Commit 977080e5 authored Nov 18, 2022 by Michal Suchanek Committed by Zheng Zengkai Nov 18, 2022

kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification

stable inclusion
from stable-v5.10.137
commit 539c20ad260ef0f8cd3188e1950b018fff9a631b
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I60PLB

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=539c20ad260ef0f8cd3188e1950b018fff9a631b



--------------------------------

[ Upstream commit 0828c4a3 ]

commit e23a8020 ("s390/kexec_file: Signature verification prototype")
adds support for KEXEC_SIG verification with keys from platform keyring
but the built-in keys and secondary keyring are not used.

Add support for the built-in keys and secondary keyring as x86 does.

Fixes: e23a8020 ("s390/kexec_file: Signature verification prototype")
Cc: stable@vger.kernel.org
Cc: Philipp Rudo <prudo@linux.ibm.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: "Lee, Chun-Yi" <jlee@suse.com>
Acked-by: Baoquan He <bhe@redhat.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Reviewed-by: Wei Li <liwei391@huawei.com>

parent 0b9df3f7

arch/s390/kernel/machine_kexec_file.c

+13 −5

Original line number	Diff line number	Diff line
		@@ -29,6 +29,7 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
		const unsigned long marker_len = sizeof(MODULE_SIG_STRING) - 1;
		struct module_signature *ms;
		unsigned long sig_len;
		int ret;

		/* Skip signature verification when not secure IPLed. */
		if (!ipl_secure_flag)
		@@ -63,11 +64,18 @@ int s390_verify_sig(const char *kernel, unsigned long kernel_len)
		return -EBADMSG;
		}

		return verify_pkcs7_signature(kernel, kernel_len,
		ret = verify_pkcs7_signature(kernel, kernel_len,
		kernel + kernel_len, sig_len,
		VERIFY_USE_SECONDARY_KEYRING,
		VERIFYING_MODULE_SIGNATURE,
		NULL, NULL);
		if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))
		ret = verify_pkcs7_signature(kernel, kernel_len,
		kernel + kernel_len, sig_len,
		VERIFY_USE_PLATFORM_KEYRING,
		VERIFYING_MODULE_SIGNATURE,
		NULL, NULL);
		return ret;
		}
		#endif /* CONFIG_KEXEC_SIG */