This is a note to let you know that I've just added the patch titled

    Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

to the 4.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch
and it can be found in the queue-4.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

>From ea93102f32244e3f45c8b26260be77ed0cc1d16c Mon Sep 17 00:00:00 2001
From: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
Date: Thu, 16 Aug 2018 14:05:23 +0100
Subject: Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

From: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>

commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream.

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Cc: kexec@xxxxxxxxxxxxxxxxxxx
Cc: keyrings@xxxxxxxxxxxxxxx
Cc: linux-security-module@xxxxxxxxxxxxxxx
Cc: stable@xxxxxxxxxx
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

--- arch/x86/kernel/kexec-bzimage64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loade static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) { return verify_pefile_signature(kernel, kernel_len, - NULL, + VERIFY_USE_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE); } #endif

Patches currently in stable-queue which might be from yannik@xxxxxxxxxxxxx are

queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch
queue-4.18/fix-kexec-forbidding-kernels-signed-with-keys-in-the-secondary-keyring-to-boot.patch
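
Review bot: The third argument of the verify_pefile_signature() call in bzImage64_verify_sig() changes from NULL to VERIFY_USE_SECONDARY_KEYRING with no comment at the call site saying that kexec signature verification now also accepts keys in .secondary_trusted_keys, a keyring that the Fixes: commit title describes as one that can be added to dynamically. A one-line comment above the call stating that this wider trust set is intended for kexec would help anyone auditing the kexec trust chain later. For the stable backport, VERIFY_USE_SECONDARY_KEYRING is not defined anywhere in this hunk; judging by its title, queue-4.18/replace-magic-for-trusting-the-secondary-keyring-with-define.patch is what supplies it, so that patch needs to sit before this one in the queue-4.18 series, otherwise kexec-bzimage64.c will not compile.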