On Tue, 23 Apr 2019, Robert Holmes wrote:
> This patch completes commit 278311e417be ("kexec, KEYS: Make use of
> platform keyring for signature verify") which, while adding the
> platform keyring for bzImage verification, neglected to also add
> this keyring for module verification.
>
You should most likely add the keyrings list to the cc: for these kinds of
patches.
> As such, kernel modules signed with keys from the MokList variable
> were not successfully verified.
>
> Signed-off-by: Robert Holmes <[email protected]>
> ---
> kernel/module_signing.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/module_signing.c b/kernel/module_signing.c
> index 6b9a926fd86b..cf94220e9154 100644
> --- a/kernel/module_signing.c
> +++ b/kernel/module_signing.c
> @@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
> {
> struct module_signature ms;
> size_t sig_len, modlen = info->len;
> + int ret;
>
> pr_devel("==>%s(,%zu)\n", __func__, modlen);
>
> @@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
> return -EBADMSG;
> }
>
> - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> - VERIFY_USE_SECONDARY_KEYRING,
> - VERIFYING_MODULE_SIGNATURE,
> - NULL, NULL);
> + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> + VERIFY_USE_SECONDARY_KEYRING,
> + VERIFYING_MODULE_SIGNATURE,
> + NULL, NULL);
> + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> + ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> + VERIFY_USE_PLATFORM_KEYRING,
> + VERIFYING_MODULE_SIGNATURE,
> + NULL, NULL);
> + }
> + return ret;
> }
>
--
James Morris
<[email protected]>
