From: Will Deacon <will@kernel.org>
To: Coiby Xu <coiby.xu@gmail.com>
Cc: kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
Coiby Xu <coxu@redhat.com>,
Catalin Marinas <catalin.marinas@arm.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
Date: Wed, 29 Sep 2021 17:24:28 +0100 [thread overview]
Message-ID: <20210929162428.GG22029@willie-the-truck> (raw)
In-Reply-To: <20210927005004.36367-3-coiby.xu@gmail.com>
On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
>
> This allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.
>
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
> arch/arm64/kernel/kexec_image.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..2357ee2f229a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
> #include <linux/kexec.h>
> #include <linux/pe.h>
> #include <linux/string.h>
> -#include <linux/verification.h>
> #include <asm/byteorder.h>
> #include <asm/cpufeature.h>
> #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
> #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
> static int image_verify_sig(const char *kernel, unsigned long kernel_len)
> {
> - return verify_pefile_signature(kernel, kernel_len, NULL,
> - VERIFYING_KEXEC_PE_SIGNATURE);
> + return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
I'm fine with this in principle, but it looks like the first patch is the
important one.
So for the arm64 bit:
Acked-by: Will Deacon <will@kernel.org>
Will
WARNING: multiple messages have this Message-ID (diff)
From: Will Deacon <will@kernel.org>
To: Coiby Xu <coiby.xu@gmail.com>
Cc: kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
Coiby Xu <coxu@redhat.com>,
Catalin Marinas <catalin.marinas@arm.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
Date: Wed, 29 Sep 2021 17:24:28 +0100 [thread overview]
Message-ID: <20210929162428.GG22029@willie-the-truck> (raw)
In-Reply-To: <20210927005004.36367-3-coiby.xu@gmail.com>
On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
>
> This allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.
>
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
> arch/arm64/kernel/kexec_image.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..2357ee2f229a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
> #include <linux/kexec.h>
> #include <linux/pe.h>
> #include <linux/string.h>
> -#include <linux/verification.h>
> #include <asm/byteorder.h>
> #include <asm/cpufeature.h>
> #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
> #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
> static int image_verify_sig(const char *kernel, unsigned long kernel_len)
> {
> - return verify_pefile_signature(kernel, kernel_len, NULL,
> - VERIFYING_KEXEC_PE_SIGNATURE);
> + return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
I'm fine with this in principle, but it looks like the first patch is the
important one.
So for the arm64 bit:
Acked-by: Will Deacon <will@kernel.org>
Will
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Will Deacon <will@kernel.org>
To: Coiby Xu <coiby.xu@gmail.com>
Cc: kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
Coiby Xu <coxu@redhat.com>,
Catalin Marinas <catalin.marinas@arm.com>,
open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature
Date: Wed, 29 Sep 2021 17:24:28 +0100 [thread overview]
Message-ID: <20210929162428.GG22029@willie-the-truck> (raw)
In-Reply-To: <20210927005004.36367-3-coiby.xu@gmail.com>
On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
>
> This allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.
>
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
> arch/arm64/kernel/kexec_image.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
> index 9ec34690e255..2357ee2f229a 100644
> --- a/arch/arm64/kernel/kexec_image.c
> +++ b/arch/arm64/kernel/kexec_image.c
> @@ -14,7 +14,6 @@
> #include <linux/kexec.h>
> #include <linux/pe.h>
> #include <linux/string.h>
> -#include <linux/verification.h>
> #include <asm/byteorder.h>
> #include <asm/cpufeature.h>
> #include <asm/image.h>
> @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
> #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
> static int image_verify_sig(const char *kernel, unsigned long kernel_len)
> {
> - return verify_pefile_signature(kernel, kernel_len, NULL,
> - VERIFYING_KEXEC_PE_SIGNATURE);
> + return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len);
I'm fine with this in principle, but it looks like the first patch is the
important one.
So for the arm64 bit:
Acked-by: Will Deacon <will@kernel.org>
Will
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2021-09-29 16:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-27 0:50 [PATCH 0/2] use more system keyrings to verify kdump kernel image signature Coiby Xu
2021-09-27 0:50 ` Coiby Xu
2021-09-27 0:50 ` [PATCH 1/2] kexec, KEYS: make the code in bzImage64_verify_sig public Coiby Xu
2021-09-27 0:50 ` Coiby Xu
2021-09-27 0:50 ` Coiby Xu
2021-09-30 12:49 ` Dave Young
2021-09-30 12:49 ` Dave Young
2021-09-30 12:49 ` Dave Young
2021-09-30 12:52 ` Dave Young
2021-09-30 12:52 ` Dave Young
2021-09-30 12:52 ` Dave Young
2021-10-08 1:11 ` Coiby Xu
2021-10-08 1:11 ` Coiby Xu
2021-10-08 1:11 ` Coiby Xu
2021-09-27 0:50 ` [PATCH 2/2] arm64: kexec_file: use more system keyrings to verify kernel image signature Coiby Xu
2021-09-27 0:50 ` Coiby Xu
2021-09-27 0:50 ` Coiby Xu
2021-09-29 16:24 ` Will Deacon [this message]
2021-09-29 16:24 ` Will Deacon
2021-09-29 16:24 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210929162428.GG22029@willie-the-truck \
--to=will@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=coiby.xu@gmail.com \
--cc=coxu@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.