From: Michal Suchánek
To: Coiby Xu
Cc: Catalin Marinas, Will Deacon, Heiko Carstens, Vasily Gorbik,
    "Lee, Chun-Yi", Alexander Gordeev, Christian Borntraeger,
    Sven Schnelle, Philipp Rudo, Baoquan He, Alexander Egorenkov,
    AKASHI Takahiro, James Morse, Dave Young, Mimi Zohar, Kairui Song,
    Martin Schwidefsky, linux-arm-kernel@lists.infradead.org,
    linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
    kexec@lists.infradead.org
Date: Fri, 8 Apr 2022 10:51:20 +0200
Subject: Re: [PATCH 0/4] Unifrom keyring support across architectures and functions
Message-ID: <20220408085120.GV163591@kunlun.suse.cz>
In-Reply-To: <20220408074704.wkyyv2qnx66iinzo@Rk>

On Fri, Apr 08, 2022 at 03:47:04PM +0800, Coiby Xu wrote:
> Hi Michal,
>
> As mentioned by Baoquan, I have a patch set "[PATCH v5 0/3] use more
> system keyrings to verify arm64 kdump kernel image signature" [1]. The
> differences between your patch set and mine are as follows,
>  - my patch set only adds support for arm64 while yours also extends to
>    s390
>  - I made the code for verifying signed kernel image as PE file in x86
>    public so arm64 can reuse the code as well which seems to be a better
>    approach
>  - I also cleaned up arch_kexec_kernel_verify_sig
>
> Would you mind if I integrate your first 3 patches with mine as follows
>  - for arm64, I'll use my version
>  - for s390, I'll use your version

Great, less code duplication is always good.

Thanks

Michal

>
> For your last patch which allows the use of the platform keyring for
> signature verification of kernel modules, I'll leave it to yourself.
> What do you think about it?
>
>
> [1] https://lore.kernel.org/all/20220401013118.348084-1-coxu@redhat.com/
>
> On Tue, Feb 15, 2022 at 08:39:37PM +0100, Michal Suchanek wrote:
> > While testing KEXEC_SIG on powerpc I noticed a discrepancy in support for
> > different keyrings across architectures and between KEXEC_SIG and
> > MODULE_SIG. Fix this by enabling support for the missing keyrings.
> >
> > The latter two patches obviously conflict with the ongoing module code
> > cleanup. If they turn out desirable I will add them to the other series
> > dealing with KEXEC_SIG.
> >
> > The arm patches can be merged independently.
> >
> > Thanks
> >
> > Michal
> >
> > Michal Suchanek (4):
> >   Fix arm64 kexec forbidding kernels signed with keys in the secondary
> >     keyring to boot
> >   kexec, KEYS, arm64: Make use of platform keyring for signature
> >     verification
> >   kexec, KEYS, s390: Make use of built-in and secondary keyring for
> >     signature verification
> >   module, KEYS: Make use of platform keyring for signature verification
> >
> >  arch/arm64/kernel/kexec_image.c       | 13 +++++++++++--
> >  arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++-----
> >  kernel/module_signing.c               | 14 ++++++++++----
> >  3 files changed, 34 insertions(+), 11 deletions(-)
> >
> > --
> > 2.31.1
> >
>
> --
> Best regards,
> Coiby
>