On Fri, Sep 23, 2022 at 09:16:50PM +0200, Michal Suchánek wrote:
Hello,
On Fri, Sep 23, 2022 at 03:03:36PM -0400, Mimi Zohar wrote:
On Fri, 2022-09-23 at 19:10 +0200, Michal Suchanek wrote:
Hello,
this is backport of commit 0d519cadf751 ("arm64: kexec_file: use more system keyrings to verify kernel image signature") to table 5.15 tree including the preparatory patches.
Some patches needed minor adjustment for context.
In general when backporting this patch set, there should be a dependency on backporting these commits as well. In this instance for linux-5.15.y, they've already been backported.
543ce63b664e ("lockdown: Fix kexec lockdown bypass with ima policy")
AFAICT this is everywhere relevant, likely because it's considered a CVE fix.
af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")
This is missing in 5.4, and 5.4 is missing this prerequisite: fd7af71be542 ("kexec: do not verify the signature without the lockdown or mandatory signature")
Thanks for bringing these up. It might be in general useful to backport these fixes as well.
However, this patchset does one very specific thing: it lifts the x86 kexec_file signature verification to arch-independent and uses it on arm64 to unify all features (and any existing warts) between EFI architectures.
So unless I am missing something the fixes you pointed out are completely independent of this.
Thanks
Michal