From nobody Wed Feb 11 08:12:13 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 792BF22171E for ; Mon, 2 Jun 2025 13:26:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1748870764; cv=none; b=fo+MPQ5UMD9Un5uLxIHF2XtntT4qhSsbfbSd3QAzI3KVgNFiZduJkaaMJ8Dqy2wN71o1oF0Z7jq4pVNIPs23ILa4eKon4b7m8ieW8J9z2Tj1mmk/gPxbk1BKIjy2HP3bSSBRZPwKHxBW/goi/bidZnZBY3A0QXDMfhUMl4Wu6Iw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1748870764; c=relaxed/simple; bh=Mz2VSrEiZ5oX5C4O51bSvAOqVSLa2TxMZyfLzwwUvoc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=YLrcZfHnbnzSDlarMuiIgtvoQK8G9E0lcg7hISpFoZ+lL2oN4mwxapXOQuq8PobYL6h9yCg//SddRerovhxnoRsN3Qv23Ot2Xkilh2LLmaj+2zTi6JuoOrbB3/y073gj/l+Xltv70p7sJWTFWmH/Htbrz0VTZFqXhj/6H0yTyKU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=Qb9clEsm; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="Qb9clEsm" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1748870761; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UGJhWJHjw7Hp8c1hgWnOUEnNwrG2wjjIX1QvpNBnjsw=; b=Qb9clEsmGCXehXgxYCnfXvvitOOf0eVNuAJbgqldee/nzY6sUkTBw8wY9hiWo5l579328P ZWCN60fophZw10cclkatHfqnl7nz2q/hDbO4KZA6hFr+H3GAw6nXz3P/6c2YvuVl+BUaCR riTv0Qkt/S8JUAjN+qBRVAPPs52E3PY= Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-669-Y6nYanefN1aR8MDWv4PZRw-1; Mon, 02 Jun 2025 09:25:57 -0400 X-MC-Unique: Y6nYanefN1aR8MDWv4PZRw-1 X-Mimecast-MFC-AGG-ID: Y6nYanefN1aR8MDWv4PZRw_1748870755 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 6A9E9195608A; Mon, 2 Jun 2025 13:25:54 +0000 (UTC) Received: from fedora.redhat.com (unknown [10.44.34.87]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 44E9E18001DA; Mon, 2 Jun 2025 13:25:46 +0000 (UTC) From: Vitaly Kuznetsov To: linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-modules@vger.kernel.org Cc: linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, keyrings@vger.kernel.org, David Howells , David Woodhouse , Jonathan Corbet , Luis Chamberlain , Petr Pavlu , Sami Tolvanen , Daniel Gomez , Mimi Zohar , Roberto Sassu , Dmitry Kasatkin , Eric Snowberg , Paul Moore , James Morris , "Serge E. Hallyn" , Peter Jones , Robert Holmes , Jeremy Cline , Coiby Xu , James Bottomley , Gerd Hoffmann Subject: [PATCH RFC 1/1] module: Make use of platform keyring for module signature verify Date: Mon, 2 Jun 2025 15:25:35 +0200 Message-ID: <20250602132535.897944-2-vkuznets@redhat.com> In-Reply-To: <20250602132535.897944-1-vkuznets@redhat.com> References: <20250602132535.897944-1-vkuznets@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Content-Type: text/plain; charset="utf-8" This patch complements commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") and commit 6fce1f40e951 ("dm verity: add support for signature verification with platform keyring") and allows for signing modules using keys from SecureBoot 'db'. This may come handy when the user has control over it, e.g. in a virtualized or a cloud environment. Suggested-by: Robert Holmes Signed-off-by: Vitaly Kuznetsov --- Documentation/admin-guide/module-signing.rst | 6 ++++++ kernel/module/Kconfig | 11 +++++++++++ kernel/module/signing.c | 9 ++++++++- security/integrity/Kconfig | 2 +- 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/a= dmin-guide/module-signing.rst index a8667a777490..44ed93e586b9 100644 --- a/Documentation/admin-guide/module-signing.rst +++ b/Documentation/admin-guide/module-signing.rst @@ -118,6 +118,12 @@ This has a number of options available: additional certificates which will be included in the system keyring = by default. =20 + (5) :menuselection:`Use .platform keyring for verifying kernel modules si= gnatures` + (``CONFIG_MODULE_SIG_PLATFORM``) + + This option additionally allows modules to be signed with a key prese= nt + in ``.platform`` keyring, e.g. a SecureBoot 'db' key. + Note that enabling module signing adds a dependency on the OpenSSL devel packages to the kernel build processes for the tool that does the signing. =20 diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig index 39278737bb68..f1b85c14548a 100644 --- a/kernel/module/Kconfig +++ b/kernel/module/Kconfig @@ -340,6 +340,17 @@ config MODULE_SIG_HASH default "sha3-384" if MODULE_SIG_SHA3_384 default "sha3-512" if MODULE_SIG_SHA3_512 =20 +config MODULE_SIG_PLATFORM + bool "Use .platform keyring for verifying kernel modules signatures" + depends on INTEGRITY_PLATFORM_KEYRING + depends on MODULE_SIG + help + When selected, keys from .platform keyring can be used for verifying + modules signatures. In particular, this allows to use UEFI SecureBoot + 'db' for verification. + + If unsure, say N. + config MODULE_COMPRESS bool "Module compression" help diff --git a/kernel/module/signing.c b/kernel/module/signing.c index a2ff4242e623..3327e7243211 100644 --- a/kernel/module/signing.c +++ b/kernel/module/signing.c @@ -61,10 +61,17 @@ int mod_verify_sig(const void *mod, struct load_info *i= nfo) modlen -=3D sig_len + sizeof(ms); info->len =3D modlen; =20 - return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + ret =3D verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, VERIFY_USE_SECONDARY_KEYRING, VERIFYING_MODULE_SIGNATURE, NULL, NULL); + if (ret =3D=3D -ENOKEY && IS_ENABLED(CONFIG_MODULE_SIG_PLATFORM)) { + ret =3D verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_MODULE_SIGNATURE, + NULL, NULL); + } + return ret; } =20 int module_sig_check(struct load_info *info, int flags) diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 3c45f4f3455f..b7fa83d37a01 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -60,7 +60,7 @@ config INTEGRITY_PLATFORM_KEYRING Provide a separate, distinct keyring for platform trusted keys, which the kernel automatically populates during initialization from values provided by the platform for verifying the kexec'ed kerned image - and, possibly, the initramfs signature. + and, possibly, the initramfs signature and kernel modules signatures. =20 config INTEGRITY_MACHINE_KEYRING bool "Provide a keyring to which Machine Owner Keys may be added" --=20 2.49.0