On Wed, 2022-07-06 at 12:48 +0100, Will Deacon wrote: > On Wed, Jul 06, 2022 at 07:35:36AM -0400, Mimi Zohar wrote: > > On Mon, 2022-07-04 at 09:51 +0800, Coiby Xu wrote: > > > Currently when loading a kernel image via the kexec_file_load() system > > > call, x86 can make use of three keyrings i.e. the .builtin_trusted_keys, > > > .secondary_trusted_keys and .platform keyrings to verify a signature. > > > However, arm64 and s390 can only use the .builtin_trusted_keys and > > > .platform keyring respectively. For example, one resulting problem is > > > kexec'ing a kernel image would be rejected with the error "Lockdown: > > > kexec: kexec of unsigned images is restricted; see man > > > kernel_lockdown.7". > > > > > > This patch set enables arm64 and s390 to make use of the same keyrings > > > as x86 to verify the signature kexec'ed kernel image. > > [...] > > > > For arm64, the tests were done as follows, > > > 1. build 5.19.0-rc2 > > > 2. generate keys and add them to .secondary_trusted_keys, MOK, UEFI > > > db; > > > 3. sign different kernel images with different keys including keys > > > from .builtin_trusted_key, .secondary_trusted_keys keyring, a UEFI db > > > key and MOK key > > > 4. Without lockdown, all kernel images can be kexec'ed; with lockdown > > > enabled, only the kernel image signed by the key from the > > > .builtin_trusted_key keyring can be kexec'ed > > > > Just confirming, for arm64, this patch set allows verifying the > > kexec'ed kernel image signature using keys on either the .platform or > > .secondary_trusted_keys keyrings. > > It looks like this series is ready to go, but it's not clear who should > pick it up. Eric -- would you be the best person? Otherwise, I'm happy to > take it via the arm64 tree (on its own branch) if that would be helpful. Unless Eric is interested, I was asked to pick this patch set up. thanks, Mimi
