[PATCH v8 3/4] arm64: kexec_file: use more system keyrings to verify kernel image signature
Mimi Zohar
zohar at linux.ibm.com
Thu Jun 9 16:15:27 PDT 2022
On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".
>
> This happens because image_verify_sig uses only the primary keyring that
> contains only kernel built-in keys to verify the kexec image.
>From the git history it's clear that .platform keyring was upstreamed
during the same open window as commit 732b7b93d849 ("arm64: kexec_file:
add kernel signature verification support"). Loading the MOK keys
onto the .platform keyring was upstreamed much later. For this reason,
commit 732b7b93d849 only used keys on the .builtin_trusted_keys
keyring. This patch is now addressing it and the newly upstreamed
.machine keyring.
Only using the .builtin_trusted_keys is the problem statement, which
should be one of the first lines of the patch description, if not the
first line.
>
> This patch allows to verify arm64 kernel image signature using not only
> .builtin_trusted_keys but also .platform and .secondary_trusted_keys
> keyring.
Please remember to update this to include the .machine keyring.
>
> Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
Since the MOK keys weren't loaded onto the .platform keyring until much
later, I would not classify this as a fix.
thanks,
Mimi
More information about the kexec
mailing list