From: Coiby Xu <coxu@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Baoquan He" <bhe@redhat.com>,
"Michal Suchánek" <msuchanek@suse.de>,
"Heiko Carstens" <hca@linux.ibm.com>,
akpm@linux-foundation.org, kexec@lists.infradead.org,
keyrings@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
"Dave Young" <dyoung@redhat.com>, "Will Deacon" <will@kernel.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Chun-Yi Lee" <jlee@suse.com>,
stable@vger.kernel.org, "Philipp Rudo" <prudo@linux.ibm.com>,
linux-security-module@vger.kernel.org,
"Vasily Gorbik" <gor@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Sven Schnelle" <svens@linux.ibm.com>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
"open list:S390" <linux-s390@vger.kernel.org>,
"open list" <linux-kernel@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
"Jarkko Sakkinen" <jarkko@kernel.org>
Subject: Re: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
Date: Thu, 16 Jun 2022 09:46:50 +0800 [thread overview]
Message-ID: <20220616014650.wd6saed72breqeyb@Rk> (raw)
In-Reply-To: <20220519171134.GN163591@kunlun.suse.cz>
Hi Mimi,
>> >
>> > This patch set could probably go through KEYS/KEYRINGS_INTEGRITY, but
>> > it's kind of late to be asking. Has it been in linux-next? Should I
>> > assume this patch set has been fully tested or can we get some "tags"?
>>
[...]
>>
>> IIRC, Coiby has tested it on x86_64/arm64, not sure if he took test on
>> s390. No, this hasn't been in linux-next.
For arm64, recently I did a new round of test and the patches works as
expected,
1. Build 5.19.0-rc2
2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI
db;
3. sign different kernel images with different keys including keys
from .builtin_trusted_key, .secondary_trusted_keys keyring, UEFI db
key and MOK key
4. Without lockdown, all kernel images can be kexec'ed; with lockdown
enabled, only the kernel image signed by the key from
.builtin_trusted_key can be kexec'ed
Then I build a new kernel with the patches applied and confirm all
kernel images can be kexec'ed.
>
>I used the s390 code on powerpc and there it did not work because the
>built-in key was needed to verify the kernel.
>
>I did not really run this on s390, only ported the fix I needed on
>powerpc back to s390.
For 390, I commented out the code that skips signature verification
when secure boot is not enabled since I couldn't find a machine that
supports secure boot and confirm before applying the patch, kernel
images signed by keys from .builtin_trusted_key, .secondary_trusted_keys
couldn't be kexec'ed when lockdown is enabled; after applying the
patch, those kernel images could be kexec'ed.
>
>Thanks
>
>Michal
>
--
Best regards,
Coiby
WARNING: multiple messages have this Message-ID (diff)
From: Coiby Xu <coxu@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Baoquan He" <bhe@redhat.com>,
"Michal Suchánek" <msuchanek@suse.de>,
"Heiko Carstens" <hca@linux.ibm.com>,
akpm@linux-foundation.org, kexec@lists.infradead.org,
keyrings@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
"Dave Young" <dyoung@redhat.com>, "Will Deacon" <will@kernel.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Chun-Yi Lee" <jlee@suse.com>,
stable@vger.kernel.org, "Philipp Rudo" <prudo@linux.ibm.com>,
linux-security-module@vger.kernel.org,
"Vasily Gorbik" <gor@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Sven Schnelle" <svens@linux.ibm.com>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
"open list:S390" <linux-s390@vger.kernel.org>,
"open list" <linux-kernel@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
"Jarkko Sakkinen" <jarkko@kernel.org>
Subject: Re: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
Date: Thu, 16 Jun 2022 09:46:50 +0800 [thread overview]
Message-ID: <20220616014650.wd6saed72breqeyb@Rk> (raw)
In-Reply-To: <20220519171134.GN163591@kunlun.suse.cz>
Hi Mimi,
>> >
>> > This patch set could probably go through KEYS/KEYRINGS_INTEGRITY, but
>> > it's kind of late to be asking. Has it been in linux-next? Should I
>> > assume this patch set has been fully tested or can we get some "tags"?
>>
[...]
>>
>> IIRC, Coiby has tested it on x86_64/arm64, not sure if he took test on
>> s390. No, this hasn't been in linux-next.
