5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Aug 2022 11:00:22 +0000 (13:00 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Aug 2022 11:00:22 +0000 (13:00 +0200)
added patches:
kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch

queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch b/queue-5.4/kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch
new file mode 100644 (file)
index 0000000..04c5cd7
--- /dev/null
@@ -0,0 +1,66 @@
+From 0828c4a39be57768b8788e8cbd0d84683ea757e5 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Thu, 14 Jul 2022 21:40:27 +0800
+Subject: kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+commit 0828c4a39be57768b8788e8cbd0d84683ea757e5 upstream.
+
+commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
+adds support for KEXEC_SIG verification with keys from platform keyring
+but the built-in keys and secondary keyring are not used.
+
+Add support for the built-in keys and secondary keyring as x86 does.
+
+Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
+Cc: stable@vger.kernel.org
+Cc: Philipp Rudo <prudo@linux.ibm.com>
+Cc: kexec@lists.infradead.org
+Cc: keyrings@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Signed-off-by: Coiby Xu <coxu@redhat.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/machine_kexec_file.c |   18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/arch/s390/kernel/machine_kexec_file.c
++++ b/arch/s390/kernel/machine_kexec_file.c
+@@ -29,6 +29,7 @@ int s390_verify_sig(const char *kernel,
+       const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
+       struct module_signature *ms;
+       unsigned long sig_len;
++      int ret;
+       /* Skip signature verification when not secure IPLed. */
+       if (!ipl_secure_flag)
+@@ -63,11 +64,18 @@ int s390_verify_sig(const char *kernel,
+               return -EBADMSG;
+       }
+-      return verify_pkcs7_signature(kernel, kernel_len,
+-                                    kernel + kernel_len, sig_len,
+-                                    VERIFY_USE_PLATFORM_KEYRING,
+-                                    VERIFYING_MODULE_SIGNATURE,
+-                                    NULL, NULL);
++      ret = verify_pkcs7_signature(kernel, kernel_len,
++                                   kernel + kernel_len, sig_len,
++                                   VERIFY_USE_SECONDARY_KEYRING,
++                                   VERIFYING_MODULE_SIGNATURE,
++                                   NULL, NULL);
++      if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
++              ret = verify_pkcs7_signature(kernel, kernel_len,
++                                           kernel + kernel_len, sig_len,
++                                           VERIFY_USE_PLATFORM_KEYRING,
++                                           VERIFYING_MODULE_SIGNATURE,
++                                           NULL, NULL);
++      return ret;
+ }
+ #endif /* CONFIG_KEXEC_SIG */
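Review bot: The platform-keyring retry in the second inner hunk (`if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))`) has no comment explaining why -ENOKEY is the only result that falls through, and that condition is the security-relevant decision in this change. Without it, a later edit could widen the test to any non-zero `ret`, which would blur "no trusted key matched" with a verification that failed for another reason. I would add above the `if`: `/* Retry on the platform keyring only when no built-in/secondary key matched; any other error stays fatal. */`. It would also help to state in the function's header comment that, under secure IPL, images signed by built-in and secondary keyring keys are now accepted in addition to platform keys. s390_verify_sig starts outside both inner hunks, so the earlier length and marker checks are not visible here.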
index 961f468cbd1161b8b8ec57747faacffa512dc484..3a0cd3719fe16f29ebaa8e11ac2b352098d5cdb2 100644 (file)
@@ -255,3 +255,4 @@ scsi-qla2xxx-turn-off-multi-queue-for-8g-adapters.patch
 scsi-qla2xxx-fix-erroneous-mailbox-timeout-after-pci-error-injection.patch
 x86-olpc-fix-logical-not-is-only-applied-to-the-left-hand-side.patch
 spmi-trace-fix-stack-out-of-bound-access-in-spmi-tracing-functions.patch
+kexec-keys-s390-make-use-of-built-in-and-secondary-keyring-for-signature-verification.patch