From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC05DC433EF for ; Thu, 12 May 2022 07:02:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350644AbiELHCY (ORCPT ); Thu, 12 May 2022 03:02:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37324 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350679AbiELHCN (ORCPT ); Thu, 12 May 2022 03:02:13 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 67DA44E3BD for ; Thu, 12 May 2022 00:01:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1652338908; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Sd8cjBSOdeaVjyH4f3lxl+0xYw15nzSjwpJw6bzSgLk=; b=hRiAgjNsvhySuD23xs/oN22uPE09kLCYRTXlaABAeGtSkz5ft9Kp8u6eWrt6nWwGCKYClf qU3YV/saK9ADcAULX7JHmkAkBOiDfqhf0fTY3NaacbosyjZXpaoRscrFnm3UPaOVR8DCxA xYq2KVd7yFuuGzIRljwFxTwx8i7ncCM= Received: from mail-pj1-f69.google.com (mail-pj1-f69.google.com [209.85.216.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-79-xJsOGs0aMDKZuQidT60HFw-1; Thu, 12 May 2022 03:01:39 -0400 X-MC-Unique: xJsOGs0aMDKZuQidT60HFw-1 Received: by mail-pj1-f69.google.com with SMTP id gg5-20020a17090b0a0500b001d9852bd129so1988947pjb.9 for ; Thu, 12 May 2022 00:01:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Sd8cjBSOdeaVjyH4f3lxl+0xYw15nzSjwpJw6bzSgLk=; b=fiUyDyZS0FJbSJvjc8iQcvzWl+akG8gIRfs+mn4tIsLjbGuz5vuunsFqWMRX/uPLTh gkIIyaE14/zz3N9YTPYAPrlhvvx1i9LL0wfEe1QbrKf8HlMPi9CFdsZ2RHaIWum308AU iXoLM/oxKsgrk1kqFZZsPqLNSYmvASrlwz/jGfguo+lkipqBYlV/9Kn4IOLjL2nP1MqZ TWuZleJWvBHB+vs5wTrX8R+6PDzyO8wkvE9E0Isu1YFCp71fSGnXAw9OF9R1Y0oXHKUZ W9dxslQcD4Vvmi/qVKWnOyNspUC1683FLky9cWjqSqnKEwhlsxBmJt413JnW5KQncsZM Horg== X-Gm-Message-State: AOAM533FtSGqQYPtSz+mB+DPvOIr1saDuxJw5wD/5hYiO1k40HB5qR60 w/BW7lOPGT/xuM2PoJuMzoG3PxWEWc983Q4JMaKoPrvfQ2s1uG/pTFv3XMz+WNpPSaunYzCxDdZ vDrILdQrOlI+ggK1DbZc= X-Received: by 2002:a63:db17:0:b0:3c1:dc15:7a6e with SMTP id e23-20020a63db17000000b003c1dc157a6emr24702556pgg.107.1652338898845; Thu, 12 May 2022 00:01:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw5+8KvrmgP6uU2JLw0pBjP/QRQb39IFWj7HXL3olAtsPY86WH+mgk5ysySAIY64jPtk9fAOQ== X-Received: by 2002:a63:db17:0:b0:3c1:dc15:7a6e with SMTP id e23-20020a63db17000000b003c1dc157a6emr24702527pgg.107.1652338898566; Thu, 12 May 2022 00:01:38 -0700 (PDT) Received: from localhost ([240e:3a1:2e9:efa0:e73c:e550:ac9e:58fd]) by smtp.gmail.com with ESMTPSA id q9-20020a170902a3c900b0015e8d4eb22fsm3060866plb.121.2022.05.12.00.01.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 May 2022 00:01:38 -0700 (PDT) From: Coiby Xu To: kexec@lists.infradead.org Cc: linux-arm-kernel@lists.infradead.org, Michal Suchanek , Baoquan He , Dave Young , Will Deacon , "Eric W . Biederman" , Mimi Zohar , Chun-Yi Lee , stable@vger.kernel.org, Philipp Rudo , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Martin Schwidefsky , linux-s390@vger.kernel.org (open list:S390), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification Date: Thu, 12 May 2022 15:01:23 +0800 Message-Id: <20220512070123.29486-5-coxu@redhat.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512070123.29486-1-coxu@redhat.com> References: <20220512070123.29486-1-coxu@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org From: Michal Suchanek commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype") adds support for KEXEC_SIG verification with keys from platform keyring but the built-in keys and secondary keyring are not used. Add support for the built-in keys and secondary keyring as x86 does. Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype") Cc: stable@vger.kernel.org Cc: Philipp Rudo Cc: kexec@lists.infradead.