From: Jessica Yu <jeyu@kernel.org>
To: Ke Wu <mikewu@google.com>
Cc: dhowells@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] modsign: use all trusted keys to verify module signature
Date: Wed, 7 Nov 2018 15:37:51 +0100
Message-ID: <20181107143750.GA26862@linux-8ccs>
In-Reply-To: <CANRnR9QkiiNNxSBzLUeFHw--xPGVEd5E0RfqNTgj4ji8LmVz7g@mail.gmail.com>

+++ Ke Wu [06/11/18 15:23 -0800]:
>Thanks for the comment! I switched to use
>VERIFY_USE_SECONDARY_KEYRING, please take a look.

Patch has been queued on modules-next. Thanks!

Jessica

>On Tue, Nov 6, 2018 at 3:21 PM Ke Wu <mikewu@google.com> wrote:
>>
>> Make mod_verify_sig to use all trusted keys. This allows keys in
>> secondary_trusted_keys to be used to verify PKCS#7 signature on a
>> kernel module.
>>
>> Signed-off-by: Ke Wu <mikewu@google.com>
>> ---
>> Changelog since v1:
>> - Use VERIFY_USE_SECONDARY_KEYRING rather than (void *)1UL
>>
>> kernel/module_signing.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/module_signing.c b/kernel/module_signing.c
>> index f2075ce8e4b3..6b9a926fd86b 100644
>> --- a/kernel/module_signing.c
>> +++ b/kernel/module_signing.c
>> @@ -83,6 +83,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
>> }
>>
>> return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
>> - NULL, VERIFYING_MODULE_SIGNATURE,
>> + VERIFY_USE_SECONDARY_KEYRING,
>> + VERIFYING_MODULE_SIGNATURE,
>> NULL, NULL);
>> }
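
Review bot: The trusted-keys argument of verify_pkcs7_signature() in mod_verify_sig() changes from NULL to VERIFY_USE_SECONDARY_KEYRING, which widens the set of keys that can authorize a module load, but the commit message only says that keys in secondary_trusted_keys become usable, not why that is wanted or what it means for module-signing policy. Suggest extending the changelog to state the motivating use case, who is able to add keys to secondary_trusted_keys, and what this call does on a kernel built without a secondary keyring, so that anyone relying on module signature enforcement can judge the change in trust.
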
>> --
>> 2.19.1.930.g4563a0d9d0-goog
>>
>
>
>--
>Ke Wu | Software Engineer | mikewu@google.com | Google Inc.