From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Michal Such??nek <msuchanek@suse.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Alexander Egorenkov <egorenar@linux.ibm.com>,
keyrings@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Will Deacon <will@kernel.org>, Sasha Levin <sashal@kernel.org>,
"open list:S390" <linux-s390@vger.kernel.org>,
Coiby Xu <coxu@redhat.com>, Baoquan He <bhe@redhat.com>,
"maintainer:X86 ARCHITECTURE \(32-BIT AND 64-BIT\)"
<x86@kernel.org>, Christian Borntraeger <borntraeger@de.ibm.com>,
Ingo Molnar <mingo@redhat.com>,
"Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>,
Eric Biederman <ebiederm@xmission.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Heiko Carstens <hca@linux.ibm.com>,
Borislav Petkov <bp@alien8.de>, Mimi Zohar <zohar@linux.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"moderated list:ARM64 PORT \(AARCH64 ARCHITECTURE\)"
<linux-arm-kernel@lists.infradead.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org >,
"open list:KEXEC" <kexec@lists.infradead.org>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
linux-security-module@vger.kernel.org,
James Morse <james.morse@arm.com>,
Sven Schnelle <svens@linux.ibm.com>,
Philipp Rudo <prudo@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
"open list:LINUX FOR POWERPC \(32-BIT AND 64-BIT\)"
<linuxppc-dev@lists.ozlabs.org>
Subject: Re: [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies
Date: Tue, 27 Sep 2022 11:39:52 +0900 [thread overview]
Message-ID: <20220927023952.GB34139@laputa> (raw)
In-Reply-To: <20220926074024.GD28810@kitsune.suse.cz>
On Mon, Sep 26, 2022 at 09:40:25AM +0200, Michal Such??nek wrote:
> On Mon, Sep 26, 2022 at 08:47:32AM +0200, Greg Kroah-Hartman wrote:
> > On Sat, Sep 24, 2022 at 01:55:23PM +0200, Michal Suchánek wrote:
> > > On Sat, Sep 24, 2022 at 12:13:34PM +0200, Greg Kroah-Hartman wrote:
> > > > On Sat, Sep 24, 2022 at 11:45:21AM +0200, Michal Suchánek wrote:
> > > > > On Sat, Sep 24, 2022 at 11:19:19AM +0200, Greg Kroah-Hartman wrote:
> > > > > > On Fri, Sep 23, 2022 at 07:10:28PM +0200, Michal Suchanek wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > this is backport of commit 0d519cadf751
> > > > > > > ("arm64: kexec_file: use more system keyrings to verify kernel image signature")
> > > > > > > to table 5.15 tree including the preparatory patches.
> > > > > >
> > > > > > This feels to me like a new feature for arm64, one that has never worked
> > > > > > before and you are just making it feature-parity with x86, right?
> > > > > >
> > > > > > Or is this a regression fix somewhere? Why is this needed in 5.15.y and
> > > > > > why can't people who need this new feature just use a newer kernel
> > > > > > version (5.19?)
> > > > >
> > > > > It's half-broken implementation of the kexec kernel verification. At the time
> > > > > it was implemented for arm64 we had the platform and secondary keyrings
> > > > > and x86 was using them but on arm64 the initial implementation ignores
> > > > > them.
> > > >
> > > > Ok, so it's something that never worked. Adding support to get it to
> > > > work doesn't really fall into the stable kernel rules, right?
> > >
> > > Not sure. It was defective, not using the facilities available at the
> > > time correctly. Which translates to kernels that can be kexec'd on x86
> > > failing to kexec on arm64 without any explanation (signed with same key,
> > > built for the appropriate arch).
> >
> > Feature parity across architectures is not a "regression", but rather a
> > "this feature is not implemented for this architecture yet" type of
> > thing.
>
> That depends on the view - before kexec verification you could boot any
> kernel, now you can boot some kernels signed with a valid key, but not
> others - the initial implementation is buggy, probably because it
> is based on an old version of the x86 code.
Buggy?
The feature of supporting platform ring had been slipped in just before
I submitted the latest patch series which was eventually merged.
(I should have noticed it though.)
Looking at changes in the commit 278311e417be ("kexec, KEYS: Make use of platform
keyring for signature verify"), it seems to be obvious that it is a new feature
because it introduced a new Kconfig option, CONFIG_INTEGRITY_PLATFORM_KEYRING,
which allows for enabling/disabling platform ring support.
-Takahiro Akashi
> >
> > > > Again, what's wrong with 5.19 for anyone who wants this? Who does want
> > > > this?
> > >
> > > Not sure, really.
> > >
> > > The final patch was repeatedly backported to stable and failed to build
> > > because the prerequisites were missing.
> >
> > That's because it was tagged, but now that you show the full set of
> > requirements, it's pretty obvious to me that this is not relevant for
> > going this far back.
>
> That also works.
>
> Thanks
>
> Michal
next prev parent reply other threads:[~2022-09-27 2:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-23 17:10 [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies Michal Suchanek
2022-09-23 17:10 ` [PATCH 5.15 2/6] kexec_file: drop weak attribute from functions Michal Suchanek
2022-09-23 17:10 ` [PATCH 5.15 3/6] kexec: " Michal Suchanek
2022-09-23 19:03 ` [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies Mimi Zohar
2022-09-23 19:16 ` Michal Suchánek
2022-09-24 14:44 ` Michal Suchánek
2022-09-24 9:19 ` Greg Kroah-Hartman
2022-09-24 9:45 ` Michal Suchánek
2022-09-24 10:13 ` Greg Kroah-Hartman
2022-09-24 11:55 ` Michal Suchánek
2022-09-26 6:47 ` Greg Kroah-Hartman
2022-09-26 7:40 ` Michal Suchánek
2022-09-27 2:39 ` AKASHI Takahiro [this message]
2022-09-27 7:49 ` Michal Suchánek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220927023952.GB34139@laputa \
--to=takahiro.akashi@linaro.org \
--cc=agordeev@linux.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=bhe@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=coxu@redhat.com \
--cc=dave.hansen@linux.intel.com \
--cc=ebiederm@xmission.com \
--cc=egorenar@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=hca@linux.ibm.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mingo@redhat.com \
--cc=msuchanek@suse.de \
--cc=naveen.n.rao@linux.vnet.ibm.com \
--cc=paulus@samba.org \
--cc=prudo@redhat.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).