This patch complements commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") and commit 6fce1f40e951
("dm verity: add support for signature verification with platform keyring")
and allows for signing modules using keys from SecureBoot 'db'. This may
come handy when the user has control over it, e.g. in a virtualized or a
cloud environment.
Suggested-by: Robert Holmes <robehol...@gmail.com>
Signed-off-by: Vitaly Kuznetsov <vkuzn...@redhat.com>
---
Documentation/admin-guide/module-signing.rst | 6 ++++++
kernel/module/Kconfig | 11 +++++++++++
kernel/module/signing.c | 9 ++++++++-
security/integrity/Kconfig | 2 +-
4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/Documentation/admin-guide/module-signing.rst
b/Documentation/admin-guide/module-signing.rst
index a8667a777490..44ed93e586b9 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -118,6 +118,12 @@ This has a number of options available:
additional certificates which will be included in the system keyring by
default.
+ (5) :menuselection:`Use .platform keyring for verifying kernel modules
signatures`
+ (``CONFIG_MODULE_SIG_PLATFORM``)
+
+ This option additionally allows modules to be signed with a key present
+ in ``.platform`` keyring, e.g. a SecureBoot 'db' key.
+
Note that enabling module signing adds a dependency on the OpenSSL devel
packages to the kernel build processes for the tool that does the signing.
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 39278737bb68..f1b85c14548a 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -340,6 +340,17 @@ config MODULE_SIG_HASH
default "sha3-384" if MODULE_SIG_SHA3_384
default "sha3-512" if MODULE_SIG_SHA3_512
+config MODULE_SIG_PLATFORM
+ bool "Use .platform keyring for verifying kernel modules signatures"
+ depends on INTEGRITY_PLATFORM_KEYRING
+ depends on MODULE_SIG
+ help
+ When selected, keys from .platform keyring can be used for verifying
+ modules signatures. In particular, this allows to use UEFI SecureBoot
+ 'db' for verification.
+
+ If unsure, say N.
+
config MODULE_COMPRESS
bool "Module compression"
help
diff --git a/kernel/module/signing.c b/kernel/module/signing.c
index a2ff4242e623..3327e7243211 100644
--- a/kernel/module/signing.c
+++ b/kernel/module/signing.c
@@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, struct load_info *info)
modlen -= sig_len + sizeof(ms);
info->len = modlen;
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
VERIFY_USE_SECONDARY_KEYRING,
VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_MODULE_SIG_PLATFORM)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ }
+ return ret;
}
int module_sig_check(struct load_info *info, int flags)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 3c45f4f3455f..b7fa83d37a01 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -60,7 +60,7 @@ config INTEGRITY_PLATFORM_KEYRING
Provide a separate, distinct keyring for platform trusted keys, which
the kernel automatically populates during initialization from values
provided by the platform for verifying the kexec'ed kerned image
- and, possibly, the initramfs signature.
+ and, possibly, the initramfs signature and kernel modules signatures.
config INTEGRITY_MACHINE_KEYRING
bool "Provide a keyring to which Machine Owner Keys may be added"
--
2.49.0
