All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 0/2] use more system keyrings to verify kdump kernel image signature
@ 2021-09-27  0:50 ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec; +Cc: linux-arm-kernel

This patch set allows arm64 to use more system keyrings to verify kdump 
kernel image signature by making the existing code in x64 public.


Coiby Xu (2):
  kexec, KEYS: make the code in bzImage64_verify_sig public
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   |  4 +---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  3 +++
 kernel/kexec_file.c               | 15 +++++++++++++++
 4 files changed, 20 insertions(+), 15 deletions(-)

-- 
2.33.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 0/2] use more system keyrings to verify kdump kernel image signature
@ 2021-09-27  0:50 ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec; +Cc: linux-arm-kernel

This patch set allows arm64 to use more system keyrings to verify kdump 
kernel image signature by making the existing code in x64 public.


Coiby Xu (2):
  kexec, KEYS: make the code in bzImage64_verify_sig public
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   |  4 +---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  3 +++
 kernel/kexec_file.c               | 15 +++++++++++++++
 4 files changed, 20 insertions(+), 15 deletions(-)

-- 
2.33.0


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
  2021-09-27  0:50 ` Coiby Xu
  (?)
@ 2021-09-27  0:50   ` Coiby Xu
  -1 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec
  Cc: linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

From: Coiby Xu <coxu@redhat.com>

The code in bzImage64_verify_sig could make use of system keyrings including
.buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
signed kernel image as PE file. Move it to a public function.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  3 +++
 kernel/kexec_file.c               | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..4136dd3be5a9 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..d45f32336dbe 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
 #ifdef CONFIG_KEXEC_SIG
 int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
 				 unsigned long buf_len);
+int arch_kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
 #endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 33400ff051a8..85ed6984ad8f 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
 {
 	return kexec_image_verify_sig_default(image, buf, buf_len);
 }
+
+int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
 #endif
 
 /*
-- 
2.33.0


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-09-27  0:50   ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec
  Cc: linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

From: Coiby Xu <coxu@redhat.com>

The code in bzImage64_verify_sig could make use of system keyrings including
.buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
signed kernel image as PE file. Move it to a public function.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  3 +++
 kernel/kexec_file.c               | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..4136dd3be5a9 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..d45f32336dbe 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
 #ifdef CONFIG_KEXEC_SIG
 int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
 				 unsigned long buf_len);
+int arch_kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
 #endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 33400ff051a8..85ed6984ad8f 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
 {
 	return kexec_image_verify_sig_default(image, buf, buf_len);
 }
+
+int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
 #endif
 
 /*
-- 
2.33.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-09-27  0:50   ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec
  Cc: linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE 32-BIT AND 64-BIT,
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE 32-BIT AND 64-BIT

From: Coiby Xu <coxu@redhat.com>

The code in bzImage64_verify_sig could make use of system keyrings including
.buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
signed kernel image as PE file. Move it to a public function.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  3 +++
 kernel/kexec_file.c               | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..4136dd3be5a9 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..d45f32336dbe 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
 #ifdef CONFIG_KEXEC_SIG
 int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
 				 unsigned long buf_len);
+int arch_kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
 #endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 33400ff051a8..85ed6984ad8f 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
 {
 	return kexec_image_verify_sig_default(image, buf, buf_len);
 }
+
+int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
 #endif
 
 /*
-- 
2.33.0


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
  2021-09-27  0:50 ` Coiby Xu
  (?)
@ 2021-09-27  0:50   ` Coiby Xu
  -1 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec; +Cc: linux-arm-kernel, Coiby Xu, Catalin Marinas, Will Deacon, open list

From: Coiby Xu <coxu@redhat.com>

This allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..2357ee2f229a 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.33.0


^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
@ 2021-09-27  0:50   ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec; +Cc: linux-arm-kernel, Coiby Xu, Catalin Marinas, Will Deacon, open list

From: Coiby Xu <coxu@redhat.com>

This allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..2357ee2f229a 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.33.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
@ 2021-09-27  0:50   ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-09-27  0:50 UTC (permalink / raw)
  To: kexec; +Cc: linux-arm-kernel, Coiby Xu, Catalin Marinas, Will Deacon, open list

From: Coiby Xu <coxu@redhat.com>

This allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..2357ee2f229a 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.33.0


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
  2021-09-27  0:50   ` Coiby Xu
  (?)
@ 2021-09-29 16:24     ` Will Deacon
  -1 siblings, 0 replies; 20+ messages in thread
From: Will Deacon @ 2021-09-29 16:24 UTC (permalink / raw)
  To: Coiby Xu; +Cc: kexec, linux-arm-kernel, Coiby Xu, Catalin Marinas, open list

On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> This allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.
> 
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  arch/arm64/kernel/kexec_image.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..2357ee2f229a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
>  #include <linux/kexec.h>
>  #include <linux/pe.h>
>  #include <linux/string.h>
> -#include <linux/verification.h>
>  #include <asm/byteorder.h>
>  #include <asm/cpufeature.h>
>  #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len, NULL,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);

I'm fine with this in principle, but it looks like the first patch is the
important one.

