FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree

FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree

[gregkh]

The patch below does not apply to the 4.9-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001
From: Yannik Sembritzki <yannik@sembritzki.me>
Date: Thu, 16 Aug 2018 14:05:23 +0100
Subject: [PATCH] Fix kexec forbidding kernels signed with keys in the
 secondary keyring to boot

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 7326078eaa7a..278cd07228dd 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
 	return verify_pefile_signature(kernel, kernel_len,
-				       NULL,
+				       VERIFY_USE_SECONDARY_KEYRING,
 				       VERIFYING_KEXEC_PE_SIGNATURE);
 }
 #endif

Re: FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree

[Yannik Sembritzki]

This patch applies cleanly for me on the linux-4.9.y branch. Could you
tell me what the problem is here?

Yannik

On 07.09.2018 11:14, gregkh@linuxfoundation.org wrote:
> The patch below does not apply to the 4.9-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
>
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001
> From: Yannik Sembritzki <yannik@sembritzki.me>
> Date: Thu, 16 Aug 2018 14:05:23 +0100
> Subject: [PATCH] Fix kexec forbidding kernels signed with keys in the
>  secondary keyring to boot
>
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
>
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
>
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Cc: kexec@lists.infradead.org
> Cc: keyrings@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7326078eaa7a..278cd07228dd 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
>  	return verify_pefile_signature(kernel, kernel_len,
> -				       NULL,
> +				       VERIFY_USE_SECONDARY_KEYRING,
>  				       VERIFYING_KEXEC_PE_SIGNATURE);
>  }
>  #endif
>

Re: FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree

[Greg KH]

On Fri, Sep 07, 2018 at 12:34:08PM +0200, Yannik Sembritzki wrote:
> This patch applies cleanly for me on the linux-4.9.y branch. Could you
> tell me what the problem is here?

The dependant patch fails to apply, so this one fails to build, sorry
for not being more obviuos about this.

So a backport of both is needed here.

thanks,

greg k-h

Re: FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree

[Yannik Sembritzki]

Thanks, Greg.

I've backported the other (dependant) patch to 4.9; do I need to do
anything more to also get this one applied to 4.9?

Yannik
On 07.09.2018 12:53, Greg KH wrote:
> On Fri, Sep 07, 2018 at 12:34:08PM +0200, Yannik Sembritzki wrote:
>> This patch applies cleanly for me on the linux-4.9.y branch. Could you
>> tell me what the problem is here?
> The dependant patch fails to apply, so this one fails to build, sorry
> for not being more obviuos about this.
>
> So a backport of both is needed here.
>
> thanks,
>
> greg k-h

Re: FAILED: patch "[PATCH] Fix kexec forbidding kernels signed with keys in the" failed to apply to 4.9-stable tree

[Greg KH]

On Fri, Sep 07, 2018 at 12:56:40PM +0200, Yannik Sembritzki wrote:
> Thanks, Greg.
> 
> I've backported the other (dependant) patch to 4.9; do I need to do
> anything more to also get this one applied to 4.9?

Yes, that one did not work :(

Can you resend the patch series, backported to 4.9, with the git ids of
the original patches in them somewhere so I know what to do?

thanks,

greg k-h

[PATCH 1/2] Replace the use of a magic number that indicates that verify_*_signature() should use the secondary keyring with a symbol.

[Yannik Sembritzki]

Backport of 817aef260037f33ee0f44c17fe341323d3aebd6d

Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
---
 certs/system_keyring.c                  | 3 ++-
 crypto/asymmetric_keys/pkcs7_key_type.c | 2 +-
 include/linux/verification.h            | 6 ++++++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 50979d6d..24766505 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -14,6 +14,7 @@
 #include <linux/sched.h>
 #include <linux/cred.h>
 #include <linux/err.h>
+#include <linux/verification.h>
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include <crypto/pkcs7.h>
@@ -207,7 +208,7 @@ int verify_pkcs7_signature(const void *data, size_t len,
 
 	if (!trusted_keys) {
 		trusted_keys = builtin_trusted_keys;
-	} else if (trusted_keys == (void *)1UL) {
+	} else if (trusted_keys == VERIFY_USE_SECONDARY_KEYRING) {
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 		trusted_keys = secondary_trusted_keys;
 #else
diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c
index 1063b644..b2aa925a 100644
--- a/crypto/asymmetric_keys/pkcs7_key_type.c
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep)
 
 	return verify_pkcs7_signature(NULL, 0,
 				      prep->data, prep->datalen,
-				      (void *)1UL, usage,
+				      VERIFY_USE_SECONDARY_KEYRING, usage,
 				      pkcs7_view_content, prep);
 }
 
diff --git a/include/linux/verification.h b/include/linux/verification.h
index a10549a6..cfa4730d 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -12,6 +12,12 @@
 #ifndef _LINUX_VERIFICATION_H
 #define _LINUX_VERIFICATION_H
 
+/*
+ * Indicate that both builtin trusted keys and secondary trusted keys
+ * should be used.
+ */
+#define VERIFY_USE_SECONDARY_KEYRING ((struct key *)1UL)
+
 /*
  * The use to which an asymmetric key is being put.
  */
-- 
2.17.1

[PATCH 2/2] The split of .system_keyring into .builtin_trusted_keys and .secondary_trusted_keys broke kexec, thereby preventing kernels signed by keys which are now in the secondary keyring from being kexec'd.

[Yannik Sembritzki]

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Backport of ea93102f32244e3f45c8b26260be77ed0cc1d16c

Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
---
 arch/x86/kernel/kexec-bzimage64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 3407b148..490f9be3 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -529,7 +529,7 @@ static int bzImage64_cleanup(void *loader_data)
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
 	return verify_pefile_signature(kernel, kernel_len,
-				       NULL,
+				       VERIFY_USE_SECONDARY_KEYRING,
 				       VERIFYING_KEXEC_PE_SIGNATURE);
 }
 #endif
-- 
2.17.1