On Tue, Feb 15, 2022 at 08:39:39PM +0100, Michal Suchanek wrote: > commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") > adds platform keyring support on x86 kexec but not arm64. > > Add platform keyring support on arm64 as well. > > Fixes: 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") > Cc: kexec@xxxxxxxxxxxxxxxxxxx > Cc: keyrings@xxxxxxxxxxxxxxx > Cc: linux-security-module@xxxxxxxxxxxxxxx > Cc: stable@xxxxxxxxxx > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx> Reviewed-by: "Lee, Chun-Yi" <jlee@xxxxxxxx> > --- > arch/arm64/kernel/kexec_image.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c > index 1fbf2ee7c005..3dee7b2d8336 100644 > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -133,9 +133,17 @@ static void *image_load(struct kimage *image, > #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG > static int image_verify_sig(const char *kernel, unsigned long kernel_len) > { > - return verify_pefile_signature(kernel, kernel_len, > - VERIFY_USE_SECONDARY_KEYRING, > - VERIFYING_KEXEC_PE_SIGNATURE); > + int ret; > + > + ret = verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_SECONDARY_KEYRING, > + VERIFYING_KEXEC_PE_SIGNATURE); > + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { > + ret = verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_PLATFORM_KEYRING, > + VERIFYING_KEXEC_PE_SIGNATURE); > + } > + return ret; > } > #endif > > -- > 2.31.1 _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec