FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[gregkh]

The patch below does not apply to the 5.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
From: Coiby Xu <coxu@redhat.com>
Date: Thu, 14 Jul 2022 21:40:26 +0800
Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
 image signature

Currently, when loading a kernel image via the kexec_file_load() system
call, arm64 can only use the .builtin_trusted_keys keyring to verify
a signature whereas x86 can use three more keyrings i.e.
.secondary_trusted_keys, .machine and .platform keyrings. For example,
one resulting problem is kexec'ing a kernel image  would be rejected
with the error "Lockdown: kexec: kexec of unsigned images is restricted;
see man kernel_lockdown.7".

This patch set enables arm64 to make use of the same keyrings as x86 to
verify the signature kexec'ed kernel image.

Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
Acked-by: Baoquan He <bhe@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Co-developed-by: Michal Suchanek <msuchanek@suse.de>
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..5ed6a585f21f 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -130,18 +129,10 @@ static void *image_load(struct kimage *image,
 	return NULL;
 }
 
-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
-static int image_verify_sig(const char *kernel, unsigned long kernel_len)
-{
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
-}
-#endif
-
 const struct kexec_file_ops kexec_image_ops = {
 	.probe = image_probe,
 	.load = image_load,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
-	.verify_sig = image_verify_sig,
+	.verify_sig = kexec_kernel_verify_pe_sig,
 #endif
 };

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Mimi Zohar]

Hi Greg,

On Mon, 2022-08-15 at 17:33 +0200, gregkh@linuxfoundation.org wrote:
> The patch below does not apply to the 5.19-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.

The commits contained in the 88b61b130334 ("Merge remote-tracking
branch 'linux-integrity/kexec-keyrings' into next-integrity") should be
applied in the proper order to avoid merge conflicts.  

The third patch has a dependency on the first two commits, which were
initially in Andrew's tree.   The third commit says, "Note later
patches are dependent on this patch so it should be backported to the
stable tree as well."

thanks,

Mimi

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Coiby Xu]

Hi Greg,

Good to see you here:)

On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
>
>The patch below does not apply to the 5.19-stable tree.
>If someone wants it applied there, or to any other stable or longterm
>tree, then please email the backport, including the original git commit
>id to <stable@vger.kernel.org>.
>
>thanks,
>
>greg k-h
>
>------------------ original commit in Linus's tree ------------------
>
>From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
>From: Coiby Xu <coxu@redhat.com>
>Date: Thu, 14 Jul 2022 21:40:26 +0800
>Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> image signature
>
>Currently, when loading a kernel image via the kexec_file_load() system
>call, arm64 can only use the .builtin_trusted_keys keyring to verify
>a signature whereas x86 can use three more keyrings i.e.
>.secondary_trusted_keys, .machine and .platform keyrings. For example,
>one resulting problem is kexec'ing a kernel image  would be rejected
>with the error "Lockdown: kexec: kexec of unsigned images is restricted;
>see man kernel_lockdown.7".
>
>This patch set enables arm64 to make use of the same keyrings as x86 to
>verify the signature kexec'ed kernel image.
>
>Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
>Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
>Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
>Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic

I've added the above three patch prerequisites following [1]. I assume
there is a program automatically picking up this patch. But somehow it
fails to pick up the prerequisites first. Is it because the commit ids
change when the patches are finally applied to Linus's tree? If it's
true, how do we make sure the we have the correct commit ids? Note [1]
strongly recommends "Cc: stable@vger.kernel.org" to submit patches to
stable tree but it seems there is no way to know beforehand the correct
commit ids of the prerequisites that are yet to arrive in Linus's tree.