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" Acked-by: Baoquan He Signed-off-by: Coiby Xu --- arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 8f43575a4dd3..fc6d5f58debe 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; struct module_signature *ms; unsigned long sig_len; + int ret; /* Skip signature verification when not secure IPLed. */ if (!ipl_secure_flag) @@ -65,11 +66,18 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) return -EBADMSG; } - return verify_pkcs7_signature(kernel, kernel_len, - kernel + kernel_len, sig_len, - VERIFY_USE_PLATFORM_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; } #endif /* CONFIG_KEXEC_SIG */ -- 2.35.3 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id EBAF7C433F5 for ; Thu, 12 May 2022 07:03:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=PV68GvftgQ+ubKITGLzMLax2UQUuXNM/Zznn41D0Ymo=; b=tKtcFis8Ny8ZGi vyidqCoYv45C6TfAvRtzz1HZSsJ2JsrDeZPYkZwHzoH+un5i05Fjlt1L32KGUVR91afJ7tt97UOup vsrLc5u30brhdLBVNWK/4C1wgyaiRKQqkIdsF3syuT2n6bzEmJuop68gxfvMEIKw4Eaf9CcglrS2G UtA2i/LQeH6ZKwzhZcYv/Vb7H8SGYib0paoCFJ5pQOdAFaZ+zfAbQr87JNNmCKaNytVoXjGyl8OSJ OpeUo0pniY6N2xQAVb+YhCUItwXnJH7+LhttWWkNOcUbdjzkmlr4saKmBLEptLiW9nBh7qVBb8GAG vvWi02YnSQ3MnUhOvstw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1np2qM-00Acbt-H1; Thu, 12 May 2022 07:02:38 +0000 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1np2pR-00AcCS-NM for linux-arm-kernel@lists.infradead.org; Thu, 12 May 2022 07:01:43 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1652338900; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Sd8cjBSOdeaVjyH4f3lxl+0xYw15nzSjwpJw6bzSgLk=; b=Uw2Xs56/rbVkF3hfep0lSCL3uoMFwBWmgN6uKmEYjQVyURjCAzcG2JKnlrgtYt/H+Mpjvu gbROAJq+mIEuW5fDX102XO34cE2nAMp7qDDjBD3I00c2bW4z4IWEl6/QBoMvCdH9x+Yalu BkzM3wjNH1Hj9hfOs50GCbVrT5AikKo= Received: from mail-pj1-f69.google.com (mail-pj1-f69.google.com [209.85.216.69]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-79-PYZbuFtVMwSh5j0wIsZiIw-1; Thu, 12 May 2022 03:01:39 -0400 X-MC-Unique: PYZbuFtVMwSh5j0wIsZiIw-1 Received: by mail-pj1-f69.google.com with SMTP id t15-20020a17090ae50f00b001d925488489so2002627pjy.3 for ; Thu, 12 May 2022 00:01:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Sd8cjBSOdeaVjyH4f3lxl+0xYw15nzSjwpJw6bzSgLk=; b=g7RINwe9QyRiU5puKsC5kGS0DOy+/xBY+dNX/9TyOoh2KVR9uCdAU0mGGdA864QB+A oxhTmYqXhqZdcT4HyG+S3mh2F635mULdUlHQSR5Le5Wd9xEm3OPBCAPo8PhjV1jEGiyt hnlmBCEAqh+LjzAcbyeVm7CQq+D8w+KkJFGxpjW667ZMn3EzjKq0OEEQsA51CCZ3xDLb yWOE//PjEWCwtfRDk10YhYpuWOJc+z5hZ1EjVZeSGy/H2KSkCwUoRVnaoBdi3MT0KXbA wR5PeqJiOvpkrY3ucKW/rju1VSLNFON6wiG7lRMCQkYzDe6tzTDwV/7vHv9shHCgMH25 ApjQ== X-Gm-Message-State: AOAM5309zriYU5RreLZJV9WYjdJi0q6A21PWgRpPKYsTY+Nf6CQoI1OL L7Fr+Pvbpx+ErtktLg+oPkLUyNIGh9ElZt1LpkgbPgn1JKyt7p2x0izO/ruQFbbhbptDjk6lXIL 3ogW9oqSdynJP81qjtHVbRFi0uukB045oKbE= X-Received: by 2002:a63:db17:0:b0:3c1:dc15:7a6e with SMTP id e23-20020a63db17000000b003c1dc157a6emr24702571pgg.107.1652338898852; Thu, 12 May 2022 00:01:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw5+8KvrmgP6uU2JLw0pBjP/QRQb39IFWj7HXL3olAtsPY86WH+mgk5ysySAIY64jPtk9fAOQ== X-Received: by 2002:a63:db17:0:b0:3c1:dc15:7a6e with SMTP id e23-20020a63db17000000b003c1dc157a6emr24702527pgg.107.1652338898566; Thu, 12 May 2022 00:01:38 -0700 (PDT) Received: from localhost ([240e:3a1:2e9:efa0:e73c:e550:ac9e:58fd]) by smtp.gmail.com with ESMTPSA id q9-20020a170902a3c900b0015e8d4eb22fsm3060866plb.121.2022.05.12.00.01.