On 01/17/19 at 08:08pm, Mimi Zohar wrote: > On Wed, 2019-01-16 at 18:16 +0800, Kairui Song wrote: > > This patch series adds a .platform_trusted_keys in system_keyring as the > > reference to .platform keyring in integrity subsystem, when platform > > keyring is being initialized it will be updated. So other component could > > use this keyring as well. > > Remove "other component could use ...". > > > > This patch series also let kexec_file_load use platform keyring as fall > > back if it failed to verify the image against secondary keyring, make it > > possible to load kernel signed by third part key if third party key is > > imported in the firmware. > > This is the only reason for these patches. Please remove "also". > > > > > After this patch kexec_file_load will be able to verify a signed PE > > bzImage using keys in platform keyring. > > > > Tested in a VM with locally signed kernel with pesign and imported the > > cert to EFI's MokList variable. > > It's taken so long for me to review/test this patch set due to a > regression in sanity_check_segment_list(), introduced somewhere > between 4.20 and 5.0.0-rc1. The sgement overlap test - "if ((mend > > pstart) && (mstart < pend))" - fails, returning a -EINVAL. > > Is anyone else seeing this? Mimi, should be this issue? I have sent a fix for that. https://lore.kernel.org/lkml/20181228011247.GA9999@xxxxxxxxxxxxxxxxxxxxxxxxxx/ Thanks Dave