[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

Coiby Xu coxu at redhat.com
Wed Apr 13 02:32:36 PDT 2022 

On Mon, Apr 11, 2022 at 10:43:06AM +0200, Michal Suchánek wrote:
>On Mon, Apr 11, 2022 at 09:52:18AM +0800, Coiby Xu wrote:
>> On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
>> > On 04/08/22 at 10:59am, Michal Suchánek wrote:
>> > > On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
>> > > > Hi Coiby,
>> > > >
>> > > > On 04/01/22 at 09:31am, Coiby Xu wrote:
>> > > > > Currently, a problem faced by arm64 is if a kernel image is signed by a
>> > > > > MOK key, loading it via the kexec_file_load() system call would be
>> > > > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> > > > > restricted; see man kernel_lockdown.7".
>> > > > >
>> > > > > This patch set allows arm64 to use more system keyrings to verify kdump
>> > > > > kernel image signature by making the existing code in x64 public.
>> > > >
>> > > > Thanks for updating. It would be great to tell why the problem is
>> > > > met, then allow arm64 to use more system keyrings can solve it.
>> > >
>> > > The reason is that MOK keys are (if anywhere) linked to the secondary
>>                                                                ^^^^^^^^^
>>                                                                platform?
>> > > keyring, and only primary keyring is used on arm64.
>>
>> Thanks Michal for providing the info! Btw, I think you made a typo
>> because MOK keys are linked to the platform keyring, right?
>
>No, I mean secondary, through this patchset:
>https://lore.kernel.org/lkml/YhKP12KEmyqyS8rj@iki.fi/

Thanks for the info! This provides another approach to verify kernel
image's signature via the secondary keyring once the end-use chooses to
trust MOK keys by setting MokListTrustedRT.

>
>Apparently support for importing the MOK keys into the platform keyring
>also exists but I am not sure if this is upstream or downstream feature.

This is actually an upstream feature,

commit 15ea0e1e3e185040bed6119f815096f2e4326242
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Thu Dec 13 01:37:56 2018 +0530

     efi: Import certificates from UEFI Secure Boot
     
     Secure Boot stores a list of allowed certificates in the 'db' variable.
     This patch imports those certificates into the platform keyring. The shim
     UEFI bootloader has a similar certificate list stored in the 'MokListRT'
     variable. We import those as well.
     
     Secure Boot also maintains a list of disallowed certificates in the 'dbx'
     variable. We load those certificates into the system blacklist keyring
     and forbid any kernel signed with those from loading.
     
     [zohar at linux.ibm.com: dropped Josh's original patch description]
     Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
     Signed-off-by: David Howells <dhowells at redhat.com>
     Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
     Acked-by: Serge Hallyn <serge at hallyn.com>
     Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>

>
>At any rate the MOK keys are not included in the primary keyring which
>is the only keyring currently in use for kexec on arm64.

Good summary, thanks!

>
>Thanks
>
>Michal
>

-- 
Best regards,
Coiby

More information about the linux-arm-kernel mailing list