Currently, a problem faced by arm64 is that if a kernel image is signed by a MOK key, loading it via the kexec_file_load() system call would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7". This happens because arm64 uses only the primary keyring, which contains only kernel built-in keys, to verify the kexec image. Similarly, s390 only uses the platform keyring for kernel image signature verification, and the built-in keys and secondary keyring are not used.

This patch set allows arm64 and s390 to use more system keyrings to verify the kexec kernel image signature, as x86 does.

v6:
 - integrate the first three patches of "[PATCH 0/4] Unifrom keyring
   support across architectures and functions" from Michal [1]
 - improve commit message [Baoquan, Michal]
 - directly assign kexec_kernel_verify_pe_sig to
   kexec_file_ops->verify_sig [Michal]

v5:
 - improve commit message [Baoquan]

v4:
 - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]

v3:
 - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
 - clean up arch_kexec_kernel_verify_sig [Eric]

v2:
 - only x86_64 and arm64 need to enable PE file signature check [Dave]

[1] https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek@xxxxxxx/

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

Michal Suchanek (1):
  kexec, KEYS, s390: Make use of built-in and secondary keyring for
    signature verification

 arch/arm64/kernel/kexec_image.c       | 11 +-----
 arch/s390/kernel/machine_kexec_file.c | 18 +++++++---
 arch/x86/kernel/kexec-bzimage64.c     | 20 +----------
 include/linux/kexec.h                 |  7 ++--
 kernel/kexec_file.c                   | 51 ++++++++++++++++-----------
 5 files changed, 50 insertions(+), 57 deletions(-)

-- 
2.34.1