Re: [RFC PATCH v2 2/2] kexec, KEYS: Make use of platform keyring for signature verify

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Jan 15, 2019 at 11:47 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
>
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 7d97e432cbbc..a06b04065bb1 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -534,9 +534,18 @@ static int bzImage64_cleanup(void *loader_data)
> >  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> >  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> >  {
> > -     return verify_pefile_signature(kernel, kernel_len,
> > -                                    VERIFY_USE_SECONDARY_KEYRING,
> > -                                    VERIFYING_KEXEC_PE_SIGNATURE);
> > +     int ret;
> > +     ret = verify_pefile_signature(kernel, kernel_len,
> > +                     VERIFY_USE_SECONDARY_KEYRING,
> > +                     VERIFYING_KEXEC_PE_SIGNATURE);
> > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>
> Consider using IS_ENABLED() or IS_BUILTIN().
>
> Mimi

Thanks for the suggestion, will update the patch later if there are no
other comments.

>
> > +     if (ret == -ENOKEY) {
> > +             ret = verify_pefile_signature(kernel, kernel_len,
> > +                             VERIFY_USE_PLATFORM_KEYRING,
> > +                             VERIFYING_KEXEC_PE_SIGNATURE);
> > +     }
> > +#endif
> > +     return ret;
> >  }
> >  #endif
>



--
Best Regards,
Kairui Song

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec
[Index of Archives]     [LM Sensors]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Gimp]     [Yosemite News]     [Linux Media]
  Powered by Linux