So for the arm64 bit:

Acked-by: Will Deacon <will@kernel.org>

Will

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
@ 2021-09-29 16:24     ` Will Deacon
  0 siblings, 0 replies; 20+ messages in thread
From: Will Deacon @ 2021-09-29 16:24 UTC (permalink / raw)
  To: Coiby Xu; +Cc: kexec, linux-arm-kernel, Coiby Xu, Catalin Marinas, open list

On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> This allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.
> 
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  arch/arm64/kernel/kexec_image.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..2357ee2f229a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
>  #include <linux/kexec.h>
>  #include <linux/pe.h>
>  #include <linux/string.h>
> -#include <linux/verification.h>
>  #include <asm/byteorder.h>
>  #include <asm/cpufeature.h>
>  #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len, NULL,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);

I'm fine with this in principle, but it looks like the first patch is the
important one.

So for the arm64 bit:

Acked-by: Will Deacon <will@kernel.org>

Will

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
@ 2021-09-29 16:24     ` Will Deacon
  0 siblings, 0 replies; 20+ messages in thread
From: Will Deacon @ 2021-09-29 16:24 UTC (permalink / raw)
  To: Coiby Xu; +Cc: kexec, linux-arm-kernel, Coiby Xu, Catalin Marinas, open list

On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> This allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.
> 
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  arch/arm64/kernel/kexec_image.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
> 
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..2357ee2f229a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
>  #include <linux/kexec.h>
>  #include <linux/pe.h>
>  #include <linux/string.h>
> -#include <linux/verification.h>
>  #include <asm/byteorder.h>
>  #include <asm/cpufeature.h>
>  #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
>  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	return verify_pefile_signature(kernel, kernel_len, NULL,
> -				       VERIFYING_KEXEC_PE_SIGNATURE);
> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);

I'm fine with this in principle, but it looks like the first patch is the
important one.

So for the arm64 bit:

Acked-by: Will Deacon <will@kernel.org>

Will

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
  2021-09-27  0:50   ` Coiby Xu
  (?)
@ 2021-09-30 12:49     ` Dave Young
  -1 siblings, 0 replies; 20+ messages in thread
From: Dave Young @ 2021-09-30 12:49 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

Hi Coiby,
On 09/27/21 at 08:50am, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> The code in bzImage64_verify_sig could make use of system keyrings including
> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
> signed kernel image as PE file. Move it to a public function.
> 
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>  include/linux/kexec.h             |  3 +++
>  kernel/kexec_file.c               | 15 +++++++++++++++
>  3 files changed, 19 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 170d0fd68b1f..4136dd3be5a9 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -17,7 +17,6 @@
>  #include <linux/kernel.h>
>  #include <linux/mm.h>
>  #include <linux/efi.h>
> -#include <linux/verification.h>
>  
>  #include <asm/bootparam.h>
>  #include <asm/setup.h>
> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	int ret;
> -
> -	ret = verify_pefile_signature(kernel, kernel_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_KEXEC_PE_SIGNATURE);
> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> -		ret = verify_pefile_signature(kernel, kernel_len,
> -					      VERIFY_USE_PLATFORM_KEYRING,
> -					      VERIFYING_KEXEC_PE_SIGNATURE);
> -	}
> -	return ret;
> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }
>  #endif
>  
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..d45f32336dbe 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -19,6 +19,7 @@
>  #include <asm/io.h>
>  
>  #include <uapi/linux/kexec.h>
> +#include <linux/verification.h>
>  
>  #ifdef CONFIG_KEXEC_CORE
>  #include <linux/list.h>
> @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
>  #ifdef CONFIG_KEXEC_SIG
>  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>  				 unsigned long buf_len);
> +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
> +				    unsigned long kernel_len);
>  #endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 33400ff051a8..85ed6984ad8f 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>  {
>  	return kexec_image_verify_sig_default(image, buf, buf_len);
>  }
> +
> +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> +{
> +	int ret;
> +
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
> +}

Since the function is moved as generic code, the kconfig option
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.

Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
not need to be compiled for only platform which support UEFI pefile
signature verification.  And the related arch kexec_file kconfig can
just select it.

Coiby, can you try above?