For arm64, recently I did a new round of test and the patches works as
expected,
1. Build 5.19.0-rc2
2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI
db;
3. sign different kernel images with different keys including keys
from .builtin_trusted_key, .secondary_trusted_keys keyring, UEFI db
key and MOK key
4. Without lockdown, all kernel images can be kexec'ed; with lockdown
enabled, only the kernel image signed by the key from
.builtin_trusted_key can be kexec'ed
Then I build a new kernel with the patches applied and confirm all
kernel images can be kexec'ed.
>
>I used the s390 code on powerpc and there it did not work because the
>built-in key was needed to verify the kernel.
>
>I did not really run this on s390, only ported the fix I needed on
>powerpc back to s390.
For 390, I commented out the code that skips signature verification
when secure boot is not enabled since I couldn't find a machine that
supports secure boot and confirm before applying the patch, kernel
images signed by keys from .builtin_trusted_key, .secondary_trusted_keys
couldn't be kexec'ed when lockdown is enabled; after applying the
patch, those kernel images could be kexec'ed.
>
>Thanks
>
>Michal
>
--
Best regards,
Coiby
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Coiby Xu <coxu@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: "Baoquan He" <bhe@redhat.com>,
"Michal Suchánek" <msuchanek@suse.de>,
"Heiko Carstens" <hca@linux.ibm.com>,
akpm@linux-foundation.org, kexec@lists.infradead.org,
keyrings@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
"Dave Young" <dyoung@redhat.com>, "Will Deacon" <will@kernel.org>,
"Eric W . Biederman" <ebiederm@xmission.com>,
"Chun-Yi Lee" <jlee@suse.com>,
stable@vger.kernel.org, "Philipp Rudo" <prudo@linux.ibm.com>,
linux-security-module@vger.kernel.org,
"Vasily Gorbik" <gor@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Sven Schnelle" <svens@linux.ibm.com>,
"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
"open list:S390" <linux-s390@vger.kernel.org>,
"open list" <linux-kernel@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
"Jarkko Sakkinen" <jarkko@kernel.org>
Subject: Re: [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification
Date: Thu, 16 Jun 2022 09:46:50 +0800 [thread overview]
Message-ID: <20220616014650.wd6saed72breqeyb@Rk> (raw)
In-Reply-To: <20220519171134.GN163591@kunlun.suse.cz>
Hi Mimi,
>> >
>> > This patch set could probably go through KEYS/KEYRINGS_INTEGRITY, but
>> > it's kind of late to be asking. Has it been in linux-next? Should I
>> > assume this patch set has been fully tested or can we get some "tags"?
>>
[...]
>>
>> IIRC, Coiby has tested it on x86_64/arm64, not sure if he took test on
>> s390. No, this hasn't been in linux-next.
For arm64, recently I did a new round of test and the patches works as
expected,
1. Build 5.19.0-rc2
2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI
db;
3. sign different kernel images with different keys including keys
from .builtin_trusted_key, .secondary_trusted_keys keyring, UEFI db
key and MOK key
4. Without lockdown, all kernel images can be kexec'ed; with lockdown
enabled, only the kernel image signed by the key from
.builtin_trusted_key can be kexec'ed
Then I build a new kernel with the patches applied and confirm all
kernel images can be kexec'ed.
>
>I used the s390 code on powerpc and there it did not work because the
>built-in key was needed to verify the kernel.
>
>I did not really run this on s390, only ported the fix I needed on
>powerpc back to s390.
For 390, I commented out the code that skips signature verification
when secure boot is not enabled since I couldn't find a machine that
supports secure boot and confirm before applying the patch, kernel
images signed by keys from .builtin_trusted_key, .secondary_trusted_keys
couldn't be kexec'ed when lockdown is enabled; after applying the
patch, those kernel images could be kexec'ed.
