5.19.1-xanmod1

0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch

@@ -0,0 +1,28 @@
+diff --git a/kernel/module/signing.c b/kernel/module/signing.c
+From 36dc5cf3039c0751fe95370a247ca1c23c06571c Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Mon, 10 Aug 2020 10:38:20 +0300
+Subject: [PATCH] ROSA: ima: allow to off modules signature check dynamically
+Allow module.sig_enforce=0 kernel cmdline, not only module.sig_enforce=1
+It allows to keep CONFIG_MODULE_SIG_FORCE=y, but disable it when really needed
+without recompiling the kernel (it may be impossible, e.g. in certified systems).
+GRUB or another bootloader is password-protected when needed,
+so I am not afraid much that someone will be able to turn it off when not needed.
+ROSA-specific patch.
+This violates requirements of "secure boot", but currently we do not have secure boot in ROSA.
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+
+index a2ff424..e045f46 100644
+--- a/kernel/module/signing.c
++++ b/kernel/module/signing.c
+@@ -20,8 +20,7 @@
+ #define MODULE_PARAM_PREFIX "module."
+ 
+ static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+-module_param(sig_enforce, bool_enable_only, 0644);
+-
++module_param(sig_enforce, bool, 0644);
+ /*
+  * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+  * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.

0001-crypto-support-loading-GOST-signed-kernel-modules.patch

@@ -0,0 +1,39 @@
+diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
+From 59bf6ed4709ea82d63be300814af2c4c94503e14 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+Date: Thu, 6 Aug 2020 14:17:31 +0300
+Subject: [PATCH] crypto: support loading GOST-signed kernel modules
+Support loading kernel modules signed with:
+* 1.2.643.7.1.1.1.1 id-tc26-gost3410-12-256
+* 1.2.643.7.1.1.1.2 id-tc26-gost3410-12-512
+Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
+---
+
+index 6592279..1316157 100644
+--- a/crypto/asymmetric_keys/pkcs7_parser.c
++++ b/crypto/asymmetric_keys/pkcs7_parser.c
+@@ -248,6 +248,12 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
+ 	case OID_sha224:
+ 		ctx->sinfo->sig->hash_algo = "sha224";
+ 		break;
++	case OID_gost2012Digest256:
++		ctx->sinfo->sig->hash_algo = "streebog256";
++		break;
++	case OID_gost2012Digest512:
++		ctx->sinfo->sig->hash_algo = "streebog512";
++		break;
+ 	default:
+ 		printk("Unsupported digest algo: %u\n", ctx->last_oid);
+ 		return -ENOPKG;
+@@ -269,6 +275,11 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
+ 		ctx->sinfo->sig->pkey_algo = "rsa";
+ 		ctx->sinfo->sig->encoding = "pkcs1";
+ 		break;
++	case OID_gost2012PKey256:
++	case OID_gost2012PKey512:
++		ctx->sinfo->sig->pkey_algo = "ecrdsa";
++		ctx->sinfo->sig->encoding = "raw";
++		break;
+ 	case OID_id_ecdsa_with_sha1:
+ 	case OID_id_ecdsa_with_sha224:
+ 	case OID_id_ecdsa_with_sha256:

kernel-xanmod.spec

@@ -288,6 +288,11 @@ Patch111:	0001-Remove-RPM-illegal-chars-from-module-version.patch
 # sent to upstream, https://patchwork.kernel.org/patch/11446123/
 Patch302:	0001-sign-file-full-functionality-with-modern-LibreSSL.patch
 
+# Support loading GOST-signed modules
+Patch305:	0001-crypto-support-loading-GOST-signed-kernel-modules.patch
+# Allow to off modules signature check dynamically
+Patch306:	0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
+
 # Disable AutoReq
 AutoReq: 	0
 # but keep autoprov for kmod(xxx)