>  #endif
>  
>  /*
> -- 
> 2.33.0
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
> 
> 

Thanks
Dave


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-09-30 12:49     ` Dave Young
  0 siblings, 0 replies; 20+ messages in thread
From: Dave Young @ 2021-09-30 12:49 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

Hi Coiby,
On 09/27/21 at 08:50am, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> The code in bzImage64_verify_sig could make use of system keyrings including
> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
> signed kernel image as PE file. Move it to a public function.
> 
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>  include/linux/kexec.h             |  3 +++
>  kernel/kexec_file.c               | 15 +++++++++++++++
>  3 files changed, 19 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 170d0fd68b1f..4136dd3be5a9 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -17,7 +17,6 @@
>  #include <linux/kernel.h>
>  #include <linux/mm.h>
>  #include <linux/efi.h>
> -#include <linux/verification.h>
>  
>  #include <asm/bootparam.h>
>  #include <asm/setup.h>
> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	int ret;
> -
> -	ret = verify_pefile_signature(kernel, kernel_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_KEXEC_PE_SIGNATURE);
> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> -		ret = verify_pefile_signature(kernel, kernel_len,
> -					      VERIFY_USE_PLATFORM_KEYRING,
> -					      VERIFYING_KEXEC_PE_SIGNATURE);
> -	}
> -	return ret;
> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }
>  #endif
>  
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..d45f32336dbe 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -19,6 +19,7 @@
>  #include <asm/io.h>
>  
>  #include <uapi/linux/kexec.h>
> +#include <linux/verification.h>
>  
>  #ifdef CONFIG_KEXEC_CORE
>  #include <linux/list.h>
> @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
>  #ifdef CONFIG_KEXEC_SIG
>  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>  				 unsigned long buf_len);
> +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
> +				    unsigned long kernel_len);
>  #endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 33400ff051a8..85ed6984ad8f 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>  {
>  	return kexec_image_verify_sig_default(image, buf, buf_len);
>  }
> +
> +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> +{
> +	int ret;
> +
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
> +}

Since the function is moved as generic code, the kconfig option
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.

Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
not need to be compiled for only platform which support UEFI pefile
signature verification.  And the related arch kexec_file kconfig can
just select it.

Coiby, can you try above?

>  #endif
>  
>  /*
> -- 
> 2.33.0
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
> 
> 

Thanks
Dave


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-09-30 12:49     ` Dave Young
  0 siblings, 0 replies; 20+ messages in thread
From: Dave Young @ 2021-09-30 12:49 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

Hi Coiby,
On 09/27/21 at 08:50am, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> The code in bzImage64_verify_sig could make use of system keyrings including
> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
> signed kernel image as PE file. Move it to a public function.
> 
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>  include/linux/kexec.h             |  3 +++
>  kernel/kexec_file.c               | 15 +++++++++++++++
>  3 files changed, 19 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 170d0fd68b1f..4136dd3be5a9 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -17,7 +17,6 @@
>  #include <linux/kernel.h>
>  #include <linux/mm.h>
>  #include <linux/efi.h>
> -#include <linux/verification.h>
>  
>  #include <asm/bootparam.h>
>  #include <asm/setup.h>
> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
> -	int ret;
> -
> -	ret = verify_pefile_signature(kernel, kernel_len,
> -				      VERIFY_USE_SECONDARY_KEYRING,
> -				      VERIFYING_KEXEC_PE_SIGNATURE);
> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> -		ret = verify_pefile_signature(kernel, kernel_len,
> -					      VERIFY_USE_PLATFORM_KEYRING,
> -					      VERIFYING_KEXEC_PE_SIGNATURE);
> -	}
> -	return ret;
> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
>  }
>  #endif
>  
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..d45f32336dbe 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -19,6 +19,7 @@
>  #include <asm/io.h>
>  
>  #include <uapi/linux/kexec.h>
> +#include <linux/verification.h>
>  
>  #ifdef CONFIG_KEXEC_CORE
>  #include <linux/list.h>
> @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
>  #ifdef CONFIG_KEXEC_SIG
>  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>  				 unsigned long buf_len);
> +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
> +				    unsigned long kernel_len);
>  #endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 33400ff051a8..85ed6984ad8f 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>  {
>  	return kexec_image_verify_sig_default(image, buf, buf_len);
>  }
> +
> +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> +{
> +	int ret;
> +
> +	ret = verify_pefile_signature(kernel, kernel_len,
> +				      VERIFY_USE_SECONDARY_KEYRING,
> +				      VERIFYING_KEXEC_PE_SIGNATURE);
> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> +		ret = verify_pefile_signature(kernel, kernel_len,
> +					      VERIFY_USE_PLATFORM_KEYRING,
> +					      VERIFYING_KEXEC_PE_SIGNATURE);
> +	}
> +	return ret;
> +}

Since the function is moved as generic code, the kconfig option
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.

Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
not need to be compiled for only platform which support UEFI pefile
signature verification.  And the related arch kexec_file kconfig can
just select it.

Coiby, can you try above?

