From: Jessica Yu <jeyu@kernel.org>
To: Ke Wu <mikewu@google.com>
Cc: dhowells@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] modsign: use all trusted keys to verify module signature
Date: Wed, 7 Nov 2018 15:37:51 +0100 [thread overview]
Message-ID: <20181107143750.GA26862@linux-8ccs> (raw)
In-Reply-To: <CANRnR9QkiiNNxSBzLUeFHw--xPGVEd5E0RfqNTgj4ji8LmVz7g@mail.gmail.com>
+++ Ke Wu [06/11/18 15:23 -0800]:
>Thanks for the comment! I switched to use
>VERIFY_USE_SECONDARY_KEYRING, please take a look.
Patch has been queued on modules-next. Thanks!
Jessica
>On Tue, Nov 6, 2018 at 3:21 PM Ke Wu <mikewu@google.com> wrote:
>>
>> Make mod_verify_sig to use all trusted keys. This allows keys in
>> secondary_trusted_keys to be used to verify PKCS#7 signature on a
>> kernel module.
>>
>> Signed-off-by: Ke Wu <mikewu@google.com>
>> ---
>> Changelog since v1:
>> - Use VERIFY_USE_SECONDARY_KEYRING rather than (void *)1UL
>>
>> kernel/module_signing.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/module_signing.c b/kernel/module_signing.c
>> index f2075ce8e4b3..6b9a926fd86b 100644
>> --- a/kernel/module_signing.c
>> +++ b/kernel/module_signing.c
>> @@ -83,6 +83,7 @@ int mod_verify_sig(const void *mod, struct load_info *info)
>> }
>>
>> return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
>> - NULL, VERIFYING_MODULE_SIGNATURE,
>> + VERIFY_USE_SECONDARY_KEYRING,
>> + VERIFYING_MODULE_SIGNATURE,
>> NULL, NULL);
>> }
>> --
>> 2.19.1.930.g4563a0d9d0-goog
>>
>
>
>--
>Ke Wu | Software Engineer | mikewu@google.com | Google Inc.
prev parent reply other threads:[~2018-11-07 14:37 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-22 22:26 [PATCH] modsign: use all trusted keys to verify module signature Ke Wu
2018-10-30 19:11 ` Ke Wu
2018-10-31 9:36 ` Jessica Yu
2018-11-05 19:13 ` Ke Wu
2018-11-06 12:35 ` Jessica Yu
2018-11-06 23:21 ` [PATCH v2] " Ke Wu
2018-11-06 23:23 ` Ke Wu
2018-11-07 14:37 ` Jessica Yu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181107143750.GA26862@linux-8ccs \
--to=jeyu@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mikewu@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox