[PATCH v9 0/4] unify the keyrings of arm64 and s390 with x86 to verify kexec'ed kernel signature
Will Deacon
will at kernel.org
Wed Jul 6 04:48:07 PDT 2022
On Wed, Jul 06, 2022 at 07:35:36AM -0400, Mimi Zohar wrote:
> On Mon, 2022-07-04 at 09:51 +0800, Coiby Xu wrote:
> > Currently when loading a kernel image via the kexec_file_load() system
> > call, x86 can make use of three keyrings i.e. the .builtin_trusted_keys,
> > .secondary_trusted_keys and .platform keyrings to verify a signature.
> > However, arm64 and s390 can only use the .builtin_trusted_keys and
> > .platform keyring respectively. For example, one resulting problem is
> > kexec'ing a kernel image would be rejected with the error "Lockdown:
> > kexec: kexec of unsigned images is restricted; see man
> > kernel_lockdown.7".
> >
> > This patch set enables arm64 and s390 to make use of the same keyrings
> > as x86 to verify the signature kexec'ed kernel image.
[...]
> > For arm64, the tests were done as follows,
> > 1. build 5.19.0-rc2
> > 2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI
> > db;
> > 3. sign different kernel images with different keys including keys
> > from .builtin_trusted_key, .secondary_trusted_keys keyring, a UEFI db
> > key and MOK key
> > 4. Without lockdown, all kernel images can be kexec'ed; with lockdown
> > enabled, only the kernel image signed by the key from the
> > .builtin_trusted_key keyring can be kexec'ed
>
> Just confirming, for arm64, this patch set allows verifying the
> kexec'ed kernel image signature using keys on either the .platform or
> .secondary_trusted_keys keyrings.
It looks like this series is ready to go, but it's not clear who should
pick it up. Eric -- would you be the best person? Otherwise, I'm happy to
take it via the arm64 tree (on its own branch) if that would be helpful.
Thanks,
Will
More information about the kexec
mailing list