Re: [PATCH] fix kexec_file_load failure in case Secure Boot enabled

On 06/14/18 at 02:18pm, Dave Young wrote:
> On 06/13/18 at 09:38am, Justin Forbes wrote:
> > On Tue, Jun 12, 2018 at 5:03 AM, Dave Young <dyoung@xxxxxxxxxx> wrote:
> > 
> > > Fedora bug
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1470995
> > >
> > > With Fedora kernels on a Secure Boot enabled machine, kexec_file_load
> > > fails because the kernel cannot use any keys other than the kernel
> > > builtin keyring.  verify_pefile_signature() requires the caller to
> > > pass 1UL as the keyring pointer to use another keyring.
> > >
> > > Posted a fix upstream, but no response for a long time.  Thus going
> > > with a Fedora fix, the same as what the module code does.
> > >
> > > Latest upstream effort:
> > > https://www.spinics.net/lists/kernel/msg2825184.html
> > >
> > > Signed-off-by: Dave Young <dyoung@xxxxxxxxxx>
> > >
> > 
> > I would really like to hear David Howells' opinion on this before we
> > consider carrying it.  I have CCed him.
> 
> Justin, thanks for adding the cc.  I'm also waiting for his review
> upstream, but forgot to add him for the Fedora patch.
> 
> Since our module code already takes this workaround, for kexec it is
> pretty safe.  I tested this patch with a scratch build, pesigned the
> kernel with a temp key, and imported it in mokutil.  The build works
> well for me.
> 
> If the 1UL passing is wrong then we should drop the module patch as
> well as this one and take some reasonable fix.

But it seems nobody cares about this upstream, so I'm not sure when
it can be fixed.  We can take this workaround in Fedora for the time
being.

> 
> > 
> > Thanks,
> > Justin
> > 
> > 
> > > ---
> > >  kernel.spec                                 |  3 ++
> > >  kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++
> > >  2 files changed, 35 insertions(+)
> > >  create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
> > >
> > > diff --git a/kernel.spec b/kernel.spec
> > > index d5e16d7f..7a20da1e 100644
> > > --- a/kernel.spec
> > > +++ b/kernel.spec
> > > @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch
> > >  # rhbz 1431375
> > >  Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
> > >
> > > +# rhbz 1470995
> > > +Patch503: kexec-bzimage-verify-pe-signature-fix.patch
> > > +
> > >  # END OF PATCH DEFINITIONS
> > >
> > >  %endif
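Review bot: The comment above Patch503 gives only the bug number, although this is a downstream-only workaround that mirrors Patch501 (Fix-for-module-sig-verification.patch) and is meant to be dropped once upstream has a fix. Suggest extending the comment to say so, for example `# rhbz 1470995 (Fedora workaround, same approach as Patch501; drop when fixed upstream)`, so that both patches are revisited together if passing 1UL turns out to be wrong.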
> > > diff --git a/kexec-bzimage-verify-pe-signature-fix.patch
> > > b/kexec-bzimage-verify-pe-signature-fix.patch
> > > new file mode 100644
> > > index 00000000..866b74b9
> > > --- /dev/null
> > > +++ b/kexec-bzimage-verify-pe-signature-fix.patch
> > > @@ -0,0 +1,32 @@
> > > +From: Dave Young <dyoung@xxxxxxxxxx>
> > > +
> > > +Fix kexec_file_load pefile signature verification
> > > +
> > > +Similar with Fix-for-module-sig-verification.patch, kexec_file syscall
> > > also
> > > +need pass 1UL to verify_pefile_signature so that secondary keys can be
> > > used.
> > > +
> > > +Fedora bug
> > > +https://bugzilla.redhat.com/show_bug.cgi?id=1470995
> > > +
> > > +Latest upstream effort is below:
> > > +https://www.spinics.net/lists/kernel/msg2825184.html
> > > +
> > > +Ideally this need an upstream fix, but since nobody response we can
> > > workaround
> > > +it like the module code did.
> > > +
> > > +Signed-off-by: Dave Young <dyoung@xxxxxxxxxx>
> > > +---
> > > + arch/x86/kernel/kexec-bzimage64.c |    2 +-
> > > + 1 file changed, 1 insertion(+), 1 deletion(-)
> > > +
> > > +--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c
> > > ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c
> > > +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
> > > + static int bzImage64_verify_sig(const char *kernel, unsigned long
> > > kernel_len)
> > > + {
> > > +       return verify_pefile_signature(kernel, kernel_len,
> > > +-                                     NULL,
> > > ++                                     (void *)1UL,
> > > +                                      VERIFYING_KEXEC_PE_SIGNATURE);
> > > + }
> > > + #endif
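Review bot: The `(void *)1UL` argument in bzImage64_verify_sig() is a bare sentinel cast with no comment at the call site; only the patch description says it lets secondary keys be used. Add a short code comment stating that this value selects the additional keyring rather than the builtin-only behaviour of `NULL`, and have the description spell out which keys become acceptable for kexec images on a Secure Boot machine, since the change widens what kexec_file_load will accept. Because the description points to Fix-for-module-sig-verification.patch for the same value, a shared named constant would keep the two call sites in step.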
> > > --
> > > 2.17.0
> > > _______________________________________________
> > > kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedoraproject.org/archives/list/kernel@
> > > lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/
> > >