[1] https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html

>Acked-by: Baoquan He <bhe@redhat.com>
>Cc: kexec@lists.infradead.org
>Cc: keyrings@vger.kernel.org
>Cc: linux-security-module@vger.kernel.org
>Co-developed-by: Michal Suchanek <msuchanek@suse.de>
>Signed-off-by: Michal Suchanek <msuchanek@suse.de>
>Acked-by: Will Deacon <will@kernel.org>
>Signed-off-by: Coiby Xu <coxu@redhat.com>
>Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
>
>diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
>index 9ec34690e255..5ed6a585f21f 100644
>--- a/arch/arm64/kernel/kexec_image.c
>+++ b/arch/arm64/kernel/kexec_image.c
>@@ -14,7 +14,6 @@
> #include <linux/kexec.h>
> #include <linux/pe.h>
> #include <linux/string.h>
>-#include <linux/verification.h>
> #include <asm/byteorder.h>
> #include <asm/cpufeature.h>
> #include <asm/image.h>
>@@ -130,18 +129,10 @@ static void *image_load(struct kimage *image,
> 	return NULL;
> }
>
>-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>-static int image_verify_sig(const char *kernel, unsigned long kernel_len)
>-{
>-	return verify_pefile_signature(kernel, kernel_len, NULL,
>-				       VERIFYING_KEXEC_PE_SIGNATURE);
>-}
>-#endif
>-
> const struct kexec_file_ops kexec_image_ops = {
> 	.probe = image_probe,
> 	.load = image_load,
> #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
>-	.verify_sig = image_verify_sig,
>+	.verify_sig = kexec_kernel_verify_pe_sig,
> #endif
> };
>

-- 
Best regards,
Coiby

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Greg KH]

On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> Hi Greg,
> 
> Good to see you here:)
> 
> On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > 
> > The patch below does not apply to the 5.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> > ------------------ original commit in Linus's tree ------------------
> > 
> > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > From: Coiby Xu <coxu@redhat.com>
> > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > image signature
> > 
> > Currently, when loading a kernel image via the kexec_file_load() system
> > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > a signature whereas x86 can use three more keyrings i.e.
> > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > one resulting problem is kexec'ing a kernel image  would be rejected
> > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > see man kernel_lockdown.7".
> > 
> > This patch set enables arm64 to make use of the same keyrings as x86 to
> > verify the signature kexec'ed kernel image.
> > 
> > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions

This is not a valid commit id in Linus's tree.

> > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig

This is not a valid commit id in Linus's tree

> > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic

And this too is not a valid commit in Linus's tree.

> 
> I've added the above three patch prerequisites following [1]. I assume
> there is a program automatically picking up this patch. But somehow it
> fails to pick up the prerequisites first. Is it because the commit ids
> change when the patches are finally applied to Linus's tree?

Where did you get those commit ids from?

> If it's
> true, how do we make sure the we have the correct commit ids? Note [1]
> strongly recommends "Cc: stable@vger.kernel.org" to submit patches to
> stable tree but it seems there is no way to know beforehand the correct
> commit ids of the prerequisites that are yet to arrive in Linus's tree.

Hopefully the git ids can be stable when they are merged to a
maintainer's tree.  If not, then you can respond to this "failed" email
with the full series of what needs to be done here, as I have no idea :(

thanks,

greg k-h

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Coiby Xu]

On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
>On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
>> Hi Greg,
>>
>> Good to see you here:)
>>
>> On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
>> >
>> > The patch below does not apply to the 5.19-stable tree.
>> > If someone wants it applied there, or to any other stable or longterm
>> > tree, then please email the backport, including the original git commit
>> > id to <stable@vger.kernel.org>.
>> >
>> > thanks,
>> >
>> > greg k-h
>> >
>> > ------------------ original commit in Linus's tree ------------------
>> >
>> > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
>> > From: Coiby Xu <coxu@redhat.com>
>> > Date: Thu, 14 Jul 2022 21:40:26 +0800
>> > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
>> > image signature
>> >
>> > Currently, when loading a kernel image via the kexec_file_load() system
>> > call, arm64 can only use the .builtin_trusted_keys keyring to verify
>> > a signature whereas x86 can use three more keyrings i.e.
>> > .secondary_trusted_keys, .machine and .platform keyrings. For example,
>> > one resulting problem is kexec'ing a kernel image  would be rejected
>> > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
>> > see man kernel_lockdown.7".
>> >
>> > This patch set enables arm64 to make use of the same keyrings as x86 to
>> > verify the signature kexec'ed kernel image.
>> >
>> > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
>> > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
>
>This is not a valid commit id in Linus's tree.
>
>> > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
>
>This is not a valid commit id in Linus's tree
>
>> > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
>
>And this too is not a valid commit in Linus's tree.

Sorry for the confusion. The correct commit ids are as follows,

0738eceb6201 ("kexec: drop weak attribute from functions")
689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")

>
>>
>> I've added the above three patch prerequisites following [1]. I assume
>> there is a program automatically picking up this patch. But somehow it
>> fails to pick up the prerequisites first. Is it because the commit ids
>> change when the patches are finally applied to Linus's tree?
>
>Where did you get those commit ids from?

