On Wed, Aug 17, 2022 at 02:16:41PM +0200, Greg KH wrote:
On Wed, Aug 17, 2022 at 02:11:15PM +0200, Michal Suchánek wrote:
On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
Hi Greg,
Good to see you here:)
On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote: > > The patch below does not apply to the 5.19-stable tree. > If someone wants it applied there, or to any other stable or longterm > tree, then please email the backport, including the original git commit > id to stable@vger.kernel.org. > > thanks, > > greg k-h > > ------------------ original commit in Linus's tree ------------------ > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001 > From: Coiby Xu coxu@redhat.com > Date: Thu, 14 Jul 2022 21:40:26 +0800 > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel > image signature > > Currently, when loading a kernel image via the kexec_file_load() system > call, arm64 can only use the .builtin_trusted_keys keyring to verify > a signature whereas x86 can use three more keyrings i.e. > .secondary_trusted_keys, .machine and .platform keyrings. For example, > one resulting problem is kexec'ing a kernel image would be rejected > with the error "Lockdown: kexec: kexec of unsigned images is restricted; > see man kernel_lockdown.7". > > This patch set enables arm64 to make use of the same keyrings as x86 to > verify the signature kexec'ed kernel image. > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
This is not a valid commit id in Linus's tree.
> Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
This is not a valid commit id in Linus's tree
> Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
And this too is not a valid commit in Linus's tree.
Sorry for the confusion. The correct commit ids are as follows,
0738eceb6201 ("kexec: drop weak attribute from functions") 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig") c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
What order do they need to be applied in?
This is the whole series as seen in Linus tree from oldest to newest:
65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions 0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions 689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic 0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature
Great!
(with the exception of the s390 patch which stands on its own)
What s390 patch?
0828c4a39be57768b8788e8cbd0d84683ea757e5 kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
Now you confused me again...
greg k-h