[PATCH -next] arm64: enable ARCH_SUPPORTS_KEXEC_SIG_FORCE for arm64
Will Deacon
will at kernel.org
Tue Aug 27 05:43:38 PDT 2024
On Sat, Aug 24, 2024 at 07:12:34PM +0800, Li Zetao wrote:
> When the CONFIG_KEXEC_SIG is enabled, an illegal image is loaded through
> kexec, and the illegal image is successfully loaded. The test example is
> as follows:
>
> # cat /sys/kernel/kexec_loaded
> 0
> # kexec -s -l ./Image.illegal_signature
> # echo $?
> 0
> # dmesg | tail
> PEFILE: Digest mismatch
> # cat /sys/kernel/kexec_loaded
> 1
>
> The root cause of this problem is that CONFIG_KEXEC_SIG_FORCE is not
> enabled. Solve this problem by enabling the ARCH_SUPPORTS_KEXEC_SIG_FORCE
> feature.
I'm not sure this is a problem as such -- it seems to be working as
intended if you look at the Kconfig help text:
// Kconfig.kexec :: KEXEC_SIG
| The image can still be loaded without a valid signature unless you
| also enable KEXEC_SIG_FORCE, though if there's a signature that we
| can check, then it must be valid.
> Signed-off-by: Li Zetao <lizetao1 at huawei.com>
> ---
> arch/arm64/Kconfig | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index a2f8ff354ca6..9952c40a2bd8 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1549,6 +1549,9 @@ config ARCH_SELECTS_KEXEC_FILE
> config ARCH_SUPPORTS_KEXEC_SIG
> def_bool y
>
> +config ARCH_SUPPORTS_KEXEC_SIG_FORCE
> + def_bool y
I think the real question is why on Earth does KEXEC_SIG_FORCE depend on
this arch option? Can't we just remove ARCH_SUPPORTS_KEXEC_SIG_FORCE,
seeing as it doesn't appear to do anything?
Will
More information about the linux-arm-kernel
mailing list