>  #endif
>  
>  /*
> -- 
> 2.33.0
> 
> 
> _______________________________________________
> kexec mailing list
> kexec@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec
> 
> 

Thanks
Dave


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
  2021-09-30 12:49     ` Dave Young
  (?)
@ 2021-09-30 12:52       ` Dave Young
  -1 siblings, 0 replies; 20+ messages in thread
From: Dave Young @ 2021-09-30 12:52 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

On 09/30/21 at 08:49pm, Dave Young wrote:
> Hi Coiby,
> On 09/27/21 at 08:50am, Coiby Xu wrote:
> > From: Coiby Xu <coxu@redhat.com>
> > 
> > The code in bzImage64_verify_sig could make use of system keyrings including
> > .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
> > signed kernel image as PE file. Move it to a public function.
> > 
> > Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> > ---
> >  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
> >  include/linux/kexec.h             |  3 +++
> >  kernel/kexec_file.c               | 15 +++++++++++++++
> >  3 files changed, 19 insertions(+), 12 deletions(-)
> > 
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 170d0fd68b1f..4136dd3be5a9 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -17,7 +17,6 @@
> >  #include <linux/kernel.h>
> >  #include <linux/mm.h>
> >  #include <linux/efi.h>
> > -#include <linux/verification.h>
> >  
> >  #include <asm/bootparam.h>
> >  #include <asm/setup.h>
> > @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
> >  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> >  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> >  {
> > -	int ret;
> > -
> > -	ret = verify_pefile_signature(kernel, kernel_len,
> > -				      VERIFY_USE_SECONDARY_KEYRING,
> > -				      VERIFYING_KEXEC_PE_SIGNATURE);
> > -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > -		ret = verify_pefile_signature(kernel, kernel_len,
> > -					      VERIFY_USE_PLATFORM_KEYRING,
> > -					      VERIFYING_KEXEC_PE_SIGNATURE);
> > -	}
> > -	return ret;
> > +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
> >  }
> >  #endif
> >  
> > diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> > index 0c994ae37729..d45f32336dbe 100644
> > --- a/include/linux/kexec.h
> > +++ b/include/linux/kexec.h
> > @@ -19,6 +19,7 @@
> >  #include <asm/io.h>
> >  
> >  #include <uapi/linux/kexec.h>
> > +#include <linux/verification.h>
> >  
> >  #ifdef CONFIG_KEXEC_CORE
> >  #include <linux/list.h>
> > @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
> >  #ifdef CONFIG_KEXEC_SIG
> >  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> >  				 unsigned long buf_len);
> > +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
> > +				    unsigned long kernel_len);
> >  #endif
> >  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
> >  
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 33400ff051a8..85ed6984ad8f 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> >  {
> >  	return kexec_image_verify_sig_default(image, buf, buf_len);
> >  }
> > +
> > +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> > +{
> > +	int ret;
> > +
> > +	ret = verify_pefile_signature(kernel, kernel_len,
> > +				      VERIFY_USE_SECONDARY_KEYRING,
> > +				      VERIFYING_KEXEC_PE_SIGNATURE);
> > +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > +		ret = verify_pefile_signature(kernel, kernel_len,
> > +					      VERIFY_USE_PLATFORM_KEYRING,
> > +					      VERIFYING_KEXEC_PE_SIGNATURE);
> > +	}
> > +	return ret;
> > +}
> 
> Since the function is moved as generic code, the kconfig option
> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.
> 
> Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
> not need to be compiled for only platform which support UEFI pefile

Fix the sick sentence: I means only to compile for x86_64 and arm64..

> signature verification.  And the related arch kexec_file kconfig can
> just select it.
> 
> Coiby, can you try above?
> 
> >  #endif
> >  
> >  /*
> > -- 
> > 2.33.0
> > 
> > 
> > _______________________________________________
> > kexec mailing list
> > kexec@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > 
> 
> Thanks
> Dave
> 


^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-09-30 12:52       ` Dave Young
  0 siblings, 0 replies; 20+ messages in thread
From: Dave Young @ 2021-09-30 12:52 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

