Check module signatures with the platform keyring (if enabled)

Upstream has made a keyring to the platform keys. The "KEYS: Allow unrestricted boot-time addition of keys to secondary keyring" is available upstream for the platform keyring. The only issue is that module signatures aren't checked with the platform keyring, so this introduces a patch to add that which has been sent upstream. At least our carried-patch count hasn't gone up.
2019-04-23 14:21:09 +00:00 · 2019-04-23 14:21:09 +00:00 · 3313b2c332
commit 3313b2c332
parent 8f968e6f02
3 changed files with 61 additions and 98 deletions
--- a/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
+++ b/KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
@ -1,96 +0,0 @@
 From 7ec379c439ea60507804f96910d25196ab838ec4 Mon Sep 17 00:00:00 2001
 From: David Howells <dhowells@redhat.com>
 Date: Fri, 5 May 2017 08:21:56 +0100
 Subject: [PATCH] KEYS: Allow unrestricted boot-time addition of keys to
 secondary keyring
 Allow keys to be added to the system secondary certificates keyring during
 kernel initialisation in an unrestricted fashion.  Such keys are implicitly
 trusted and don't have their trust chains checked on link.
 This allows keys in the UEFI database to be added in secure boot mode for
 the purposes of module signing.
 Signed-off-by: David Howells <dhowells@redhat.com>
 Signed-off-by: Jeremy Cline <jcline@redhat.com>
 ---
 certs/internal.h       | 18 ++++++++++++++++++
 certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 certs/internal.h
 diff --git a/certs/internal.h b/certs/internal.h
 new file mode 100644
 index 000000000000..5dcbefb0c23a
 --- /dev/null
 +++ b/certs/internal.h
@@ -0,0 +1,18 @@
 +/* Internal definitions
 + *
 + * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
 + * Written by David Howells (dhowells@redhat.com)
 + *
 + * This program is free software; you can redistribute it and/or
 + * modify it under the terms of the GNU General Public Licence
 + * as published by the Free Software Foundation; either version
 + * 2 of the Licence, or (at your option) any later version.
 + */
 +
 +/*
 + * system_keyring.c
 + */
 +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 +extern void __init add_trusted_secondary_key(const char *source,
 +					     const void *data, size_t len);
 +#endif
 diff --git a/certs/system_keyring.c b/certs/system_keyring.c
 index c05c29ae4d5d..183e73cc81f7 100644
 --- a/certs/system_keyring.c
 +++ b/certs/system_keyring.c
@@ -19,6 +19,7 @@
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include <crypto/pkcs7.h>
 +#include "internal.h"
 static struct key *builtin_trusted_keys;
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
@@ -287,3 +288,35 @@ void __init set_platform_trusted_keys(struct key *keyring)
 	platform_trusted_keys = keyring;
 }
 #endif
 +
 +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 +/**
 + * add_trusted_secondary_key - Add to secondary keyring with no validation
 + * @source: Source of key
 + * @data: The blob holding the key
 + * @len: The length of the data blob
 + *
 + * Add a key to the secondary keyring without checking its trust chain.  This
 + * is available only during kernel initialisation.
 + */
 +void __init add_trusted_secondary_key(const char *source,
 +				      const void *data, size_t len)
 +{
 +	key_ref_t key;
 +
 +	key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
 +				   "asymmetric",
 +				   NULL, data, len,
 +				   (KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				   KEY_USR_VIEW,
 +				   KEY_ALLOC_NOT_IN_QUOTA |
 +				   KEY_ALLOC_BYPASS_RESTRICTION);
 +
 +	if (IS_ERR(key))
 +		pr_err("Problem loading %s X.509 certificate (%ld)\n",
 +		       source, PTR_ERR(key));
 +	else
 +		pr_notice("Loaded %s cert '%s' linked to secondary sys keyring\n",
 +			  source, key_ref_to_ptr(key)->description);
 +}
 +#endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */
 -- 
 2.20.1
--- a/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
+++ b/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
@ -0,0 +1,54 @@
 From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
 From: Robert Holmes <robeholmes@gmail.com>
 Date: Tue, 23 Apr 2019 07:39:29 +0000
 Subject: [PATCH] KEYS: Make use of platform keyring for module signature
 verify
 This patch completes commit 278311e417be ("kexec, KEYS: Make use of
 platform keyring for signature verify") which, while adding the
 platform keyring for bzImage verification, neglected to also add
 this keyring for module verification.
 As such, kernel modules signed with keys from the MokList variable
 were not successfully verified.
 Signed-off-by: Robert Holmes <robeholmes@gmail.com>
 ---
 kernel/module_signing.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
 diff --git a/kernel/module_signing.c b/kernel/module_signing.c
 index 6b9a926fd86b..cf94220e9154 100644
 --- a/kernel/module_signing.c
 +++ b/kernel/module_signing.c
@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 {
 	struct module_signature ms;
 	size_t sig_len, modlen = info->len;
 +	int ret;
 	pr_devel("==>%s(,%zu)\n", __func__, modlen);
@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
 		return -EBADMSG;
 	}
 -	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 -				      VERIFY_USE_SECONDARY_KEYRING,
 -				      VERIFYING_MODULE_SIGNATURE,
 -				      NULL, NULL);
 +	ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 +				     VERIFY_USE_SECONDARY_KEYRING,
 +				     VERIFYING_MODULE_SIGNATURE,
 +				     NULL, NULL);
 +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
 +		ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
 +					     VERIFY_USE_PLATFORM_KEYRING,
 +					     VERIFYING_MODULE_SIGNATURE,
 +					     NULL, NULL);
 +	}
 +	return ret;
 }
 -- 
 2.21.0
--- a/kernel.spec
+++ b/kernel.spec
@ -532,8 +532,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
 Patch201: efi-lockdown.patch
 Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
 # bz 1497559 - Make kernel MODSIGN code not error on missing variables
 Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
 Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
@ -585,6 +583,10 @@ Patch501: input-rmi4-remove-the-need-for-artifical-IRQ.patch
 Patch506: 0001-s390-jump_label-Correct-asm-contraint.patch
 Patch507: 0001-Drop-that-for-now.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1701096
 # Submitted upstream at https://lkml.org/lkml/2019/4/23/89
 Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
 # END OF PATCH DEFINITIONS
 %endif
@ -1858,6 +1860,9 @@ fi
 #
 #
 %changelog
 * Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
 - Allow modules signed by keys in the platform keyring (rbhz 1701096)
 * Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git0.1
 - Linux v5.1-rc6