From 232d817c5b271f3f213ea31497e5d068bb73d40c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 15 Aug 2022 13:00:22 +0200
Subject: [PATCH] 5.4-stable patches
added patches:
 kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch
---
 ...y-keyring-for-signature-verification.patch | 66 +++++++++++++++++++
 queue-5.4/series | 1 +
 2 files changed, 67 insertions(+)
 create mode 100644 queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch
diff --git a/queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch b/queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch
new file mode 100644
index 00000000000..04c5cd7bf59
--- /dev/null
+++ b/queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch
@@ -0,0 +1,66 @@
+From 0828c4a39be57768b8788e8cbd0d84683ea757e5 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Thu, 14 Jul 2022 21:40:27 +0800
+Subject: kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
+
+From: Michal Suchanek
+
+commit 0828c4a39be57768b8788e8cbd0d84683ea757e5 upstream.
+
+commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
+adds support for KEXEC_SIG verification with keys from platform keyring
+but the built-in keys and secondary keyring are not used.
+
+Add support for the built-in keys and secondary keyring as x86 does.
+
+Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
+Cc: stable@vger.kernel.org
+Cc: Philipp Rudo
+Cc: kexec@lists.infradead.org
+Cc: keyrings@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Signed-off-by: Michal Suchanek
+Reviewed-by: "Lee, Chun-Yi"
+Acked-by: Baoquan He
+Signed-off-by: Coiby Xu
+Acked-by: Heiko Carstens
+Signed-off-by: Mimi Zohar
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -29,6 +29,7 @@ int s390_verify_sig(const char *kernel,
+ const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
+ struct module_signature *ms;
+ unsigned long sig_len;
++ int ret;
+
+ /* Skip signature verification when not secure IPLed. */
+ if (!ipl_secure_flag)
+@@ -63,11 +64,18 @@ int s390_verify_sig(const char *kernel,
+ return -EBADMSG;
+ }
+
+- return verify_pkcs7_signature(kernel, kernel_len,
+- kernel + kernel_len, sig_len,
+- VERIFY_USE_PLATFORM_KEYRING,
+- VERIFYING_MODULE_SIGNATURE,
+- NULL, NULL);
++ ret = verify_pkcs7_signature(kernel, kernel_len,
++ kernel + kernel_len, sig_len,
++ VERIFY_USE_SECONDARY_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
++ ret = verify_pkcs7_signature(kernel, kernel_len,
++ kernel + kernel_len, sig_len,
++ VERIFY_USE_PLATFORM_KEYRING,
++ VERIFYING_MODULE_SIGNATURE,
++ NULL, NULL);
++ return ret;
+ }
+ #endif /* CONFIG_KEXEC_SIG */
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 961f468cbd1..3a0cd3719fe 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -255,3 +255,4 @@ scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch
 scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci-error-injection.patch
 x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
 spmi-trace-fix-stack-out-of-bound-access-in-spmi-tracing-functions.patch
+kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch
--
2.47.3
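Review bot: The two-step verification added at the end of s390_verify_sig() (second hunk of the queued patch) has no comment explaining the keyring order or why only `-ENOKEY` leads to a second attempt, and that is the security-relevant part of the change. I would add above the `if`: `/* Only -ENOKEY falls through to the platform keyring; any other result is returned as is. */`. The function's header comment should also say that, when secure IPLed, an image is now accepted if it verifies against the built-in/secondary keyring or, failing that with `-ENOKEY`, the platform keyring. Before this change the platform keyring was the only one consulted, so the set of trusted signers is wider. The part of the function between the two hunks, where `sig_len` is derived from the module signature trailer, is not visible here, so this note does not cover it.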