Check module signatures with the platform keyring (if enabled)

Upstream has made a keyring to the platform keys. The "KEYS: Allow
unrestricted boot-time addition of keys to secondary keyring" is
available upstream for the platform keyring.

The only issue is that module signatures aren't checked with the
platform keyring, so this introduces a patch to add that which has been
sent upstream. At least our carried-patch count hasn't gone up.
This commit is contained in:
Jeremy Cline 2019-04-23 14:21:09 +00:00
parent 8f968e6f02
commit 3313b2c332
3 changed files with 61 additions and 98 deletions

View File

@ -1,96 +0,0 @@
From 7ec379c439ea60507804f96910d25196ab838ec4 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:56 +0100
Subject: [PATCH] KEYS: Allow unrestricted boot-time addition of keys to
secondary keyring
Allow keys to be added to the system secondary certificates keyring during
kernel initialisation in an unrestricted fashion. Such keys are implicitly
trusted and don't have their trust chains checked on link.
This allows keys in the UEFI database to be added in secure boot mode for
the purposes of module signing.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
---
certs/internal.h | 18 ++++++++++++++++++
certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 certs/internal.h
diff --git a/certs/internal.h b/certs/internal.h
new file mode 100644
index 000000000000..5dcbefb0c23a
--- /dev/null
+++ b/certs/internal.h
@@ -0,0 +1,18 @@
+/* Internal definitions
+ *
+ * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+/*
+ * system_keyring.c
+ */
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+extern void __init add_trusted_secondary_key(const char *source,
+ const void *data, size_t len);
+#endif
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index c05c29ae4d5d..183e73cc81f7 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -19,6 +19,7 @@
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include <crypto/pkcs7.h>
+#include "internal.h"
static struct key *builtin_trusted_keys;
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
@@ -287,3 +288,35 @@ void __init set_platform_trusted_keys(struct key *keyring)
platform_trusted_keys = keyring;
}
#endif
+
+#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+/**
+ * add_trusted_secondary_key - Add to secondary keyring with no validation
+ * @source: Source of key
+ * @data: The blob holding the key
+ * @len: The length of the data blob
+ *
+ * Add a key to the secondary keyring without checking its trust chain. This
+ * is available only during kernel initialisation.
+ */
+void __init add_trusted_secondary_key(const char *source,
+ const void *data, size_t len)
+{
+ key_ref_t key;
+
+ key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1),
+ "asymmetric",
+ NULL, data, len,
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
+ KEY_USR_VIEW,
+ KEY_ALLOC_NOT_IN_QUOTA |
+ KEY_ALLOC_BYPASS_RESTRICTION);
+
+ if (IS_ERR(key))
+ pr_err("Problem loading %s X.509 certificate (%ld)\n",
+ source, PTR_ERR(key));
+ else
+ pr_notice("Loaded %s cert '%s' linked to secondary sys keyring\n",
+ source, key_ref_to_ptr(key)->description);
+}
+#endif /* CONFIG_SECONDARY_TRUSTED_KEYRING */
--
2.20.1

View File

@ -0,0 +1,54 @@
From 70cecc97a4fc1667472224558a50dd7b6c42c789 Mon Sep 17 00:00:00 2001
From: Robert Holmes <robeholmes@gmail.com>
Date: Tue, 23 Apr 2019 07:39:29 +0000
Subject: [PATCH] KEYS: Make use of platform keyring for module signature
verify
This patch completes commit 278311e417be ("kexec, KEYS: Make use of
platform keyring for signature verify") which, while adding the
platform keyring for bzImage verification, neglected to also add
this keyring for module verification.
As such, kernel modules signed with keys from the MokList variable
were not successfully verified.
Signed-off-by: Robert Holmes <robeholmes@gmail.com>
---
kernel/module_signing.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 6b9a926fd86b..cf94220e9154 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -49,6 +49,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
{
struct module_signature ms;
size_t sig_len, modlen = info->len;
+ int ret;
pr_devel("==>%s(,%zu)\n", __func__, modlen);
@@ -82,8 +83,15 @@ int mod_verify_sig(const void *mod, struct load_info *info)
return -EBADMSG;
}
- return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
- VERIFY_USE_SECONDARY_KEYRING,
- VERIFYING_MODULE_SIGNATURE,
- NULL, NULL);
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_SECONDARY_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+ ret = verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
+ VERIFY_USE_PLATFORM_KEYRING,
+ VERIFYING_MODULE_SIGNATURE,
+ NULL, NULL);
+ }
+ return ret;
}
--
2.21.0

View File

@ -532,8 +532,6 @@ Patch122: Input-synaptics-pin-3-touches-when-the-firmware-repo.patch
Patch201: efi-lockdown.patch Patch201: efi-lockdown.patch
Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
# bz 1497559 - Make kernel MODSIGN code not error on missing variables # bz 1497559 - Make kernel MODSIGN code not error on missing variables
Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
@ -585,6 +583,10 @@ Patch501: input-rmi4-remove-the-need-for-artifical-IRQ.patch
Patch506: 0001-s390-jump_label-Correct-asm-contraint.patch Patch506: 0001-s390-jump_label-Correct-asm-contraint.patch
Patch507: 0001-Drop-that-for-now.patch Patch507: 0001-Drop-that-for-now.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1701096
# Submitted upstream at https://lkml.org/lkml/2019/4/23/89
Patch508: KEYS-Make-use-of-platform-keyring-for-module-signature.patch
# END OF PATCH DEFINITIONS # END OF PATCH DEFINITIONS
%endif %endif
@ -1858,6 +1860,9 @@ fi
# #
# #
%changelog %changelog
* Tue Apr 23 2019 Jeremy Cline <jcline@redhat.com>
- Allow modules signed by keys in the platform keyring (rbhz 1701096)
* Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git0.1 * Mon Apr 22 2019 Jeremy Cline <jcline@redhat.com> - 5.1.0-0.rc6.git0.1
- Linux v5.1-rc6 - Linux v5.1-rc6