FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree
The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001
From: Yannik Sembritzki yannik@sembritzki.me Date: Thu, 16 Aug 2018 14:05:23 +0100 Subject: [PATCH] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot
The split of .system_keyring into .builtin_trusted_keys and .secondary_trusted_keys broke kexec, thereby preventing kernels signed by keys which are now in the secondary keyring from being kexec'd.
Fix this by passing VERIFY_USE_SECONDARY_KEYRING to verify_pefile_signature().
Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically") Signed-off-by: Yannik Sembritzki yannik@sembritzki.me Signed-off-by: David Howells dhowells@redhat.com Cc: kexec@lists.infradead.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: stable@kernel.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 7326078eaa7a..278cd07228dd 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data) static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) { return verify_pefile_signature(kernel, kernel_len, - NULL, + VERIFY_USE_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE); } #endif
This patch applies cleanly for me on the linux-4.9.y branch. Could you tell me what the problem is here?
Yannik
On 07.09.2018 11:14, gregkh@linuxfoundation.org wrote:
The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001 From: Yannik Sembritzki yannik@sembritzki.me Date: Thu, 16 Aug 2018 14:05:23 +0100 Subject: [PATCH] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot
The split of .system_keyring into .builtin_trusted_keys and .secondary_trusted_keys broke kexec, thereby preventing kernels signed by keys which are now in the secondary keyring from being kexec'd.
Fix this by passing VERIFY_USE_SECONDARY_KEYRING to verify_pefile_signature().
Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically") Signed-off-by: Yannik Sembritzki yannik@sembritzki.me Signed-off-by: David Howells dhowells@redhat.com Cc: kexec@lists.infradead.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Cc: stable@kernel.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 7326078eaa7a..278cd07228dd 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data) static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) { return verify_pefile_signature(kernel, kernel_len,
NULL,
VERIFY_USE_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE);} #endif
On Fri, Sep 07, 2018 at 12:34:08PM +0200, Yannik Sembritzki wrote:
This patch applies cleanly for me on the linux-4.9.y branch. Could you tell me what the problem is here?
The dependant patch fails to apply, so this one fails to build, sorry for not being more obviuos about this.
So a backport of both is needed here.
thanks,
greg k-h
Thanks, Greg.
I've backported the other (dependant) patch to 4.9; do I need to do anything more to also get this one applied to 4.9?
Yannik On 07.09.2018 12:53, Greg KH wrote:
On Fri, Sep 07, 2018 at 12:34:08PM +0200, Yannik Sembritzki wrote:
This patch applies cleanly for me on the linux-4.9.y branch. Could you tell me what the problem is here?
The dependant patch fails to apply, so this one fails to build, sorry for not being more obviuos about this.
So a backport of both is needed here.
thanks,
greg k-h
On Fri, Sep 07, 2018 at 12:56:40PM +0200, Yannik Sembritzki wrote:
Thanks, Greg.
I've backported the other (dependant) patch to 4.9; do I need to do anything more to also get this one applied to 4.9?
Yes, that one did not work :(
Can you resend the patch series, backported to 4.9, with the git ids of the original patches in them somewhere so I know what to do?
thanks,
greg k-h
Backport of 817aef260037f33ee0f44c17fe341323d3aebd6d
Signed-off-by: Yannik Sembritzki yannik@sembritzki.me --- certs/system_keyring.c | 3 ++- crypto/asymmetric_keys/pkcs7_key_type.c | 2 +- include/linux/verification.h | 6 ++++++ 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 50979d6d..24766505 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -14,6 +14,7 @@ #include <linux/sched.h> #include <linux/cred.h> #include <linux/err.h> +#include <linux/verification.h> #include <keys/asymmetric-type.h> #include <keys/system_keyring.h> #include <crypto/pkcs7.h> @@ -207,7 +208,7 @@ int verify_pkcs7_signature(const void *data, size_t len,
if (!trusted_keys) { trusted_keys = builtin_trusted_keys; - } else if (trusted_keys == (void *)1UL) { + } else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) { #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING trusted_keys = secondary_trusted_keys; #else diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c index 1063b644..b2aa925a 100644 --- a/crypto/asymmetric_keys/pkcs7_key_type.c +++ b/crypto/asymmetric_keys/pkcs7_key_type.c @@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep)
return verify_pkcs7_signature(NULL, 0, prep->data, prep->datalen, - (void *)1UL, usage, + VERIFY_USE_SECONDARY_KEYRING, usage, pkcs7_view_content, prep); }
diff --git a/include/linux/verification.h b/include/linux/verification.h index a10549a6..cfa4730d 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -12,6 +12,12 @@ #ifndef _LINUX_VERIFICATION_H #define _LINUX_VERIFICATION_H
+/* + * Indicate that both builtin trusted keys and secondary trusted keys + * should be used. + */ +#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL) + /* * The use to which an asymmetric key is being put. */
Fix this by passing VERIFY_USE_SECONDARY_KEYRING to verify_pefile_signature().
Backport of ea93102f32244e3f45c8b26260be77ed0cc1d16c
Signed-off-by: Yannik Sembritzki yannik@sembritzki.me --- arch/x86/kernel/kexec-bzimage64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 3407b148..490f9be3 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c @@ -529,7 +529,7 @@ static int bzImage64_cleanup(void *loader_data) static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) { return verify_pefile_signature(kernel, kernel_len, - NULL, + VERIFY_USE_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE); } #endif
linux-stable-mirror@lists.linaro.org
-
Greg KH -
gregkh@linuxfoundation.org
-
Yannik Sembritzki