On 09/30/21 at 08:49pm, Dave Young wrote:
> Hi Coiby,
> On 09/27/21 at 08:50am, Coiby Xu wrote:
> > From: Coiby Xu <coxu@redhat.com>
> > 
> > The code in bzImage64_verify_sig could make use of system keyrings including
> > .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
> > signed kernel image as PE file. Move it to a public function.
> > 
> > Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> > ---
> >  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
> >  include/linux/kexec.h             |  3 +++
> >  kernel/kexec_file.c               | 15 +++++++++++++++
> >  3 files changed, 19 insertions(+), 12 deletions(-)
> > 
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 170d0fd68b1f..4136dd3be5a9 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -17,7 +17,6 @@
> >  #include <linux/kernel.h>
> >  #include <linux/mm.h>
> >  #include <linux/efi.h>
> > -#include <linux/verification.h>
> >  
> >  #include <asm/bootparam.h>
> >  #include <asm/setup.h>
> > @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
> >  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> >  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> >  {
> > -	int ret;
> > -
> > -	ret = verify_pefile_signature(kernel, kernel_len,
> > -				      VERIFY_USE_SECONDARY_KEYRING,
> > -				      VERIFYING_KEXEC_PE_SIGNATURE);
> > -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > -		ret = verify_pefile_signature(kernel, kernel_len,
> > -					      VERIFY_USE_PLATFORM_KEYRING,
> > -					      VERIFYING_KEXEC_PE_SIGNATURE);
> > -	}
> > -	return ret;
> > +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
> >  }
> >  #endif
> >  
> > diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> > index 0c994ae37729..d45f32336dbe 100644
> > --- a/include/linux/kexec.h
> > +++ b/include/linux/kexec.h
> > @@ -19,6 +19,7 @@
> >  #include <asm/io.h>
> >  
> >  #include <uapi/linux/kexec.h>
> > +#include <linux/verification.h>
> >  
> >  #ifdef CONFIG_KEXEC_CORE
> >  #include <linux/list.h>
> > @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
> >  #ifdef CONFIG_KEXEC_SIG
> >  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> >  				 unsigned long buf_len);
> > +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
> > +				    unsigned long kernel_len);
> >  #endif
> >  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
> >  
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 33400ff051a8..85ed6984ad8f 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> >  {
> >  	return kexec_image_verify_sig_default(image, buf, buf_len);
> >  }
> > +
> > +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> > +{
> > +	int ret;
> > +
> > +	ret = verify_pefile_signature(kernel, kernel_len,
> > +				      VERIFY_USE_SECONDARY_KEYRING,
> > +				      VERIFYING_KEXEC_PE_SIGNATURE);
> > +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > +		ret = verify_pefile_signature(kernel, kernel_len,
> > +					      VERIFY_USE_PLATFORM_KEYRING,
> > +					      VERIFYING_KEXEC_PE_SIGNATURE);
> > +	}
> > +	return ret;
> > +}
> 
> Since the function is moved as generic code, the kconfig option
> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.
> 
> Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
> not need to be compiled for only platform which support UEFI pefile

Fix the sick sentence: I means only to compile for x86_64 and arm64..

> signature verification.  And the related arch kexec_file kconfig can
> just select it.
> 
> Coiby, can you try above?
> 
> >  #endif
> >  
> >  /*
> > -- 
> > 2.33.0
> > 
> > 
> > _______________________________________________
> > kexec mailing list
> > kexec@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > 
> 
> Thanks
> Dave
> 


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-09-30 12:52       ` Dave Young
  0 siblings, 0 replies; 20+ messages in thread
From: Dave Young @ 2021-09-30 12:52 UTC (permalink / raw)
  To: Coiby Xu
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

On 09/30/21 at 08:49pm, Dave Young wrote:
> Hi Coiby,
> On 09/27/21 at 08:50am, Coiby Xu wrote:
> > From: Coiby Xu <coxu@redhat.com>
> > 
> > The code in bzImage64_verify_sig could make use of system keyrings including
> > .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
> > signed kernel image as PE file. Move it to a public function.
> > 
> > Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> > ---
> >  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
> >  include/linux/kexec.h             |  3 +++
> >  kernel/kexec_file.c               | 15 +++++++++++++++
> >  3 files changed, 19 insertions(+), 12 deletions(-)
> > 
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 170d0fd68b1f..4136dd3be5a9 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -17,7 +17,6 @@
> >  #include <linux/kernel.h>
> >  #include <linux/mm.h>
> >  #include <linux/efi.h>
> > -#include <linux/verification.h>
> >  
> >  #include <asm/bootparam.h>
> >  #include <asm/setup.h>
> > @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
> >  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> >  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> >  {
> > -	int ret;
> > -
> > -	ret = verify_pefile_signature(kernel, kernel_len,
> > -				      VERIFY_USE_SECONDARY_KEYRING,
> > -				      VERIFYING_KEXEC_PE_SIGNATURE);
> > -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > -		ret = verify_pefile_signature(kernel, kernel_len,
> > -					      VERIFY_USE_PLATFORM_KEYRING,
> > -					      VERIFYING_KEXEC_PE_SIGNATURE);
> > -	}
> > -	return ret;
> > +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
> >  }
> >  #endif
> >  
> > diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> > index 0c994ae37729..d45f32336dbe 100644
> > --- a/include/linux/kexec.h
> > +++ b/include/linux/kexec.h
> > @@ -19,6 +19,7 @@
> >  #include <asm/io.h>
> >  
> >  #include <uapi/linux/kexec.h>
> > +#include <linux/verification.h>
> >  
> >  #ifdef CONFIG_KEXEC_CORE
> >  #include <linux/list.h>
> > @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
> >  #ifdef CONFIG_KEXEC_SIG
> >  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> >  				 unsigned long buf_len);
> > +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
> > +				    unsigned long kernel_len);
> >  #endif
> >  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
> >  
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 33400ff051a8..85ed6984ad8f 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> >  {
> >  	return kexec_image_verify_sig_default(image, buf, buf_len);
> >  }
> > +
> > +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
> > +{
> > +	int ret;
> > +
> > +	ret = verify_pefile_signature(kernel, kernel_len,
> > +				      VERIFY_USE_SECONDARY_KEYRING,
> > +				      VERIFYING_KEXEC_PE_SIGNATURE);
> > +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
> > +		ret = verify_pefile_signature(kernel, kernel_len,
> > +					      VERIFY_USE_PLATFORM_KEYRING,
> > +					      VERIFYING_KEXEC_PE_SIGNATURE);
> > +	}
> > +	return ret;
> > +}
> 
> Since the function is moved as generic code, the kconfig option
> CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.
> 
> Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
> not need to be compiled for only platform which support UEFI pefile

