[PATCH 1/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary keyring for module signing
Tyler Hicks
tyhicks at canonical.com
Fri Oct 26 21:37:54 UTC 2018
On 2018-10-26 11:55:15, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1798863
>
> For signing dkms modules we use a machine owner key whose public
> half is enrolled into shim. This gets imported into the kernel's
> secondary keyring, thus keys in this keyring need to be trusted
> for module signing.
>
> Unfortunately the revision of the "secure boot lockdown" patches
> imported into cosmic had a bug whereby keys in the secondary
> keyring are not trusted for module signing. Another bug resulted
> in the modules still being loaded under lockdown, so before
> fixing that bug we need to fix the bug with trusting the MOK for
> module signing so that dkms modules signed with the MOK will
> continue to load.
>
> CVE-2018-18653
>
> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
After dropping the CVE ID from the commit message and switching over to
VERIFY_USE_SECONDARY_KEYRING (because it is part of the kernel internal
API and could change on us at some point in the future)...
Acked-by: Tyler Hicks <tyhicks at canonical.com>
Tyler
> ---
> kernel/module_signing.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/module_signing.c b/kernel/module_signing.c
> index 937c844bee4a..d3d6f95a96b4 100644
> --- a/kernel/module_signing.c
> +++ b/kernel/module_signing.c
> @@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
> }
>
> return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
> - NULL, VERIFYING_MODULE_SIGNATURE,
> + (void *)1UL, VERIFYING_MODULE_SIGNATURE,
> NULL, NULL);
> }
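Review bot: the new trusted_keys argument on the `+` line, `(void *)1UL`, is a bare magic sentinel; the kernel already names that value VERIFY_USE_SECONDARY_KEYRING (the ack above asks for the same switch), so the line should read `+ VERIFY_USE_SECONDARY_KEYRING, VERIFYING_MODULE_SIGNATURE,` so the intent is readable at the call site and the hunk keeps working if the sentinel's definition ever changes. One sentence in the commit message should also state what the one-liner does: with NULL, verify_pkcs7_signature checks module signatures against the builtin keyring only, while the secondary keyring is where the commit message says the MOK is imported, so this switch is what lets MOK-signed dkms modules verify. Nothing in the hunk itself conveys that.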
> --
> 2.19.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
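The commit message turns on a MOK-signed dkms module being checked against the right keyring, and the patched call hands verify_pkcs7_signature the module body (mod, modlen) plus the PKCS#7 blob appended to it (mod + modlen, sig_len). The following is an added userland example, not code from the patch, the kernel tree or Canonical: it parses the signature trailer a signed .ko carries and locates that blob, which is the step the kernel performs before it consults the builtin or secondary keyring. The trailer layout (struct module_signature and the MODULE_SIG_STRING marker) is the kernel's; the sample payload and signature bytes are constructed and not a real module or signature, and the actual PKCS#7 verification against a keyring is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Trailer layout from the kernel's include/linux/module_signature.h, reproduced
 * for this userland parser (added example, not kernel code): a 12-byte
 * struct module_signature followed by a 28-byte marker string ends the .ko.
 * Struct byte offsets: 0 algo, 1 hash, 2 id_type, 3 signer_len, 4 key_id_len,
 * 5..7 pad, 8..11 sig_len (big-endian). */
#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MARKER_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define MS_LEN 12
#define PKEY_ID_PKCS7 2

struct sig_location {
    size_t modlen;        /* bytes covered by the signature (the module proper) */
    const uint8_t *sig;   /* start of the PKCS#7 blob, i.e. image + modlen */
    size_t sig_len;
};

/* Image layout: <module> <PKCS#7 blob> <struct module_signature> <marker>.
 * Returns 0 and fills *out, or -1 if no signature is appended or the trailer
 * is malformed (where the kernel returns -ENOPKG / -EBADMSG). */
int locate_module_signature(const uint8_t *image, size_t len,
                            struct sig_location *out)
{
    const uint8_t *ms;
    uint32_t sig_len;

    if (len < MARKER_LEN + MS_LEN ||
        memcmp(image + len - MARKER_LEN, MODULE_SIG_STRING, MARKER_LEN) != 0)
        return -1;                              /* no signature appended */
    len -= MARKER_LEN + MS_LEN;
    ms = image + len;                           /* struct module_signature */

    /* Only PKCS#7 is accepted, and algo, hash, signer_len, key_id_len and
     * the padding must all be zero, as the kernel insists. */
    if (ms[2] != PKEY_ID_PKCS7 ||
        ms[0] || ms[1] || ms[3] || ms[4] || ms[5] || ms[6] || ms[7])
        return -1;
    sig_len = ((uint32_t)ms[8] << 24) | ((uint32_t)ms[9] << 16) |
              ((uint32_t)ms[10] << 8) | (uint32_t)ms[11];
    if (sig_len == 0 || sig_len >= len)
        return -1;                              /* blob would swallow the module */

    out->modlen = len - sig_len;                /* the kernel's modlen */
    out->sig = image + out->modlen;             /* the kernel's mod + modlen */
    out->sig_len = sig_len;
    return 0;
}

/* Builds a constructed image in that layout so the parser can run offline.
 * Returns the total length, or 0 if buf cannot hold it. */
size_t build_signed_image(uint8_t *buf, size_t cap, const uint8_t *payload,
                          size_t plen, const uint8_t *sig, uint32_t slen)
{
    size_t total = plen + slen + MS_LEN + MARKER_LEN;
    uint8_t *p = buf;

    if (total > cap)
        return 0;
    memcpy(p, payload, plen);  p += plen;
    memcpy(p, sig, slen);      p += slen;
    memset(p, 0, MS_LEN);
    p[2] = PKEY_ID_PKCS7;
    p[8] = (uint8_t)(slen >> 24); p[9] = (uint8_t)(slen >> 16);
    p[10] = (uint8_t)(slen >> 8); p[11] = (uint8_t)slen;
    memcpy(p + MS_LEN, MODULE_SIG_STRING, MARKER_LEN);
    return total;
}

/* Constructed stand-ins: neither a real ELF module nor a real PKCS#7 blob. */
#define SAMPLE_PAYLOAD_LEN 16
#define SAMPLE_SIG_LEN 6
static const uint8_t sample_payload[SAMPLE_PAYLOAD_LEN + 1] = "module-payload!!";
static const uint8_t sample_sig[SAMPLE_SIG_LEN] = { 0x30, 0x82, 0x01, 0x02, 0x03, 0x04 };

/* Self-check on the constructed sample; returns the number of expectations
 * met, 3 when the parser behaves as described above. */
int run_self_checks(void)
{
    uint8_t img[64];
    struct sig_location loc;
    size_t n = build_signed_image(img, sizeof img, sample_payload,
                                  SAMPLE_PAYLOAD_LEN, sample_sig, SAMPLE_SIG_LEN);
    int ok = 0;

    if (n == 0)
        return 0;
    /* 1. well-formed trailer: module proper and blob found where they were built */
    ok += locate_module_signature(img, n, &loc) == 0 &&
          loc.modlen == SAMPLE_PAYLOAD_LEN && loc.sig_len == SAMPLE_SIG_LEN &&
          loc.sig == img + SAMPLE_PAYLOAD_LEN &&
          memcmp(loc.sig, sample_sig, SAMPLE_SIG_LEN) == 0;
    /* 2. no marker at all: the kernel treats this as an unsigned module */
    ok += locate_module_signature(sample_payload, SAMPLE_PAYLOAD_LEN, &loc) == -1;
    /* 3. corrupt the top byte of sig_len so the blob would overrun the image */
    img[n - MARKER_LEN - MS_LEN + 8] = 0xff;
    ok += locate_module_signature(img, n, &loc) == -1;
    return ok;
}
```

The two rejection paths matter for a defender reading a lockdown bug like the one described above: a module with no trailer is "unsigned" and is refused outright when signature enforcement is on, and a trailer whose sig_len does not fit the file is rejected before any cryptography runs. Which keyring the located blob is then verified against is exactly the choice the patch changes.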