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 May 2022 00:01:38 -0700 (PDT) From: Coiby Xu To: kexec@lists.infradead.org Cc: linux-arm-kernel@lists.infradead.org, Michal Suchanek , Baoquan He , Dave Young , Will Deacon , "Eric W . Biederman" , Mimi Zohar , Chun-Yi Lee , stable@vger.kernel.org, Philipp Rudo , keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Martin Schwidefsky , linux-s390@vger.kernel.org (open list:S390), linux-kernel@vger.kernel.org (open list) Subject: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification Date: Thu, 12 May 2022 15:01:23 +0800 Message-Id: <20220512070123.29486-5-coxu@redhat.com> X-Mailer: git-send-email 2.35.3 In-Reply-To: <20220512070123.29486-1-coxu@redhat.com> References: <20220512070123.29486-1-coxu@redhat.com> MIME-Version: 1.0 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=coxu@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220512_000141_882662_436AA2DA X-CRM114-Status: GOOD ( 13.68 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org From: Michal Suchanek commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype") adds support for KEXEC_SIG verification with keys from platform keyring but the built-in keys and secondary keyring are not used. Add support for the built-in keys and secondary keyring as x86 does. Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype") Cc: stable@vger.kernel.org Cc: Philipp Rudo Cc: kexec@lists.infradead.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" Acked-by: Baoquan He Signed-off-by: Coiby Xu --- arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 8f43575a4dd3..fc6d5f58debe 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; struct module_signature *ms; unsigned long sig_len; + int ret; /* Skip signature verification when not secure IPLed. */ if (!ipl_secure_flag) @@ -65,11 +66,18 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) return -EBADMSG; } - return verify_pkcs7_signature(kernel, kernel_len, - kernel + kernel_len, sig_len, - VERIFY_USE_PLATFORM_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; } #endif /* CONFIG_KEXEC_SIG */ -- 2.35.3 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel From mboxrd@z Thu Jan 1 00:00:00 1970 From: Coiby Xu Date: Thu, 12 May 2022 15:01:23 +0800 Subject: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification In-Reply-To: <20220512070123.29486-1-coxu@redhat.com> References: <20220512070123.29486-1-coxu@redhat.com> Message-ID: <20220512070123.29486-5-coxu@redhat.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: kexec@lists.infradead.org From: Michal Suchanek commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype") adds support for KEXEC_SIG verification with keys from platform keyring but the built-in keys and secondary keyring are not used. Add support for the built-in keys and secondary keyring as x86 does. Fixes: e23a8020ce4e ("s390/kexec_file: Signature verification prototype") Cc: stable at vger.kernel.org Cc: Philipp Rudo Cc: kexec at lists.infradead.org Cc: keyrings at vger.kernel.org Cc: linux-security-module at vger.kernel.org Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" Acked-by: Baoquan He Signed-off-by: Coiby Xu --- arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c index 8f43575a4dd3..fc6d5f58debe 100644 --- a/arch/s390/kernel/machine_kexec_file.c +++ b/arch/s390/kernel/machine_kexec_file.c @@ -31,6 +31,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1; struct module_signature *ms; unsigned long sig_len; + int ret; /* Skip signature verification when not secure IPLed. */ if (!ipl_secure_flag) @@ -65,11 +66,18 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len) return -EBADMSG; } - return verify_pkcs7_signature(kernel, kernel_len, - kernel + kernel_len, sig_len, - VERIFY_USE_PLATFORM_KEYRING, - VERIFYING_MODULE_SIGNATURE, - NULL, NULL); + ret = verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) + ret = verify_pkcs7_signature(kernel, kernel_len, + kernel + kernel_len, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + return ret; } #endif /* CONFIG_KEXEC_SIG */ -- 2.35.3