I got the commit ids when rebasing the patches onto the then latest
Linus tree or next-integrity tree.

>
>> If it's
>> true, how do we make sure the we have the correct commit ids? Note [1]
>> strongly recommends "Cc: stable@vger.kernel.org" to submit patches to
>> stable tree but it seems there is no way to know beforehand the correct
>> commit ids of the prerequisites that are yet to arrive in Linus's tree.
>
>Hopefully the git ids can be stable when they are merged to a
>maintainer's tree.  

I notice the commit ids of these patches in current next-integrity tree
are still different from Linus's tree. It seems there is no way to avoid
manually backporting a patch for similar cases unless the commit ids are
automatically fixed when Linus merges the patch or we could match a
commit by its subject.

> If not, then you can respond to this "failed" email
>with the full series of what needs to be done here, as I have no idea :(

Sure, I'll email the backport to stable@vger.kernel.org as the response
to this "failed" email.   

>
>thanks,
>
>greg k-h
>

-- 
Best regards,
Coiby

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Mimi Zohar]

On Tue, 2022-08-16 at 18:45 +0800, Coiby Xu wrote:
> On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> 
> >Hopefully the git ids can be stable when they are merged to a
> >maintainer's tree.

A missing Ack was added to one of the commits resulting in a forced
rebase.

> 
> I notice the commit ids of these patches in current next-integrity tree
> are still different from Linus's tree. It seems there is no way to avoid
> manually backporting a patch for similar cases unless the commit ids are
> automatically fixed when Linus merges the patch or we could match a
> commit by its subject.

After "fixing" the topic branch merge message, I forgot to push it out
to the next-integrity branch. (Will be fixed shortly.)  Other than the
merge message commit itself, the commits in Linus' tree and the next-
integrity branch are the same.  The pull request was based on the
integrity-6.20 tag.

Tip of linux-integrity/next-integrity:
$ git log 1d212f9037b0 | head -2
commit 1d212f9037b035e638d53834bfe8d3094ca1d04c
Merge: c808a6ec7166 0828c4a39be5

Tip of the my local branch and what's in Linus' branch:
$ git log 88b61b130334 | head -2
commit 88b61b130334212f8f05175e291c04adeb2bf30b
Merge: c808a6ec7166 0828c4a39be5

The pull request tag:
$ git log integrity-6.20 | head -2
commit 88b61b130334212f8f05175e291c04adeb2bf30b
Merge: c808a6ec7166 0828c4a39be5

Mimi

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Coiby Xu]

On Tue, Aug 16, 2022 at 09:14:32AM -0400, Mimi Zohar wrote:
>On Tue, 2022-08-16 at 18:45 +0800, Coiby Xu wrote:
>> On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
>>
>> >Hopefully the git ids can be stable when they are merged to a
>> >maintainer's tree.
>
>A missing Ack was added to one of the commits resulting in a forced
>rebase.
>
>>
>> I notice the commit ids of these patches in current next-integrity tree
>> are still different from Linus's tree. It seems there is no way to avoid
>> manually backporting a patch for similar cases unless the commit ids are
>> automatically fixed when Linus merges the patch or we could match a
>> commit by its subject.
>
>After "fixing" the topic branch merge message, I forgot to push it out
>to the next-integrity branch. (Will be fixed shortly.)  Other than the
>merge message commit itself, the commits in Linus' tree and the next-
>integrity branch are the same.  The pull request was based on the
>integrity-6.20 tag.
>
>Tip of linux-integrity/next-integrity:
>$ git log 1d212f9037b0 | head -2
>commit 1d212f9037b035e638d53834bfe8d3094ca1d04c
>Merge: c808a6ec7166 0828c4a39be5
>
>Tip of the my local branch and what's in Linus' branch:
>$ git log 88b61b130334 | head -2
>commit 88b61b130334212f8f05175e291c04adeb2bf30b
>Merge: c808a6ec7166 0828c4a39be5
>
>The pull request tag:
>$ git log integrity-6.20 | head -2
>commit 88b61b130334212f8f05175e291c04adeb2bf30b
>Merge: c808a6ec7166 0828c4a39be5

Thanks for the explanation! Previously I thought the commit ids are
different because Linus may have picked up the patches from the next
tree and the git ids can only be determined in the last moment. But
according to [2][3], Linus always merges a signed tag from a subsystem
maintainer and unlike cherry-pick-up a merge could preserves the commit
ids so a subsystem maintainer could know stable commit ids.

