On Mon, Sep 27, 2021 at 08:50:04AM +0800, Coiby Xu wrote: > From: Coiby Xu <coxu@xxxxxxxxxx> > > This allows to verify arm64 kernel image signature using not only > .builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring. > > Signed-off-by: Coiby Xu <coiby.xu@xxxxxxxxx> > --- > arch/arm64/kernel/kexec_image.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c > index 9ec34690e255..2357ee2f229a 100644 > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -14,7 +14,6 @@ > #include <linux/kexec.h> > #include <linux/pe.h> > #include <linux/string.h> > -#include <linux/verification.h> > #include <asm/byteorder.h> > #include <asm/cpufeature.h> > #include <asm/image.h> > @@ -133,8 +132,7 @@ static void *image_load(struct kimage *image, > #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG > static int image_verify_sig(const char *kernel, unsigned long kernel_len) > { > - return verify_pefile_signature(kernel, kernel_len, NULL, > - VERIFYING_KEXEC_PE_SIGNATURE); > + return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len); I'm fine with this in principle, but it looks like the first patch is the important one. So for the arm64 bit: Acked-by: Will Deacon <will@xxxxxxxxxx> Will _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec