On Wed, Aug 17, 2022 at 02:11:15PM +0200, Michal Suchánek wrote:
On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
Hi Greg,
Good to see you here:)
On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
The patch below does not apply to the 5.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
> From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001 From: Coiby Xu coxu@redhat.com Date: Thu, 14 Jul 2022 21:40:26 +0800 Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel image signature
Currently, when loading a kernel image via the kexec_file_load() system call, arm64 can only use the .builtin_trusted_keys keyring to verify a signature whereas x86 can use three more keyrings i.e. .secondary_trusted_keys, .machine and .platform keyrings. For example, one resulting problem is kexec'ing a kernel image would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7".
This patch set enables arm64 to make use of the same keyrings as x86 to verify the signature kexec'ed kernel image.
Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
This is not a valid commit id in Linus's tree.
Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
This is not a valid commit id in Linus's tree
Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
And this too is not a valid commit in Linus's tree.
Sorry for the confusion. The correct commit ids are as follows,
0738eceb6201 ("kexec: drop weak attribute from functions") 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig") c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
What order do they need to be applied in?
This is the whole series as seen in Linus tree from oldest to newest:
65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions 0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions 689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic 0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature
Great!
(with the exception of the s390 patch which stands on its own)
What s390 patch?
Now you confused me again...
greg k-h