On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
[...]
From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
From: Coiby Xu coxu@redhat.com Date: Thu, 14 Jul 2022 21:40:26 +0800 Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel image signature
Currently, when loading a kernel image via the kexec_file_load() system call, arm64 can only use the .builtin_trusted_keys keyring to verify a signature whereas x86 can use three more keyrings i.e. .secondary_trusted_keys, .machine and .platform keyrings. For example, one resulting problem is kexec'ing a kernel image would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7".
This patch set enables arm64 to make use of the same keyrings as x86 to verify the signature kexec'ed kernel image.
Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
This is not a valid commit id in Linus's tree.
Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
This is not a valid commit id in Linus's tree
Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
And this too is not a valid commit in Linus's tree.
Sorry for the confusion. The correct commit ids are as follows,
0738eceb6201 ("kexec: drop weak attribute from functions")
Sorry, the first one should be 65d9a9a60fd7 ("kexec_file: drop weak attribute from functions").
689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig") c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
What order do they need to be applied in?
They should be applied from top-down, i.e.
1. 65d9a9a60fd7 ("kexec_file: drop weak attribute from functions") 2. 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig") 3. c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
But I notice stable/linux-5.19.y has already the first two prerequisites backported. So only the 3rd prerequisite is needed.
thanks,
greg k-h