Fix the sick sentence: I means only to compile for x86_64 and arm64..

> signature verification.  And the related arch kexec_file kconfig can
> just select it.
> 
> Coiby, can you try above?
> 
> >  #endif
> >  
> >  /*
> > -- 
> > 2.33.0
> > 
> > 
> > _______________________________________________
> > kexec mailing list
> > kexec@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/kexec
> > 
> > 
> 
> Thanks
> Dave
> 


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
  2021-09-30 12:49     ` Dave Young
  (?)
@ 2021-10-08  1:11       ` Coiby Xu
  -1 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-10-08  1:11 UTC (permalink / raw)
  To: Dave Young
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

Hi Dave,

On Thu, Sep 30, 2021 at 08:49:02PM +0800, Dave Young wrote:
>Hi Coiby,
>On 09/27/21 at 08:50am, Coiby Xu wrote:
>> From: Coiby Xu <coxu@redhat.com>
>>
>> The code in bzImage64_verify_sig could make use of system keyrings including
>> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
>> signed kernel image as PE file. Move it to a public function.
>>
>> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
>> ---
>>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>>  include/linux/kexec.h             |  3 +++
>>  kernel/kexec_file.c               | 15 +++++++++++++++
>>  3 files changed, 19 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 170d0fd68b1f..4136dd3be5a9 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -17,7 +17,6 @@
>>  #include <linux/kernel.h>
>>  #include <linux/mm.h>
>>  #include <linux/efi.h>
>> -#include <linux/verification.h>
>>
>>  #include <asm/bootparam.h>
>>  #include <asm/setup.h>
>> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	int ret;
>> -
>> -	ret = verify_pefile_signature(kernel, kernel_len,
>> -				      VERIFY_USE_SECONDARY_KEYRING,
>> -				      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> -		ret = verify_pefile_signature(kernel, kernel_len,
>> -					      VERIFY_USE_PLATFORM_KEYRING,
>> -					      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	}
>> -	return ret;
>> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>>  #endif
>>
>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
>> index 0c994ae37729..d45f32336dbe 100644
>> --- a/include/linux/kexec.h
>> +++ b/include/linux/kexec.h
>> @@ -19,6 +19,7 @@
>>  #include <asm/io.h>
>>
>>  #include <uapi/linux/kexec.h>
>> +#include <linux/verification.h>
>>
>>  #ifdef CONFIG_KEXEC_CORE
>>  #include <linux/list.h>
>> @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
>>  #ifdef CONFIG_KEXEC_SIG
>>  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>>  				 unsigned long buf_len);
>> +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
>> +				    unsigned long kernel_len);
>>  #endif
>>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 33400ff051a8..85ed6984ad8f 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>>  {
>>  	return kexec_image_verify_sig_default(image, buf, buf_len);
>>  }
>> +
>> +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
>> +{
>> +	int ret;
>> +
>> +	ret = verify_pefile_signature(kernel, kernel_len,
>> +				      VERIFY_USE_SECONDARY_KEYRING,
>> +				      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> +		ret = verify_pefile_signature(kernel, kernel_len,
>> +					      VERIFY_USE_PLATFORM_KEYRING,
>> +					      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	}
>> +	return ret;
>> +}
>
>Since the function is moved as generic code, the kconfig option
>CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.

>
>Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
>not need to be compiled for only platform which support UEFI pefile
>signature verification.  And the related arch kexec_file kconfig can
>just select it.


Thanks for the suggestion! I notice KEXEC_BZIMAGE_VERIFY_SIG depends 
on SIGNED_PE_FILE_VERIFICATION and selects SYSTEM_TRUSTED_KEYRING. So 
maybe SIGNED_PE_FILE_VERIFICATION could do the job of 
CONFIG_KEXEC_PEFILE_VERIFY_SIG. And arch/arm64/Kconfig also have 
KEXEC_IMAGE_VERIFY_SIG. So maybe it's better we don't keep
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.

