[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature

Coiby Xu coxu at redhat.com
Sun Apr 10 18:52:18 PDT 2022


On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
>On 04/08/22 at 10:59am, Michal Suchánek wrote:
>> On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
>> > Hi Coiby,
>> >
>> > On 04/01/22 at 09:31am, Coiby Xu wrote:
>> > > Currently, a problem faced by arm64 is if a kernel image is signed by a
>> > > MOK key, loading it via the kexec_file_load() system call would be
>> > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
>> > > restricted; see man kernel_lockdown.7".
>> > >
>> > > This patch set allows arm64 to use more system keyrings to verify kdump
>> > > kernel image signature by making the existing code in x64 public.
>> >
>> > Thanks for updating. It would be great to tell why the problem is
>> > met, then allow arm64 to use more system keyrings can solve it.
>>
>> The reason is that MOK keys are (if anywhere) linked to the secondary
                                                                ^^^^^^^^^
                                                                platform?
>> keyring, and only primary keyring is used on arm64.

Thanks Michal for providing the info! Btw, I think you made a typo
because MOK keys are linked to the platform keyring, right?

>
>Thanks for explaining. This is valuable information and should
>be put into log for better understanding when reviewing or
>reading code later.

Thanks for the reminder! I'll include this info in the commit message.

>

-- 
Best regards,
Coiby




More information about the linux-arm-kernel mailing list