From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000 (+0000)
Subject: [PATCH] KEYS: Make use of platform keyring for module signature verify
X-Git-Tag: archive/raspbian/6.17.13-1+rpi1~2^2~16
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=2d81d0cd518f440d81f6eea9fc1e7e1a7e535cb7;p=linux.git

[PATCH] KEYS: Make use of platform keyring for module signature verify

Bug-Debian: https://bugs.debian.org/935945
Bug-Debian: https://bugs.debian.org/1030200
Origin: https://src.fedoraproject.org/rpms/kernel/raw/master/f/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
Forwarded: https://lore.kernel.org/linux-modules/qvgp2il2co4iyxkzxvcs4p2bpyilqsbfgcprtpfrsajwae2etc@3z2s2o52i3xg/t/#u

This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.

Signed-off-by: Robert Holmes <robeholmes@gmail.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
[bwh: Forward-ported to 5.19: adjust filename]
[наб: reinstate for 6.1, re-write description]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name KEYS-Make-use-of-platform-keyring-for-module-signature.patch
---

diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e62..35a66790702 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 	modlen -= sig_len + sizeof(ms);
 	info->len = modlen;
 
-	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 				      VERIFY_USE_SECONDARY_KEYRING,
 				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_MODULE_SIGNATURE,
+					      NULL, NULL);
+	}
+        return ret;
 }
 
 int module_sig_check(struct load_info *info, int flags)