On 3/11/22 11:42, Jarkko Sakkinen wrote:
> On Fri, 2022-03-11 at 10:11 +0530, Nageswara Sastry wrote:
>> On 11/03/22 3:14 am, Nayna Jain wrote:
>>> Some firmware support secure boot by embedding static keys to verify the
>>> Linux kernel during boot. However, these firmware do not expose an
>>> interface for the kernel to load firmware keys onto the ".platform"
>>> keyring, preventing the kernel from verifying the kexec kernel image
>>> signature.
>>>
>>> This patchset exports load_certificate_list() and defines a new function
>>> load_builtin_platform_cert() to load compiled in certificates onto the
>>> ".platform" keyring.
>>>
>>> Changelog:
>>> v11:
>>> * Added a new patch to conditionally build extract-cert if
>>> PLATFORM_KEYRING is enabled.
>>
>> Tested the following four patches with and without setting
>> CONFIG_INTEGRITY_PLATFORM_KEYS
>>
>> Tested-by: Nageswara R Sastry <rnsastry@xxxxxxxxxxxxx>
>
> OK, I added it:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

Thanks Jarkko. Masahiro Yamada would prefer to revert the original
commit 340a02535ee785c64c62a9c45706597a0139e972, i.e. move extract-cert
back to the scripts/ directory.

I am just posting v12, which includes Masahiro's feedback. Nageswara has
already tested the v12 version as well.

I am fine either way: 1.) adding v11 and then separately handling the
reverting of the commit, or 2.) adding the v12 version, which includes the
revert. I leave the decision to you as to which one to upstream.

Thanks & Regards,
- Nayna