This is a note to let you know that I've just added the patch titled
security/integrity: fix pointer to ESL data and its size on pseries
to the 6.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
security-integrity-fix-pointer-to-esl-data-and-its-size-on-pseries.patch
and it can be found in the queue-6.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From e66effaf61ffb1dc6088492ca3a0e98dcbf1c10d Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@xxxxxxxxxxxxx>
Date: Thu, 8 Jun 2023 08:04:44 -0400
Subject: security/integrity: fix pointer to ESL data and its size on pseries
From: Nayna Jain <nayna@xxxxxxxxxxxxx>
commit e66effaf61ffb1dc6088492ca3a0e98dcbf1c10d upstream.
On PowerVM guest, variable data is prefixed with 8 bytes of timestamp.
Extract ESL by stripping off the timestamp before passing to ESL parser.
Fixes: 4b3e71e9a34c ("integrity/powerpc: Support loading keys from PLPKS")
Cc: stable@xxxxxxxxxxxxxxxx # v6.3
Signed-off-by: Nayna Jain <nayna@xxxxxxxxxxxxx>
Tested-by: Nageswara R Sastry <rnsastry@xxxxxxxxxxxxx>
Acked-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
Signed-off-by: Michael Ellerman <mpe@xxxxxxxxxxxxxx>
Link: https://msgid.link/20230608120444.382527-1-nayna@xxxxxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
.../integrity/platform_certs/load_powerpc.c | 40 ++++++++++++-------
1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
index b9de70b90826..170789dc63d2 100644
--- a/security/integrity/platform_certs/load_powerpc.c
+++ b/security/integrity/platform_certs/load_powerpc.c
@@ -15,6 +15,9 @@
#include "keyring_handler.h"
#include "../integrity.h"
+#define extract_esl(db, data, size, offset) \
+ do { db = data + offset; size = size - offset; } while (0)
+
/*
* Get a certificate list blob from the named secure variable.
*
@@ -55,8 +58,9 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
*/
static int __init load_powerpc_certs(void)
{
- void *db = NULL, *dbx = NULL;
- u64 dbsize = 0, dbxsize = 0;
+ void *db = NULL, *dbx = NULL, *data = NULL;
+ u64 dsize = 0;
+ u64 offset = 0;
int rc = 0;
ssize_t len;
char buf[32];
@@ -74,38 +78,46 @@ static int __init load_powerpc_certs(void)
return -ENODEV;
}
+ if (strcmp("ibm,plpks-sb-v1", buf) == 0)
+ /* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */
+ offset = 8;
+
/*
* Get db, and dbx. They might not exist, so it isn't an error if we
* can't get them.
*/
- db = get_cert_list("db", 3, &dbsize);
- if (!db) {
+ data = get_cert_list("db", 3, &dsize);
+ if (!data) {
pr_info("Couldn't get db list from firmware\n");
- } else if (IS_ERR(db)) {
- rc = PTR_ERR(db);
+ } else if (IS_ERR(data)) {
+ rc = PTR_ERR(data);
pr_err("Error reading db from firmware: %d\n", rc);
return rc;
} else {
- rc = parse_efi_signature_list("powerpc:db", db, dbsize,
+ extract_esl(db, data, dsize, offset);
+
+ rc = parse_efi_signature_list("powerpc:db", db, dsize,
get_handler_for_db);
if (rc)
pr_err("Couldn't parse db signatures: %d\n", rc);
- kfree(db);
+ kfree(data);
}
- dbx = get_cert_list("dbx", 4, &dbxsize);
- if (!dbx) {
+ data = get_cert_list("dbx", 4, &dsize);
+ if (!data) {
pr_info("Couldn't get dbx list from firmware\n");
- } else if (IS_ERR(dbx)) {
- rc = PTR_ERR(dbx);
+ } else if (IS_ERR(data)) {
+ rc = PTR_ERR(data);
pr_err("Error reading dbx from firmware: %d\n", rc);
return rc;
} else {
- rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
+ extract_esl(dbx, data, dsize, offset);
+
+ rc = parse_efi_signature_list("powerpc:dbx", dbx, dsize,
get_handler_for_dbx);
if (rc)
pr_err("Couldn't parse dbx signatures: %d\n", rc);
- kfree(dbx);
+ kfree(data);
}
return rc;
--
2.41.0
Patches currently in stable-queue which might be from nayna@xxxxxxxxxxxxx are
queue-6.4/security-integrity-fix-pointer-to-esl-data-and-its-size-on-pseries.patch