>
>Coiby, can you try above?
>
>>  #endif
>>
>>  /*
>> --
>> 2.33.0
>>
>>
>> _______________________________________________
>> kexec mailing list
>> kexec@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/kexec
>>
>>
>
>Thanks
>Dave
>

-- 
Best regards,
Coiby

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-10-08  1:11       ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-10-08  1:11 UTC (permalink / raw)
  To: Dave Young
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

Hi Dave,

On Thu, Sep 30, 2021 at 08:49:02PM +0800, Dave Young wrote:
>Hi Coiby,
>On 09/27/21 at 08:50am, Coiby Xu wrote:
>> From: Coiby Xu <coxu@redhat.com>
>>
>> The code in bzImage64_verify_sig could make use of system keyrings including
>> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
>> signed kernel image as PE file. Move it to a public function.
>>
>> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
>> ---
>>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>>  include/linux/kexec.h             |  3 +++
>>  kernel/kexec_file.c               | 15 +++++++++++++++
>>  3 files changed, 19 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 170d0fd68b1f..4136dd3be5a9 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -17,7 +17,6 @@
>>  #include <linux/kernel.h>
>>  #include <linux/mm.h>
>>  #include <linux/efi.h>
>> -#include <linux/verification.h>
>>
>>  #include <asm/bootparam.h>
>>  #include <asm/setup.h>
>> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	int ret;
>> -
>> -	ret = verify_pefile_signature(kernel, kernel_len,
>> -				      VERIFY_USE_SECONDARY_KEYRING,
>> -				      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> -		ret = verify_pefile_signature(kernel, kernel_len,
>> -					      VERIFY_USE_PLATFORM_KEYRING,
>> -					      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	}
>> -	return ret;
>> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>>  #endif
>>
>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
>> index 0c994ae37729..d45f32336dbe 100644
>> --- a/include/linux/kexec.h
>> +++ b/include/linux/kexec.h
>> @@ -19,6 +19,7 @@
>>  #include <asm/io.h>
>>
>>  #include <uapi/linux/kexec.h>
>> +#include <linux/verification.h>
>>
>>  #ifdef CONFIG_KEXEC_CORE
>>  #include <linux/list.h>
>> @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
>>  #ifdef CONFIG_KEXEC_SIG
>>  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>>  				 unsigned long buf_len);
>> +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
>> +				    unsigned long kernel_len);
>>  #endif
>>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 33400ff051a8..85ed6984ad8f 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>>  {
>>  	return kexec_image_verify_sig_default(image, buf, buf_len);
>>  }
>> +
>> +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
>> +{
>> +	int ret;
>> +
>> +	ret = verify_pefile_signature(kernel, kernel_len,
>> +				      VERIFY_USE_SECONDARY_KEYRING,
>> +				      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> +		ret = verify_pefile_signature(kernel, kernel_len,
>> +					      VERIFY_USE_PLATFORM_KEYRING,
>> +					      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	}
>> +	return ret;
>> +}
>
>Since the function is moved as generic code, the kconfig option
>CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.

>
>Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
>not need to be compiled for only platform which support UEFI pefile
>signature verification.  And the related arch kexec_file kconfig can
>just select it.


Thanks for the suggestion! I notice KEXEC_BZIMAGE_VERIFY_SIG depends 
on SIGNED_PE_FILE_VERIFICATION and selects SYSTEM_TRUSTED_KEYRING. So 
maybe SIGNED_PE_FILE_VERIFICATION could do the job of 
CONFIG_KEXEC_PEFILE_VERIFY_SIG. And arch/arm64/Kconfig also have 
KEXEC_IMAGE_VERIFY_SIG. So maybe it's better we don't keep
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.

>
>Coiby, can you try above?
>
>>  #endif
>>
>>  /*
>> --
>> 2.33.0
>>
>>
>> _______________________________________________
>> kexec mailing list
>> kexec@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/kexec
>>
>>
>
>Thanks
>Dave
>

-- 
Best regards,
Coiby

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public
@ 2021-10-08  1:11       ` Coiby Xu
  0 siblings, 0 replies; 20+ messages in thread
From: Coiby Xu @ 2021-10-08  1:11 UTC (permalink / raw)
  To: Dave Young
  Cc: kexec, linux-arm-kernel, Coiby Xu, Thomas Gleixner, Ingo Molnar,
	Borislav Petkov, maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT),
	H. Peter Anvin, Eric Biederman,
	open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)

