[PATCH v6 0/4] use more system keyrings to verify arm64 and s390 kexec kernel image signature
Coiby Xu
coxu at redhat.com
Wed Apr 13 18:43:40 PDT 2022
Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7". This happens because arm64 uses
only the primary keyring that contains only kernel built-in keys to
verify the kexec image.

Similarly, s390 only uses platform keyring for kernel image signature
verification and built-in keys and secondary keyring are not used.

This patch set allows arm64 and s390 to use more system keyrings to
verify kexec kernel image signature as x86 does.

v6:
 - integrate the first three patches of "[PATCH 0/4] Unifrom keyring
   support across architectures and functions" from Michal [1]
 - improve commit message [Baoquan, Michal]
 - directly assign kexec_kernel_verify_pe_sig to
   kexec_file_ops->verify_sig [Michal]

v5:
 - improve commit message [Baoquan]

v4:
 - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]

v3:
 - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
 - clean up arch_kexec_kernel_verify_sig [Eric]

v2:
 - only x86_64 and arm64 need to enable PE file signature check [Dave]

[1] https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek@suse.de/

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

Michal Suchanek (1):
  kexec, KEYS, s390: Make use of built-in and secondary keyring for
    signature verification

 arch/arm64/kernel/kexec_image.c       | 11 +-----
 arch/s390/kernel/machine_kexec_file.c | 18 +++++++---
 arch/x86/kernel/kexec-bzimage64.c     | 20 +----------
 include/linux/kexec.h                 |  7 ++--
 kernel/kexec_file.c                   | 51 ++++++++++++++++-----------
 5 files changed, 50 insertions(+), 57 deletions(-)

--
2.34.1