[2] https://www.spinics.net/lists/newbies/msg63520.html
[3] https://docs.kernel.org/maintainer/pull-requests.html

>
>Mimi
>

-- 
Best regards,
Coiby

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Greg KH]

On Mon, Aug 15, 2022 at 02:11:44PM -0400, Mimi Zohar wrote:
> Hi Greg,
> 
> On Mon, 2022-08-15 at 17:33 +0200, gregkh@linuxfoundation.org wrote:
> > The patch below does not apply to the 5.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> 
> The commits contained in the 88b61b130334 ("Merge remote-tracking
> branch 'linux-integrity/kexec-keyrings' into next-integrity") should be
> applied in the proper order to avoid merge conflicts.  
> 
> The third patch has a dependency on the first two commits, which were
> initially in Andrew's tree.   The third commit says, "Note later
> patches are dependent on this patch so it should be backported to the
> stable tree as well."

I need git commit ids of those commits please.  Otherwise this is
impossible to determine given the huge number of commits in the tree.

thanks,

greg k-h

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Greg KH]

On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
> On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> > On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> > > Hi Greg,
> > > 
> > > Good to see you here:)
> > > 
> > > On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > >
> > > > The patch below does not apply to the 5.19-stable tree.
> > > > If someone wants it applied there, or to any other stable or longterm
> > > > tree, then please email the backport, including the original git commit
> > > > id to <stable@vger.kernel.org>.
> > > >
> > > > thanks,
> > > >
> > > > greg k-h
> > > >
> > > > ------------------ original commit in Linus's tree ------------------
> > > >
> > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > > > From: Coiby Xu <coxu@redhat.com>
> > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > > > image signature
> > > >
> > > > Currently, when loading a kernel image via the kexec_file_load() system
> > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > > > a signature whereas x86 can use three more keyrings i.e.
> > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > > > one resulting problem is kexec'ing a kernel image  would be rejected
> > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > > > see man kernel_lockdown.7".
> > > >
> > > > This patch set enables arm64 to make use of the same keyrings as x86 to
> > > > verify the signature kexec'ed kernel image.
> > > >
> > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
> > 
> > This is not a valid commit id in Linus's tree.
> > 
> > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
> > 
> > This is not a valid commit id in Linus's tree
> > 
> > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
> > 
> > And this too is not a valid commit in Linus's tree.
> 
> Sorry for the confusion. The correct commit ids are as follows,
> 
> 0738eceb6201 ("kexec: drop weak attribute from functions")
> 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
> c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")

What order do they need to be applied in?

thanks,

greg k-h

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Michal Suchánek]

On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
> On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
> > On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> > > On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> > > > Hi Greg,
> > > > 
> > > > Good to see you here:)
> > > > 
> > > > On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > > >
> > > > > The patch below does not apply to the 5.19-stable tree.
> > > > > If someone wants it applied there, or to any other stable or longterm
> > > > > tree, then please email the backport, including the original git commit
> > > > > id to <stable@vger.kernel.org>.
> > > > >
> > > > > thanks,
> > > > >
> > > > > greg k-h
> > > > >
> > > > > ------------------ original commit in Linus's tree ------------------
> > > > >
> > > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > > > > From: Coiby Xu <coxu@redhat.com>
> > > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > > > > image signature
> > > > >
> > > > > Currently, when loading a kernel image via the kexec_file_load() system
> > > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > > > > a signature whereas x86 can use three more keyrings i.e.
> > > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > > > > one resulting problem is kexec'ing a kernel image  would be rejected
> > > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > > > > see man kernel_lockdown.7".
> > > > >
> > > > > This patch set enables arm64 to make use of the same keyrings as x86 to
> > > > > verify the signature kexec'ed kernel image.
> > > > >
> > > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
> > > 
> > > This is not a valid commit id in Linus's tree.
> > > 
> > > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
> > > 
> > > This is not a valid commit id in Linus's tree
> > > 
> > > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
> > > 
> > > And this too is not a valid commit in Linus's tree.
> > 
> > Sorry for the confusion. The correct commit ids are as follows,
> > 
> > 0738eceb6201 ("kexec: drop weak attribute from functions")
> > 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
> > c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
> 
> What order do they need to be applied in?

