- 2.30.2