diff --git a/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch b/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
new file mode 100644
index 0000000..0a23b81
--- /dev/null
+++ b/0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch
@@ -0,0 +1,28 @@
+diff --git a/kernel/module/signing.c b/kernel/module/signing.c
+From 36dc5cf3039c0751fe95370a247ca1c23c06571c Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Mon, 10 Aug 2020 10:38:20 +0300
+Subject: [PATCH] ROSA: ima: allow to off modules signature check dynamically
+Allow module.sig_enforce=0 kernel cmdline, not only module.sig_enforce=1
+It allows to keep CONFIG_MODULE_SIG_FORCE=y, but disable it when really needed
+without recompiling the kernel (it may be impossible, e.g. in certified systems).
+GRUB or another bootloader is password-protected when needed,
+so I am not afraid much that someone will be able to turn it off when not needed.
+ROSA-specific patch.
+This violates requirements of "secure boot", but currently we do not have secure boot in ROSA.
+Signed-off-by: Mikhail Novosyolov
+---
+
+index a2ff424..e045f46 100644
+--- a/kernel/module/signing.c
++++ b/kernel/module/signing.c
+@@ -20,8 +20,7 @@
+ #define MODULE_PARAM_PREFIX "module."
+
+ static bool sig_enforce = IS_ENABLED(CONFIG_MODULE_SIG_FORCE);
+-module_param(sig_enforce, bool_enable_only, 0644);
+-
++module_param(sig_enforce, bool, 0644);
+ /*
+ * Export sig_enforce kernel cmdline parameter to allow other subsystems rely
+ * on that instead of directly to CONFIG_MODULE_SIG_FORCE config.
diff --git a/0001-crypto-support-loading-GOST-signed-kernel-modules.patch b/0001-crypto-support-loading-GOST-signed-kernel-modules.patch
new file mode 100644
index 0000000..0e1a063
--- /dev/null
+++ b/0001-crypto-support-loading-GOST-signed-kernel-modules.patch
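Review bot: Changing `module_param(sig_enforce, bool_enable_only, 0644)` to `module_param(sig_enforce, bool, 0644)` does more than the description asks for: with the plain `bool` type and a root-writable 0644 mode, the parameter can also be cleared on a running system through its sysfs parameter file, so the password-protected bootloader the message relies on no longer bounds who can switch enforcement off. `bool_enable_only` exists precisely to permit only the 0→1 transition. If the goal is only `module.sig_enforce=0` on the kernel cmdline, `module_param(sig_enforce, bool, 0444);` keeps it settable at boot while leaving the sysfs file read-only. The removed blank line between the module_param line and the following comment block is an unrelated style change. The `module_param` line is file-scope, not inside a function.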
@@ -0,0 +1,39 @@
+diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
+From 59bf6ed4709ea82d63be300814af2c4c94503e14 Mon Sep 17 00:00:00 2001
+From: Mikhail Novosyolov
+Date: Thu, 6 Aug 2020 14:17:31 +0300
+Subject: [PATCH] crypto: support loading GOST-signed kernel modules
+Support loading kernel modules signed with:
+* 1.2.643.7.1.1.1.1 id-tc26-gost3410-12-256
+* 1.2.643.7.1.1.1.2 id-tc26-gost3410-12-512
+Signed-off-by: Mikhail Novosyolov
+---
+
+index 6592279..1316157 100644
+--- a/crypto/asymmetric_keys/pkcs7_parser.c
++++ b/crypto/asymmetric_keys/pkcs7_parser.c
+@@ -248,6 +248,12 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
+ case OID_sha224:
+ ctx->sinfo->sig->hash_algo = "sha224";
+ break;
++ case OID_gost2012Digest256:
++ ctx->sinfo->sig->hash_algo = "streebog256";
++ break;
++ case OID_gost2012Digest512:
++ ctx->sinfo->sig->hash_algo = "streebog512";
++ break;
+ default:
+ printk("Unsupported digest algo: %u\n", ctx->last_oid);
+ return -ENOPKG;
+@@ -269,6 +275,11 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
+ ctx->sinfo->sig->pkey_algo = "rsa";
+ ctx->sinfo->sig->encoding = "pkcs1";
+ break;
++ case OID_gost2012PKey256:
++ case OID_gost2012PKey512:
++ ctx->sinfo->sig->pkey_algo = "ecrdsa";
++ ctx->sinfo->sig->encoding = "raw";
++ break;
+ case OID_id_ecdsa_with_sha1:
+ case OID_id_ecdsa_with_sha224:
+ case OID_id_ecdsa_with_sha256:
diff --git a/kernel-xanmod.spec b/kernel-xanmod.spec
index 3a0b994..2924a20 100644
--- a/kernel-xanmod.spec
+++ b/kernel-xanmod.spec
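Review bot: The new `"streebog256"`/`"streebog512"` and `"ecrdsa"` cases only lead to a successful module signature verification when those algorithms are available in the built-in image; since this path runs while modules are being loaded, the corresponding crypto support (CONFIG_CRYPTO_STREEBOG, CONFIG_CRYPTO_ECRDSA) presumably has to be built-in rather than modular, and neither the commit message nor the spec hunk records that dependency. A one-line comment above the new digest cases, `/* GOST R 34.11-2012 digests; module verification needs streebog and ecrdsa built in */`, would make it visible. Both `OID_gost2012PKey256` and `OID_gost2012PKey512` map to the same `"ecrdsa"`/`"raw"` pair, so a 256-bit key OID combined with a 512-bit digest is not rejected here; it is presumably the ecrdsa verifier that detects the mismatch, which is worth confirming. Both enclosing functions, `pkcs7_sig_note_digest_algo` and `pkcs7_sig_note_pkey_algo`, start and end outside the shown hunks.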
@@ -288,6 +288,11 @@ Patch111: 0001-Remove-RPM-illegal-chars-from-module-version.patch # sent to upstream, https://patchwork.kernel.org/patch/11446123/ Patch302: 0001-sign-file-full-functionality-with-modern-LibreSSL.patch +# Support loading GOST-signed modules +Patch305: 0001-crypto-support-loading-GOST-signed-kernel-modules.patch +# Allow to off modules signature check dynamically +Patch306: 0001-ROSA-ima-allow-to-off-modules-signature-check-dynami.patch + # Disable AutoReq AutoReq: 0 # but keep autoprov for kmod(xxx)
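Review bot: The comment `# Allow to off modules signature check dynamically` above Patch306 understates what the packager is enabling: the patch makes CONFIG_MODULE_SIG_FORCE=y overridable with `module.sig_enforce=0` at boot, which the patch description itself says conflicts with secure boot requirements. Suggest `# Allow module.sig_enforce=0 on the kernel cmdline even with CONFIG_MODULE_SIG_FORCE=y (ROSA-specific; weakens module signature enforcement)` so the trade-off is visible where the patch list is maintained. The comment above Patch305 would likewise benefit from noting that GOST-signed modules need the streebog and ecrdsa algorithms built into the kernel.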