[SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Thadeu Lima de Souza Cascardo-3
From: Yannik Sembritzki <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1798441

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Yannik Sembritzki <[hidden email]>
Signed-off-by: David Howells <[hidden email]>
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Signed-off-by: Linus Torvalds <[hidden email]>
(backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
---
 arch/x86/kernel/kexec-bzimage64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 7722b08db6a4..57abde6e3475 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loader_data)
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
  return verify_pefile_signature(kernel, kernel_len,
-       NULL,
+       ((struct key *)1UL),
        VERIFYING_KEXEC_PE_SIGNATURE);
 }
 #endif
--
2.19.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK: [SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Seth Forshee
On Wed, Oct 17, 2018 at 09:03:05PM -0300, Thadeu Lima de Souza Cascardo wrote:

> From: Yannik Sembritzki <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1798441
>
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
>
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
>
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <[hidden email]>
> Signed-off-by: David Howells <[hidden email]>
> Cc: [hidden email]
> Cc: [hidden email]
> Cc: [hidden email]
> Cc: [hidden email]
> Signed-off-by: Linus Torvalds <[hidden email]>
> (backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
> Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>

Acked-by: Seth Forshee <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

ACK/Cmnt: [SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Stefan Bader-2
In reply to this post by Thadeu Lima de Souza Cascardo-3
On 18.10.18 02:03, Thadeu Lima de Souza Cascardo wrote:

> From: Yannik Sembritzki <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1798441
>
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
>
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
>
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <[hidden email]>
> Signed-off-by: David Howells <[hidden email]>
> Cc: [hidden email]
> Cc: [hidden email]
> Cc: [hidden email]
> Cc: [hidden email]
> Signed-off-by: Linus Torvalds <[hidden email]>
> (backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
> Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>
> ---

Verified that the used pointer is indeed the definition of
VERIFY_USE_SECONDARY_KEYRING in Cosmic (changed state of the bug report to fix
released for devel as this had been applied to Cosmic before release) and also
verified that the verification counter-part has a check for (void *)1UL to match.

-Stefan

>  arch/x86/kernel/kexec-bzimage64.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7722b08db6a4..57abde6e3475 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loader_data)
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
>   return verify_pefile_signature(kernel, kernel_len,
> -       NULL,
> +       ((struct key *)1UL),
>         VERIFYING_KEXEC_PE_SIGNATURE);
>  }
>  #endif
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

APPLIED: [SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Stefan Bader-2
In reply to this post by Thadeu Lima de Souza Cascardo-3
On 18.10.18 02:03, Thadeu Lima de Souza Cascardo wrote:

> From: Yannik Sembritzki <[hidden email]>
>
> BugLink: https://bugs.launchpad.net/bugs/1798441
>
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
>
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
>
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <[hidden email]>
> Signed-off-by: David Howells <[hidden email]>
> Cc: [hidden email]
> Cc: [hidden email]
> Cc: [hidden email]
> Cc: [hidden email]
> Signed-off-by: Linus Torvalds <[hidden email]>
> (backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
> Signed-off-by: Thadeu Lima de Souza Cascardo <[hidden email]>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7722b08db6a4..57abde6e3475 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loader_data)
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
>   return verify_pefile_signature(kernel, kernel_len,
> -       NULL,
> +       ((struct key *)1UL),
>         VERIFYING_KEXEC_PE_SIGNATURE);
>  }
>  #endif
>
Applied to bionic/master-next. Thanks.

-Stefan


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (836 bytes) Download Attachment