git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From 0828c4a39be57768b8788e8cbd0d84683ea757e5 Mon Sep 17 00:00:00 2001
   2 From: Michal Suchanek <msuchanek@suse.de>
   3 Date: Thu, 14 Jul 2022 21:40:27 +0800
   4 Subject: kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
   5
   6 From: Michal Suchanek <msuchanek@suse.de>
   7
   8 commit 0828c4a39be57768b8788e8cbd0d84683ea757e5 upstream.
   9
  10 commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
  11 adds support for KEXEC_SIG verification with keys from platform keyring
  12 but the built-in keys and secondary keyring are not used.
  13
  14 Add support for the built-in keys and secondary keyring as x86 does.
  15
  16 Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
  17 Cc: stable@vger.kernel.org
  18 Cc: Philipp Rudo <prudo@linux.ibm.com>
  19 Cc: kexec@lists.infradead.org
  20 Cc: keyrings@vger.kernel.org
  21 Cc: linux-security-module@vger.kernel.org
  22 Signed-off-by: Michal Suchanek <msuchanek@suse.de>
  23 Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
  24 Acked-by: Baoquan He <bhe@redhat.com>
  25 Signed-off-by: Coiby Xu <coxu@redhat.com>
  26 Acked-by: Heiko Carstens <hca@linux.ibm.com>
  27 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
  28 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29 ---
  30  arch/s390/kernel/machine_kexec_file.c |   18 +++++++++++++-----
  31  1 file changed, 13 insertions(+), 5 deletions(-)
  32
  33 --- a/arch/s390/kernel/machine_kexec_file.c
  34 +++ b/arch/s390/kernel/machine_kexec_file.c
  35 @@ -29,6 +29,7 @@ int s390_verify_sig(const char *kernel,
  36         const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
  37         struct module_signature *ms;
  38         unsigned long sig_len;
  39 +       int ret;
  40
  41         /* Skip signature verification when not secure IPLed. */
  42         if (!ipl_secure_flag)
  43 @@ -63,11 +64,18 @@ int s390_verify_sig(const char *kernel,
  44                 return -EBADMSG;
  45         }
  46
  47 -       return verify_pkcs7_signature(kernel, kernel_len,
  48 -                                     kernel + kernel_len, sig_len,
  49 -                                     VERIFY_USE_PLATFORM_KEYRING,
  50 -                                     VERIFYING_MODULE_SIGNATURE,
  51 -                                     NULL, NULL);
  52 +       ret = verify_pkcs7_signature(kernel, kernel_len,
  53 +                                    kernel + kernel_len, sig_len,
  54 +                                    VERIFY_USE_SECONDARY_KEYRING,
  55 +                                    VERIFYING_MODULE_SIGNATURE,
  56 +                                    NULL, NULL);
  57 +       if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
  58 +               ret = verify_pkcs7_signature(kernel, kernel_len,
  59 +                                            kernel + kernel_len, sig_len,
  60 +                                            VERIFY_USE_PLATFORM_KEYRING,
  61 +                                            VERIFYING_MODULE_SIGNATURE,
  62 +                                            NULL, NULL);
  63 +       return ret;
  64  }
  65  #endif /* CONFIG_KEXEC_SIG */
  66