[PATCH 1/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary keyring for module signing

Seth Forshee seth.forshee at canonical.com
Fri Oct 26 17:55:15 UTC 2018


BugLink: https://bugs.launchpad.net/bugs/1798863

For signing dkms modules we use a machine owner key whose public
half is enrolled into shim. This gets imported into the kernel's
secondary keyring, thus keys in this keyring need to be trusted
for module signing.

Unfortunately the revision of the "secure boot lockdown" patches
imported into cosmic had a bug whereby keys in the secondary
keyring are not trusted for module signing. Another bug resulted
in the modules still being loaded under lockdown, so before
fixing that bug we need to fix the bug with trusting the MOK for
module signing so that dkms modules signed with the MOK will
continue to load.

CVE-2018-18653

Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
---
 kernel/module_signing.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 937c844bee4a..d3d6f95a96b4 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
 	}
 
 	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      NULL, VERIFYING_MODULE_SIGNATURE,
+				      (void *)1UL, VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
 }
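Review bot: the `(void *)1UL` passed as the trusted_keys argument of verify_pkcs7_signature() in this hunk is an unexplained magic value, and nothing in kernel/module_signing.c tells the next reader that it selects the secondary trusted keyring rather than being a bogus pointer. If this tree carries the VERIFY_USE_SECONDARY_KEYRING define from include/linux/verification.h, use it here instead of the literal; if it does not, add a one-line comment above the call, e.g. `/* 1UL: verify against the secondary trusted keyring, where the MOK lives */`, so the intent stated in the commit message survives in the code.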
-- 
2.19.1
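As an added practitioner check, not part of this patch or of the Ubuntu kernel tree, the POSIX shell below compares the signer key id that modinfo reports for a module against a listing of the kernel's secondary trusted keyring, which is where the commit message says the shim-enrolled MOK ends up, so you can tell before rebooting whether a dkms module's signer is a key the kernel trusts. It assumes that `modinfo -F sig_key` prints the signer key id as colon-separated upper-case hex and that `keyctl list` prints each asymmetric key's description ending in the same id as lower-case hex without colons; both sample inputs are constructed, and `check_module` is a hypothetical helper that runs the live tools (keyutils and kmod) and is not exercised by the samples.

```shell
#!/bin/sh
# Added example; not code from the patch above or from the Ubuntu kernel.
# Assumptions: modinfo -F sig_key prints "3E:BA:..." (upper hex, colon separated);
# keyctl list %:.secondary_trusted_keys prints one key per line whose description
# ends in the key id as lower-case hex without colons. Sample data is constructed.

# Constructed sample of `modinfo -F sig_key some-dkms-module.ko`
SAMPLE_SIG_KEY='3E:BA:AB:3E:1C:2D:4F:5A:6B:7C:8D:9E:AF:B0:C1:D2:E3:F4:05:16'

# Constructed sample of `keyctl list %:.secondary_trusted_keys`
SAMPLE_KEYRING='3 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d
 987654321: ---lswrv     0     0 asymmetric: Canonical Ltd. Secure Boot Signing: 0123456789abcdef0123456789abcdef01234567
 192837465: ---lswrv     0     0 asymmetric: Machine Owner Key (constructed): 3ebaab3e1c2d4f5a6b7c8d9eafb0c1d2e3f40516'

# normalise_sig_key: "3E:BA:AB" -> "3ebaab", the form used in key descriptions.
normalise_sig_key() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# keyring_trusts SIG_KEY LISTING: exit 0 if LISTING contains a key whose
# description carries the normalised id of SIG_KEY, 1 otherwise.
keyring_trusts() {
    _skid=$(normalise_sig_key "$1")
    # An empty id would make grep match every line; treat it as untrusted.
    [ -n "$_skid" ] || return 1
    printf '%s\n' "$2" | grep -q -i -- "$_skid"
}

# check_module MODULE.ko: hypothetical live wrapper. Needs kmod (modinfo) and
# keyutils (keyctl); reading the keyring listing normally requires root.
# Exit 0 = signer found in the secondary keyring, 1 = not found, 2 = tool error.
check_module() {
    _key=$(modinfo -F sig_key "$1") || return 2
    [ -n "$_key" ] || { echo "no signature on $1" >&2; return 1; }
    _list=$(keyctl list %:.secondary_trusted_keys) || return 2
    keyring_trusts "$_key" "$_list"
}

# Stand-alone run against the constructed samples.
if keyring_trusts "$SAMPLE_SIG_KEY" "$SAMPLE_KEYRING"; then
    echo "sample module signer is in the secondary trusted keyring"
else
    echo "sample module signer is NOT in the secondary trusted keyring"
fi
```

On a live system run `check_module /path/to/module.ko` as root; a non-zero result before the lockdown fix described in the commit message is exactly the case where a MOK-signed dkms module would stop loading, and a match tells you only that the signer is present, not that the kernel actually consults that keyring, which is what the one-line change in the patch is about.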