Hi Dave,

On Thu, Sep 30, 2021 at 08:49:02PM +0800, Dave Young wrote:
>Hi Coiby,
>On 09/27/21 at 08:50am, Coiby Xu wrote:
>> From: Coiby Xu <coxu@redhat.com>
>>
>> The code in bzImage64_verify_sig could make use of system keyrings including
>> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
>> signed kernel image as PE file. Move it to a public function.
>>
>> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
>> ---
>>  arch/x86/kernel/kexec-bzimage64.c | 13 +------------
>>  include/linux/kexec.h             |  3 +++
>>  kernel/kexec_file.c               | 15 +++++++++++++++
>>  3 files changed, 19 insertions(+), 12 deletions(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 170d0fd68b1f..4136dd3be5a9 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -17,7 +17,6 @@
>>  #include <linux/kernel.h>
>>  #include <linux/mm.h>
>>  #include <linux/efi.h>
>> -#include <linux/verification.h>
>>
>>  #include <asm/bootparam.h>
>>  #include <asm/setup.h>
>> @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
>>  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
>>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>>  {
>> -	int ret;
>> -
>> -	ret = verify_pefile_signature(kernel, kernel_len,
>> -				      VERIFY_USE_SECONDARY_KEYRING,
>> -				      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> -		ret = verify_pefile_signature(kernel, kernel_len,
>> -					      VERIFY_USE_PLATFORM_KEYRING,
>> -					      VERIFYING_KEXEC_PE_SIGNATURE);
>> -	}
>> -	return ret;
>> +	return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
>>  }
>>  #endif
>>
>> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
>> index 0c994ae37729..d45f32336dbe 100644
>> --- a/include/linux/kexec.h
>> +++ b/include/linux/kexec.h
>> @@ -19,6 +19,7 @@
>>  #include <asm/io.h>
>>
>>  #include <uapi/linux/kexec.h>
>> +#include <linux/verification.h>
>>
>>  #ifdef CONFIG_KEXEC_CORE
>>  #include <linux/list.h>
>> @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image);
>>  #ifdef CONFIG_KEXEC_SIG
>>  int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>>  				 unsigned long buf_len);
>> +int arch_kexec_kernel_verify_pe_sig(const char *kernel,
>> +				    unsigned long kernel_len);
>>  #endif
>>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
>> index 33400ff051a8..85ed6984ad8f 100644
>> --- a/kernel/kexec_file.c
>> +++ b/kernel/kexec_file.c
>> @@ -106,6 +106,21 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
>>  {
>>  	return kexec_image_verify_sig_default(image, buf, buf_len);
>>  }
>> +
>> +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
>> +{
>> +	int ret;
>> +
>> +	ret = verify_pefile_signature(kernel, kernel_len,
>> +				      VERIFY_USE_SECONDARY_KEYRING,
>> +				      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
>> +		ret = verify_pefile_signature(kernel, kernel_len,
>> +					      VERIFY_USE_PLATFORM_KEYRING,
>> +					      VERIFYING_KEXEC_PE_SIGNATURE);
>> +	}
>> +	return ret;
>> +}
>
>Since the function is moved as generic code, the kconfig option
>CONFIG_KEXEC_BZIMAGE_VERIFY_SIG can be removed.

>
>Instead a CONFIG_KEXEC_PEFILE_VERIFY_SIG can be added so that it does
>not need to be compiled for only platform which support UEFI pefile
>signature verification.  And the related arch kexec_file kconfig can
>just select it.


Thanks for the suggestion! I notice KEXEC_BZIMAGE_VERIFY_SIG depends 
on SIGNED_PE_FILE_VERIFICATION and selects SYSTEM_TRUSTED_KEYRING. So 
maybe SIGNED_PE_FILE_VERIFICATION could do the job of 
CONFIG_KEXEC_PEFILE_VERIFY_SIG. And arch/arm64/Kconfig also have 
KEXEC_IMAGE_VERIFY_SIG. So maybe it's better we don't keep
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.

>
>Coiby, can you try above?
>
>>  #endif
>>
>>  /*
>> --
>> 2.33.0
>>
>>
>> _______________________________________________
>> kexec mailing list
>> kexec@lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/kexec
>>
>>
>
>Thanks
>Dave
>

-- 
Best regards,
Coiby

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

^ permalink raw reply	[flat|nested] 20+ messages in thread

end of thread, other threads:[~2021-10-08  1:18 UTC | newest]

Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-27  0:50 [PATCH 0/2] use more system keyrings to verify kdump kernel image signature Coiby Xu
2021-09-27  0:50 ` Coiby Xu
2021-09-27  0:50 ` [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public Coiby Xu
2021-09-27  0:50   ` Coiby Xu
2021-09-27  0:50   ` Coiby Xu
2021-09-30 12:49   ` Dave Young
2021-09-30 12:49     ` Dave Young
2021-09-30 12:49     ` Dave Young
2021-09-30 12:52     ` Dave Young
2021-09-30 12:52       ` Dave Young
2021-09-30 12:52       ` Dave Young
2021-10-08  1:11     ` Coiby Xu
2021-10-08  1:11       ` Coiby Xu
2021-10-08  1:11       ` Coiby Xu
2021-09-27  0:50 ` [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature Coiby Xu
2021-09-27  0:50   ` Coiby Xu
2021-09-27  0:50   ` Coiby Xu
2021-09-29 16:24   ` Will Deacon
2021-09-29 16:24     ` Will Deacon
2021-09-29 16:24     ` Will Deacon

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.