[PATCH v4 5/6] module: Use key_being_used_for for log messages in verify_appended_signature

Mon, 10 Jan 2022 05:53:35 -0800 

Add value for kexec appended signature and pass in key_being_used_for
enum rather than a string to verify_appended_signature to produce log
messages about the signature.

Signed-off-by: Michal Suchanek <msucha...@suse.de>
---
 arch/powerpc/kexec/elf_64.c              |  2 +-
 arch/s390/kernel/machine_kexec_file.c    |  2 +-
 crypto/asymmetric_keys/asymmetric_type.c |  1 +
 include/linux/verification.h             |  4 +++-
 kernel/module.c                          |  3 ++-
 kernel/module_signing.c                  | 11 ++++++-----
 6 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/arch/powerpc/kexec/elf_64.c b/arch/powerpc/kexec/elf_64.c
index 6dec8151ef73..c50869195d51 100644
--- a/arch/powerpc/kexec/elf_64.c
+++ b/arch/powerpc/kexec/elf_64.c
@@ -156,7 +156,7 @@ static void *elf64_load(struct kimage *image, char 
*kernel_buf,
 int elf64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
        return verify_appended_signature(kernel, &kernel_len, 
VERIFY_USE_PLATFORM_KEYRING,
-                                        "kexec_file");
+                                        VERIFYING_KEXEC_APPENDED_SIGNATURE);
 }
 #endif /* CONFIG_KEXEC_SIG */
 
diff --git a/arch/s390/kernel/machine_kexec_file.c 
b/arch/s390/kernel/machine_kexec_file.c
index c3deccf1da83..63eec38e3137 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -32,7 +32,7 @@ int s390_verify_sig(const char *kernel, unsigned long 
kernel_len)
                return 0;
 
        return verify_appended_signature(kernel, &kernel_len, 
VERIFY_USE_PLATFORM_KEYRING,
-                                       "kexec_file");
+                                       VERIFYING_KEXEC_APPENDED_SIGNATURE);
 }
 #endif /* CONFIG_KEXEC_SIG */
 
diff --git a/crypto/asymmetric_keys/asymmetric_type.c 
b/crypto/asymmetric_keys/asymmetric_type.c
index ad8af3d70ac0..6fd20eec3882 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -25,6 +25,7 @@ const char *const key_being_used_for[NR__KEY_BEING_USED_FOR] 
= {
        [VERIFYING_KEXEC_PE_SIGNATURE]          = "kexec PE sig",
        [VERIFYING_KEY_SIGNATURE]               = "key sig",
        [VERIFYING_KEY_SELF_SIGNATURE]          = "key self sig",
+       [VERIFYING_KEXEC_APPENDED_SIGNATURE]    = "kexec appended sig",
        [VERIFYING_UNSPECIFIED_SIGNATURE]       = "unspec sig",
 };
 EXPORT_SYMBOL_GPL(key_being_used_for);
diff --git a/include/linux/verification.h b/include/linux/verification.h
index 32db9287a7b0..f92c49443b4f 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -26,6 +26,7 @@ enum key_being_used_for {
        VERIFYING_KEXEC_PE_SIGNATURE,
        VERIFYING_KEY_SIGNATURE,
        VERIFYING_KEY_SELF_SIGNATURE,
+       VERIFYING_KEXEC_APPENDED_SIGNATURE,
        VERIFYING_UNSPECIFIED_SIGNATURE,
        NR__KEY_BEING_USED_FOR
 };
@@ -61,7 +62,8 @@ extern int verify_pefile_signature(const void *pebuf, 
unsigned pelen,
 #endif
 
 int verify_appended_signature(const void *data, unsigned long *len,
-                             struct key *trusted_keys, const char *what);
+                             struct key *trusted_keys,
+                             enum key_being_used_for purpose);
 
 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
 #endif /* _LINUX_VERIFY_PEFILE_H */
diff --git a/kernel/module.c b/kernel/module.c
index d91ca0f93a40..0a359dc6b690 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2891,7 +2891,8 @@ static int module_sig_check(struct load_info *info, int 
flags)
         */
        if (flags == 0) {
                err = verify_appended_signature(mod, &info->len,
-                                               VERIFY_USE_SECONDARY_KEYRING, 
"module");
+                                               VERIFY_USE_SECONDARY_KEYRING,
+                                               VERIFYING_MODULE_SIGNATURE);
                if (!err) {
                        info->sig_ok = true;
                        return 0;
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 39a6dd7c6dd2..20857d2a15ca 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -19,17 +19,18 @@
  * @data: The data to be verified
  * @len: Size of @data.
  * @trusted_keys: Keyring to use for verification
- * @what: Informational string for log messages
+ * @purpose: The use to which the key is being put
  */
 int verify_appended_signature(const void *data, unsigned long *len,
-                             struct key *trusted_keys, const char *what)
+                             struct key *trusted_keys,
+                             enum key_being_used_for purpose)
 {
        const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
        struct module_signature *ms;
        unsigned long sig_len, modlen = *len;
        int ret;
 
-       pr_devel("==>%s(,%lu)\n", __func__, modlen);
+       pr_devel("==>%s %s(,%lu)\n", __func__, key_being_used_for[purpose], 
modlen);
 
        if (markerlen > modlen)
                return -ENODATA;
@@ -44,7 +45,7 @@ int verify_appended_signature(const void *data, unsigned long 
*len,
 
        ms = data + modlen - sizeof(*ms);
 
-       ret = mod_check_sig(ms, modlen, what);
+       ret = mod_check_sig(ms, modlen, key_being_used_for[purpose]);
        if (ret)
                return ret;
 
@@ -54,6 +55,6 @@ int verify_appended_signature(const void *data, unsigned long 
*len,
 
        return verify_pkcs7_signature(data, modlen, data + modlen, sig_len,
                                      trusted_keys,
-                                     VERIFYING_MODULE_SIGNATURE,
+                                     purpose,
                                      NULL, NULL);
 }
-- 
2.31.1

Reply via email to