On Tue, Jun 12, 2018 at 5:03 AM, Dave Young <dyoung@xxxxxxxxxx> wrote: > Fedora bug > https://bugzilla.redhat.com/show_bug.cgi?id=1470995 > > With Fedora kernels on Secure Boot enabled machine kexec_file_load > fails because kernel can not use any keys other than kernel builtin > keyring. verify_pefile_signature() requires caller to pass 1UL as > the keyring pointer to use other keyring. > > Posted a fix in upstream, but no response for long time. Thus going > with a Fedora fix same as what the module code does. > > Latest upstream effort: > https://www.spinics.net/lists/kernel/msg2825184.html > > Signed-off-by: Dave Young <dyoung@xxxxxxxxxx> > I would really like to hear David Howell's opinion on this before we consider carrying it. I have CCed him. Thanks, Justin > --- > kernel.spec | 3 ++ > kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ > 2 files changed, 35 insertions(+) > create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch > > diff --git a/kernel.spec b/kernel.spec > index d5e16d7f..7a20da1e 100644 > --- a/kernel.spec > +++ b/kernel.spec > @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch > # rhbz 1431375 > Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch > > +# rhbz 1470995 > +Patch503: kexec-bzimage-verify-pe-signature-fix.patch > + > # END OF PATCH DEFINITIONS > > %endif > diff --git a/kexec-bzimage-verify-pe-signature-fix.patch > b/kexec-bzimage-verify-pe-signature-fix.patch > new file mode 100644 > index 00000000..866b74b9 > --- /dev/null > +++ b/kexec-bzimage-verify-pe-signature-fix.patch 
> @@ -0,0 +1,32 @@ > +From: Dave Young <dyoung@xxxxxxxxxx> > + > +Fix kexec_file_load pefile signature verification > + > +Similar with Fix-for-module-sig-verification.patch, kexec_file syscall > also > +need pass 1UL to verify_pefile_signature so that secondary keys can be > used. > + > +Fedora bug > +https://bugzilla.redhat.com/show_bug.cgi?id=1470995 > + > +Latest upstream effort is below: > +https://www.spinics.net/lists/kernel/msg2825184.html > + > +Ideally this need an upstream fix, but since nobody response we can > workaround > +it like the module code did. > + > +Signed-off-by: Dave Young <dyoung@xxxxxxxxxx> > +--- > + arch/x86/kernel/kexec-bzimage64.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c > ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c > +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade > + static int bzImage64_verify_sig(const char *kernel, unsigned long > kernel_len) > + { > + return verify_pefile_signature(kernel, kernel_len, > +- NULL, > ++ (void *)1UL, > + VERIFYING_KEXEC_PE_SIGNATURE); > + } > + #endif > -- > 2.17.0 > _______________________________________________ > kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/kernel@ > lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/
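Review bot: The Patch503 entry added to kernel.spec is annotated only with "# rhbz 1470995", which does not tell a later maintainer that this is a Fedora-only workaround. The description calls it a workaround pending an upstream fix, so the spec comment should say so and carry the upstream thread URL from the description, making it clear when the patch can be dropped.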
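Review bot: In bzImage64_verify_sig(), the replacement argument "(void *)1UL" is a sentinel value, not a real keyring pointer, and nothing at the call site in kexec-bzimage64.c says so. Add a one-line comment there stating that it lets verify_pefile_signature() use keys other than the kernel builtin keyring, as the description explains. Because this widens the set of keys trusted to sign a kexec'd kernel image on Secure Boot machines, the description should also state which keys become acceptable and confirm that the value is handled correctly when no secondary keyring is configured, since the hunk passes it unconditionally.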