On Wed, Jul 06, 2022 at 07:35:36AM -0400, Mimi Zohar wrote: > On Mon, 2022-07-04 at 09:51 +0800, Coiby Xu wrote: > > Currently when loading a kernel image via the kexec_file_load() system > > call, x86 can make use of three keyrings i.e. the .builtin_trusted_keys, > > .secondary_trusted_keys and .platform keyrings to verify a signature. > > However, arm64 and s390 can only use the .builtin_trusted_keys and > > .platform keyring respectively. For example, one resulting problem is > > kexec'ing a kernel image would be rejected with the error "Lockdown: > > kexec: kexec of unsigned images is restricted; see man > > kernel_lockdown.7". > > > > This patch set enables arm64 and s390 to make use of the same keyrings > > as x86 to verify the signature kexec'ed kernel image. [...] > > For arm64, the tests were done as follows, > > 1. build 5.19.0-rc2 > > 2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI > > db; > > 3. sign different kernel images with different keys including keys > > from .builtin_trusted_key, .secondary_trusted_keys keyring, a UEFI db > > key and MOK key > > 4. Without lockdown, all kernel images can be kexec'ed; with lockdown > > enabled, only the kernel image signed by the key from the > > .builtin_trusted_key keyring can be kexec'ed > > Just confirming, for arm64, this patch set allows verifying the > kexec'ed kernel image signature using keys on either the .platform or > .secondary_trusted_keys keyrings. It looks like this series is ready to go, but it's not clear who should pick it up. Eric -- would you be the best person? Otherwise, I'm happy to take it via the arm64 tree (on its own branch) if that would be helpful. Thanks, Will