This is the whole series as seen in Linus tree from oldest to newest:

65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions
0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions
689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig
c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic
0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature

(with the exception of the s390 patch which stands on its own)

Thanks

Michal

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Greg KH]

On Wed, Aug 17, 2022 at 02:11:15PM +0200, Michal Suchánek wrote:
> On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
> > On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
> > > On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> > > > On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> > > > > Hi Greg,
> > > > > 
> > > > > Good to see you here:)
> > > > > 
> > > > > On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > > > >
> > > > > > The patch below does not apply to the 5.19-stable tree.
> > > > > > If someone wants it applied there, or to any other stable or longterm
> > > > > > tree, then please email the backport, including the original git commit
> > > > > > id to <stable@vger.kernel.org>.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > > >
> > > > > > ------------------ original commit in Linus's tree ------------------
> > > > > >
> > > > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > > > > > From: Coiby Xu <coxu@redhat.com>
> > > > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > > > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > > > > > image signature
> > > > > >
> > > > > > Currently, when loading a kernel image via the kexec_file_load() system
> > > > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > > > > > a signature whereas x86 can use three more keyrings i.e.
> > > > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > > > > > one resulting problem is kexec'ing a kernel image  would be rejected
> > > > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > > > > > see man kernel_lockdown.7".
> > > > > >
> > > > > > This patch set enables arm64 to make use of the same keyrings as x86 to
> > > > > > verify the signature kexec'ed kernel image.
> > > > > >
> > > > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > > > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
> > > > 
> > > > This is not a valid commit id in Linus's tree.
> > > > 
> > > > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
> > > > 
> > > > This is not a valid commit id in Linus's tree
> > > > 
> > > > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
> > > > 
> > > > And this too is not a valid commit in Linus's tree.
> > > 
> > > Sorry for the confusion. The correct commit ids are as follows,
> > > 
> > > 0738eceb6201 ("kexec: drop weak attribute from functions")
> > > 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
> > > c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
> > 
> > What order do they need to be applied in?
> 
> This is the whole series as seen in Linus tree from oldest to newest:
> 
> 65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions
> 0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions
> 689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig
> c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic
> 0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature

Great!

> (with the exception of the s390 patch which stands on its own)

What s390 patch?

Now you confused me again...

greg k-h

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Michal Suchánek]

On Wed, Aug 17, 2022 at 02:16:41PM +0200, Greg KH wrote:
> On Wed, Aug 17, 2022 at 02:11:15PM +0200, Michal Suchánek wrote:
> > On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
> > > On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
> > > > On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> > > > > On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> > > > > > Hi Greg,
> > > > > > 
> > > > > > Good to see you here:)
> > > > > > 
> > > > > > On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > > > > >
> > > > > > > The patch below does not apply to the 5.19-stable tree.
> > > > > > > If someone wants it applied there, or to any other stable or longterm
> > > > > > > tree, then please email the backport, including the original git commit
> > > > > > > id to <stable@vger.kernel.org>.
> > > > > > >
> > > > > > > thanks,
> > > > > > >
> > > > > > > greg k-h
> > > > > > >
> > > > > > > ------------------ original commit in Linus's tree ------------------
> > > > > > >
> > > > > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > > > > > > From: Coiby Xu <coxu@redhat.com>
> > > > > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > > > > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > > > > > > image signature
> > > > > > >
> > > > > > > Currently, when loading a kernel image via the kexec_file_load() system
> > > > > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > > > > > > a signature whereas x86 can use three more keyrings i.e.
> > > > > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > > > > > > one resulting problem is kexec'ing a kernel image  would be rejected
> > > > > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > > > > > > see man kernel_lockdown.7".
> > > > > > >
> > > > > > > This patch set enables arm64 to make use of the same keyrings as x86 to
> > > > > > > verify the signature kexec'ed kernel image.
> > > > > > >
> > > > > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > > > > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
> > > > > 
> > > > > This is not a valid commit id in Linus's tree.
> > > > > 
> > > > > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
> > > > > 
> > > > > This is not a valid commit id in Linus's tree
> > > > > 
> > > > > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
> > > > > 
> > > > > And this too is not a valid commit in Linus's tree.
> > > > 
> > > > Sorry for the confusion. The correct commit ids are as follows,
> > > > 
> > > > 0738eceb6201 ("kexec: drop weak attribute from functions")
> > > > 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
> > > > c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
> > > 
> > > What order do they need to be applied in?
> > 
> > This is the whole series as seen in Linus tree from oldest to newest:
> > 
> > 65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions
> > 0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions
> > 689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig
> > c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic
> > 0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature
> 
> Great!
> 
> > (with the exception of the s390 patch which stands on its own)
> 
> What s390 patch?

