[PATCH v9 0/4] unify the keyrings of arm64 and s390 with x86 to verify kexec'ed kernel signature

Will Deacon will at kernel.org
Wed Jul 6 04:48:07 PDT 2022


On Wed, Jul 06, 2022 at 07:35:36AM -0400, Mimi Zohar wrote:
> On Mon, 2022-07-04 at 09:51 +0800, Coiby Xu wrote:
> > Currently when loading a kernel image via the kexec_file_load() system
> > call, x86 can make use of three keyrings i.e. the .builtin_trusted_keys,
> > .secondary_trusted_keys and .platform keyrings to verify a signature.
> > However, arm64 and s390 can only use the .builtin_trusted_keys and
> > .platform keyring respectively. For example, one resulting problem is
> > kexec'ing a kernel image would be rejected with the error "Lockdown:
> > kexec: kexec of unsigned images is restricted; see man
> > kernel_lockdown.7".
> > 
> > This patch set enables arm64 and s390 to make use of the same keyrings
> > as x86 to verify the signature of the kexec'ed kernel image.

[...]

> > For arm64, the tests were done as follows,
> >   1. build 5.19.0-rc2
> >   2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI
> >      db;
> >   3. sign different kernel images with different keys including keys
> >      from .builtin_trusted_keys, .secondary_trusted_keys keyring, a UEFI db
> >      key and MOK key
> >   4. Without lockdown, all kernel images can be kexec'ed; with lockdown
> >      enabled, only the kernel image signed by the key from the
> >      .builtin_trusted_keys keyring can be kexec'ed
> 
> Just confirming, for arm64, this patch set allows verifying the
> kexec'ed kernel image signature using keys on either the .platform or
> .secondary_trusted_keys keyrings.

It looks like this series is ready to go, but it's not clear who should
pick it up. Eric -- would you be the best person? Otherwise, I'm happy to
take it via the arm64 tree (on its own branch) if that would be helpful.

Thanks,

Will
