kexec, KEYS: Make use of platform keyring for signature verify

This patch allows the kexec_file_load syscall to verify the PE signed
kernel image signature based on the preboot keys stored in the .platform
keyring, as fall back, if the signature verification failed due to not
finding the public key in the secondary or builtin keyrings.

This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
should verify the signature using platform keyring.  Also, decrease
the error message log level when verification failed with -ENOKEY,
so that if called tried multiple time with different keyring it
won't generate extra noises.

Signed-off-by: Kairui Song <kasong@redhat.com>
Cc: David Howells <dhowells@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part)
[zohar@linux.ibm.com: tweaked the first paragraph of the patch description,
 and fixed checkpatch warning.]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 278cd07228dd886778cabf708dd2b1237a318d72..e1215a600064b3b5416b87fd03e86df246c2b742 100644 (file)
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -531,9 +531,17 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-       return verify_pefile_signature(kernel, kernel_len,
-                                      VERIFY_USE_SECONDARY_KEYRING,
-                                      VERIFYING_KEXEC_PE_SIGNATURE);
+       int ret;
+
+       ret = verify_pefile_signature(kernel, kernel_len,
+                                     VERIFY_USE_SECONDARY_KEYRING,
+                                     VERIFYING_KEXEC_PE_SIGNATURE);
+       if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+               ret = verify_pefile_signature(kernel, kernel_len,
+                                             VERIFY_USE_PLATFORM_KEYRING,
+                                             VERIFYING_KEXEC_PE_SIGNATURE);
+       }
+       return ret;
 }
 #endif
 

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index da055e901df49e42681af09e6732b59953944cda..c05c29ae4d5da62dd0f0e102b7dae22df722cf37 100644 (file)
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -240,11 +240,22 @@ int verify_pkcs7_signature(const void *data, size_t len,
 #else
                trusted_keys = builtin_trusted_keys;
 #endif
+       } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
+#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+               trusted_keys = platform_trusted_keys;
+#else
+               trusted_keys = NULL;
+#endif
+               if (!trusted_keys) {
+                       ret = -ENOKEY;
+                       pr_devel("PKCS#7 platform keyring is not available\n");
+                       goto error;
+               }
        }
        ret = pkcs7_validate_trust(pkcs7, trusted_keys);
        if (ret < 0) {
                if (ret == -ENOKEY)
-                       pr_err("PKCS#7 signature not signed with a trusted key\n");
+                       pr_devel("PKCS#7 signature not signed with a trusted key\n");
                goto error;
        }
 

diff --git a/include/linux/verification.h b/include/linux/verification.h
index cfa4730d607aa2edc95364f2e09dca1f0e442407..018fb5f13d446f1c380e15de755eccf664d3ff65 100644 (file)
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -17,6 +17,7 @@
  * should be used.
  */
 #define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
+#define VERIFY_USE_PLATFORM_KEYRING  ((struct key *)2UL)
 
 /*
  * The use to which an asymmetric key is being put.