[PATCH 1/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary keyring for module signing

Tyler Hicks tyhicks at canonical.com
Fri Oct 26 21:37:54 UTC 2018


On 2018-10-26 11:55:15, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1798863
> 
> For signing dkms modules we use a machine owner key whose public
> half is enrolled into shim. This gets imported into the kernel's
> secondary keyring, thus keys in this keyring need to be trusted
> for module signing.
> 
> Unfortunately the revision of the "secure boot lockdown" patches
> imported into cosmic had a bug whereby keys in the secondary
> keyring are not trusted for module signing. Another bug resulted
> in the modules still being loaded under lockdown, so before
> fixing that bug we need to fix the bug with trusting the MOK for
> module signing so that dkms modules signed with the MOK will
> continue to load.
> 
> CVE-2018-18653
> 
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>

After dropping the CVE ID from the commit message and switching over to
VERIFY_USE_SECONDARY_KEYRING (because it is part of the kernel internal
API and could change on us at some point in the future)...

Acked-by: Tyler Hicks <tyhicks at canonical.com>

Tyler

> ---
>  kernel/module_signing.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/module_signing.c b/kernel/module_signing.c
> index 937c844bee4a..d3d6f95a96b4 100644
> --- a/kernel/module_signing.c
> +++ b/kernel/module_signing.c
> @@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
>  	}
>  
>  	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> -				      NULL, VERIFYING_MODULE_SIGNATURE,
> +				      (void *)1UL, VERIFYING_MODULE_SIGNATURE,
>  				      NULL, NULL);
>  }
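Review bot: the `+` line replaces NULL with the bare sentinel `(void *)1UL` as the trusted-keys argument to verify_pkcs7_signature(); that value is the kernel's internal encoding for "use the secondary trusted keyring" and is exposed as the VERIFY_USE_SECONDARY_KEYRING macro, so the hunk should pass that symbol instead of the raw cast (as the ack below also requires), both for readability and so the module-signing path does not silently break if the sentinel's value is ever changed. A one-line comment above the call stating that the MOK enrolled via shim lands in the secondary keyring would also help, since nothing in the diff context explains why NULL (builtin keyring only) was wrong.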
> -- 
> 2.19.1