0828c4a39be57768b8788e8cbd0d84683ea757e5 kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification

> Now you confused me again...
> 
> greg k-h

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Coiby Xu]

On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
>On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
[...]
>> > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
>> > > > From: Coiby Xu <coxu@redhat.com>
>> > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
>> > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
>> > > > image signature
>> > > >
>> > > > Currently, when loading a kernel image via the kexec_file_load() system
>> > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
>> > > > a signature whereas x86 can use three more keyrings i.e.
>> > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
>> > > > one resulting problem is kexec'ing a kernel image  would be rejected
>> > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
>> > > > see man kernel_lockdown.7".
>> > > >
>> > > > This patch set enables arm64 to make use of the same keyrings as x86 to
>> > > > verify the signature kexec'ed kernel image.
>> > > >
>> > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
>> > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
>> >
>> > This is not a valid commit id in Linus's tree.
>> >
>> > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
>> >
>> > This is not a valid commit id in Linus's tree
>> >
>> > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
>> >
>> > And this too is not a valid commit in Linus's tree.
>>
>> Sorry for the confusion. The correct commit ids are as follows,
>>
>> 0738eceb6201 ("kexec: drop weak attribute from functions")

Sorry, the first one should be 65d9a9a60fd7 ("kexec_file: drop weak
attribute from functions").

>> 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
>> c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
>
>What order do they need to be applied in?

They should be applied from top-down, i.e.

1. 65d9a9a60fd7 ("kexec_file: drop weak attribute from functions")
2. 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
3. c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")

But I notice stable/linux-5.19.y has already the first two prerequisites
backported. So only the 3rd prerequisite is needed.

>
>thanks,
>
>greg k-h
>

-- 
Best regards,
Coiby

Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

[Greg KH]

On Wed, Aug 17, 2022 at 02:11:15PM +0200, Michal Suchánek wrote:
> On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
> > On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
> > > On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> > > > On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> > > > > Hi Greg,
> > > > > 
> > > > > Good to see you here:)
> > > > > 
> > > > > On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > > > >
> > > > > > The patch below does not apply to the 5.19-stable tree.
> > > > > > If someone wants it applied there, or to any other stable or longterm
> > > > > > tree, then please email the backport, including the original git commit
> > > > > > id to <stable@vger.kernel.org>.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > > >
> > > > > > ------------------ original commit in Linus's tree ------------------
> > > > > >
> > > > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > > > > > From: Coiby Xu <coxu@redhat.com>
> > > > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > > > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > > > > > image signature
> > > > > >
> > > > > > Currently, when loading a kernel image via the kexec_file_load() system
> > > > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > > > > > a signature whereas x86 can use three more keyrings i.e.
> > > > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > > > > > one resulting problem is kexec'ing a kernel image  would be rejected
> > > > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > > > > > see man kernel_lockdown.7".
> > > > > >
> > > > > > This patch set enables arm64 to make use of the same keyrings as x86 to
> > > > > > verify the signature kexec'ed kernel image.
> > > > > >
> > > > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > > > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
> > > > 
> > > > This is not a valid commit id in Linus's tree.
> > > > 
> > > > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
> > > > 
> > > > This is not a valid commit id in Linus's tree
> > > > 
> > > > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
> > > > 
> > > > And this too is not a valid commit in Linus's tree.
> > > 
> > > Sorry for the confusion. The correct commit ids are as follows,
> > > 
> > > 0738eceb6201 ("kexec: drop weak attribute from functions")
> > > 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
> > > c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
> > 
> > What order do they need to be applied in?
> 
> This is the whole series as seen in Linus tree from oldest to newest:
> 
> 65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions
> 0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions
> 689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig
> c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic
> 0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature
> 
> (with the exception of the s390 patch which stands on its own)

Ok, I think I now have all of this straightened out.  If not, please let
me know.

greg k-h