From patchwork Fri Oct 26 17:55:15 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 989707
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 42hWqq2V8Zz9sMp;
	Sat, 27 Oct 2018 04:55:35 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1gG6KU-0006SW-Ht; Fri, 26 Oct 2018 17:55:26 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <seth.forshee@canonical.com>)
	id 1gG6KR-0006Rf-Hu
	for kernel-team@lists.ubuntu.com; Fri, 26 Oct 2018 17:55:23 +0000
Received: from mail-pf1-f199.google.com ([209.85.210.199])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <seth.forshee@canonical.com>)
	id 1gG6KR-0000bJ-65
	for kernel-team@lists.ubuntu.com; Fri, 26 Oct 2018 17:55:23 +0000
Received: by mail-pf1-f199.google.com with SMTP id v88-v6so1270837pfk.19
	for <kernel-team@lists.ubuntu.com>;
	Fri, 26 Oct 2018 10:55:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=GDptrDJiCHAP0ynlsCknmwk5n4KE5oOEWyJUx300tGk=;
	b=tOuT7vK1LS1l8Ek/ixYwJxPp4gnRhcswYjhlw0Iv8oUYCoJDae4bekTFwpfRXw9EVm
	ogM6xoFlK+kqtdZIgBcxIGyTmJ1NdqbKOwiW7cQ2Zl9wQQX5vGtaT2sr+sha1AwSXcI4
	r++SprYtBSLLzC3EBmk1DmU4r6sNa4yavnI2DJHsf0AqMG4iRorf27Oz8GCLWOeWUtE4
	Oi2CNb7RgAdDLolPk9zBgNkK5wNJFWM80CZvIGJ4u9MgTMc9ttAN4NxXvqgA/wXJK738
	Q7Pl7yfODBNEATFukL0/hbkWyhsg3NPPbNygpGW4mc4eEbQcEw/DEfIxU28olP4B8SdQ
	MC1A==
X-Gm-Message-State: AGRZ1gKm9m0D/yWPhi0XVrD2/AUgD3n8AWLodh9y2cmti8Ona/gA2ga2
	iFRzZz2RiXRn07JHNc/kUOtSH9B/sQmrpLgeqcWeXv+DNg4bMQQQAxU5dLfPo+uA6+OVHqkd0W9
	o5QscUlH2i31VcZQgXdib3ae6nHbL8mCi/iMLOVI0Lg==
X-Received: by 2002:a62:8dcd:: with SMTP id
	p74-v6mr4842582pfk.217.1540576521474;
	Fri, 26 Oct 2018 10:55:21 -0700 (PDT)
X-Google-Smtp-Source: 
 AJdET5e6BT7OH1uV9TKA1Gitt0WAur45cNbPogE76/lLpDJ3NCklMD8/r/g7qv70R2L3T4eykpXVXA==
X-Received: by 2002:a62:8dcd:: with SMTP id
	p74-v6mr4842552pfk.217.1540576521043;
	Fri, 26 Oct 2018 10:55:21 -0700 (PDT)
Received: from localhost (h59.232.132.40.static.ip.windstream.net.
	[40.132.232.59]) by smtp.gmail.com with ESMTPSA id
	h87-v6sm18948051pfj.78.2018.10.26.10.55.19
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Fri, 26 Oct 2018 10:55:20 -0700 (PDT)
From: Seth Forshee <seth.forshee@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: trust keys
	from secondary keyring for module signing
Date: Fri, 26 Oct 2018 11:55:15 -0600
Message-Id: <20181026175516.21251-2-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181026175516.21251-1-seth.forshee@canonical.com>
References: <20181026175516.21251-1-seth.forshee@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

BugLink: https://bugs.launchpad.net/bugs/1798863

For signing dkms modules we use a machine owner key whose public
half is enrolled into shim. This gets imported into the kernel's
secondary keyring, thus keys in this keyring need to be trusted
for module signing.

Unfortunately the revision of the "secure boot lockdown" patches
imported into cosmic had a bug whereby keys in the secondary
keyring are not trusted for module signing. Another bug resulted
in the modules still being loaded under lockdown, so before
fixing that bug we need to fix the bug with trusting the MOK for
module signing so that dkms modules sigend with the MOK will
continue to load.

CVE-2018-18653

Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
---
 kernel/module_signing.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 937c844bee4a..d3d6f95a96b4 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
 	}
 
 	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      NULL, VERIFYING_MODULE_SIGNATURE,
+				      (void *)1UL, VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
 }