>
>Thanks
>
>Michal
>
--
Best regards,
Coiby
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2022-06-16 1:50 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-12 7:01 [PATCH v8 0/4] use more system keyrings to verify arm64 and s390 kexec kernel image signature Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-12 7:01 ` [PATCH v8 1/4] kexec: clean up arch_kexec_kernel_verify_sig Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-06-09 21:57 ` Mimi Zohar
2022-06-09 21:57 ` Mimi Zohar
2022-06-09 21:57 ` Mimi Zohar
2022-05-12 7:01 ` [PATCH v8 2/4] kexec, KEYS: make the code in bzImage64_verify_sig generic Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-12 7:21 ` Baoquan He
2022-05-12 7:21 ` Baoquan He
2022-05-12 7:21 ` Baoquan He
2022-06-09 22:18 ` Mimi Zohar
2022-06-09 22:18 ` Mimi Zohar
2022-06-09 22:18 ` Mimi Zohar
2022-06-16 1:47 ` Coiby Xu
2022-06-16 1:47 ` Coiby Xu
2022-06-16 1:47 ` Coiby Xu
2022-05-12 7:01 ` [PATCH v8 3/4] arm64: kexec_file: use more system keyrings to verify kernel image signature Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-06-09 23:15 ` Mimi Zohar
2022-06-09 23:15 ` Mimi Zohar
2022-06-09 23:15 ` Mimi Zohar
2022-06-16 1:22 ` Coiby Xu
2022-06-16 1:22 ` Coiby Xu
2022-06-16 1:22 ` Coiby Xu
2022-06-17 9:34 ` Michal Suchánek
2022-06-17 9:34 ` Michal Suchánek
2022-06-17 9:34 ` Michal Suchánek
2022-05-12 7:01 ` [PATCH v8 4/4] kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-12 7:01 ` Coiby Xu
2022-05-18 11:29 ` Heiko Carstens
2022-05-18 11:29 ` Heiko Carstens
2022-05-18 11:29 ` Heiko Carstens
2022-05-19 0:39 ` Baoquan He
2022-05-19 0:39 ` Baoquan He
2022-05-19 0:39 ` Baoquan He
2022-05-19 11:56 ` Mimi Zohar
2022-05-19 11:56 ` Mimi Zohar
2022-05-19 11:56 ` Mimi Zohar
2022-05-19 14:22 ` Baoquan He
2022-05-19 14:22 ` Baoquan He
2022-05-19 14:22 ` Baoquan He
2022-05-19 17:11 ` Michal Suchánek
2022-05-19 17:11 ` Michal =?unknown-8bit?q?Such=C3=A1nek?=
2022-05-19 17:11 ` Michal Suchánek
2022-06-16 1:46 ` Coiby Xu [this message]
2022-06-16 1:46 ` Coiby Xu
2022-06-16 1:46 ` Coiby Xu
2022-05-20 17:04 ` [PATCH v8 0/4] use more system keyrings to verify arm64 and s390 kexec kernel image signature Mimi Zohar
2022-05-20 17:04 ` Mimi Zohar
2022-05-25 9:59 ` Coiby Xu
2022-05-25 9:59 ` Coiby Xu
2022-05-25 13:30 ` Mimi Zohar
2022-05-25 13:30 ` Mimi Zohar
2022-05-27 13:43 ` Coiby Xu
2022-05-27 13:43 ` Coiby Xu
2022-05-27 16:45 ` Mimi Zohar
2022-05-27 16:45 ` Mimi Zohar
2022-06-16 1:15 ` Coiby Xu
2022-06-16 1:15 ` Coiby Xu
2022-06-17 3:57 ` Coiby Xu
2022-06-17 3:57 ` Coiby Xu
2022-06-17 11:58 ` Mimi Zohar
2022-06-17 11:58 ` Mimi Zohar
2022-06-20 13:14 ` Coiby Xu
2022-06-20 13:14 ` Coiby Xu
2022-06-09 15:35 ` Mimi Zohar
2022-06-09 15:35 ` Mimi Zohar
2022-06-16 1:21 ` Coiby Xu
2022-06-16 1:21 ` Coiby Xu
2022-06-17 12:06 ` Mimi Zohar
2022-06-17 12:06 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220616014650.wd6saed72breqeyb@Rk \
--to=coxu@redhat.com \
--cc=agordeev@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=bhe@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=dyoung@redhat.com \
--cc=ebiederm@xmission.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=jarkko@kernel.org \
--cc=jlee@suse.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=msuchanek@suse.de \
--cc=prudo@linux.ibm.com \
--cc=schwidefsky@de.ibm.com \
--cc=stable@vger.kernel.org \
--cc=svens@linux.ibm.com \
--cc=will@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.