Re: linux-next: Tree for Jul 10 (arch/s390/kernel/machine_kexec_file.c)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 7/11/23 13:49, Eric DeVolder wrote:


On 7/10/23 17:15, Randy Dunlap wrote:


On 7/10/23 14:27, Eric DeVolder wrote:


On 7/10/23 15:23, Eric DeVolder wrote:


On 7/10/23 15:11, Randy Dunlap wrote:


On 7/9/23 18:38, Stephen Rothwell wrote:
Hi all,

Changes since 20230707:


on s390:

../arch/s390/kernel/machine_kexec_file.c: In function 's390_verify_sig':
../arch/s390/kernel/machine_kexec_file.c:69:15: error: implicit declaration of function 'verify_pkcs7_signature' [-Werror=implicit-function-declaration]
     69 |         ret = verify_pkcs7_signature(kernel, kernel_len,
        |               ^~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors


Full randconfig file is attached.


Randy,
Thanks for this. This appears to be randconfig testing against linux-next.
As of right now, linux-next does not contain the v5 that I posted friday.
The v5 posted friday was picked up by Andrew and over the weekend no fails
discovered, and the series currently sits in mm-everything branch. So hopefully
it will appear soon in linux-next!

Let me know if I misunderstand the situation.
Thanks!
eric

Well the root cause is a missing SYSTEM_DATA_VERIFICATION. This was discussed
through MODULE_SIG_FORMAT thread. I don't think v5 changed anything with
respect to this issue, so it will likely reveal itself again.

Since it was agreed to drop MODULE_SIG_FORMAT, and my attempt to select
SYSTEM_DATA_VERIFICATION results in same circular dependency as with
MODULE_SIG_FORMAT, I'm unsure how to proceed.

The arch/s390/Kconfig S390 option has a 'select KEXEC' (but not KEXEC_FILE),
maybe we consider adding a 'select SYSTEM_DATA_VERIFICATION' as well?

Sure, since some other configs select it also.
And as long as it doesn't cause a circular dependency problem.

thanks.

Randy, all,
I did the following for s390 and it "works", but I don't think we can use it.

Changed:

config ARCH_SUPPORTS_KEXEC_FILE
     def_bool CRYPTO && CRYPTO_SHA256 && CRYPTO_SHA256_S390

to:

config ARCH_SELECTS_KEXEC_FILE
         def_bool y
         depends on KEXEC_FILE
         select CRYPTO
         select CRYPTO_SHA256
         select CRYPTO_SHA256_S390
         select SYSTEM_DATA_VERIFICATION

and this essentially passes my regression but for the following:

FAIL olddefconfig arch/s390/configs/defconfig
LHSB {'CONFIG_CRYPTO_SHA256_S390': 'm'}
RHSB {'CONFIG_CRYPTO_SHA256_S390': 'y'}

which simply means that the CRYPTO_SHA256_S390 is always built-in, whereas previously
it could be a module. This happens because 'select' is always =y; overwrites if
previously =m, as was the case with this particular config file.

I still don't know how to close this gap. Today I see linux-next has v5 in it.
eric


Alright, I found the solution; somewhat obvious now that I see it.

The current s390/Kconfig for KEXEC_SIG looks like:

config KEXEC_SIG
    bool "Verify kernel signature during kexec_file_load() syscall"
    depends on KEXEC_FILE && MODULE_SIG_FORMAT
    help

and this caused issues with my original conversion. I now have the conversion as:

config ARCH_SUPPORTS_KEXEC_SIG
    def_bool MODULE_SIG_FORMAT

(where previously it was simply def_bool y). This works and passes all my regressions
as well as the reported fail here.

And it makes perfect sense, now.

I'll be posting v6 shortly.
Thanks,
eric



[Index of Archives]     [Linux Kernel]     [Linux USB Development]     [Yosemite News]     [Linux SCSI]

  Powered by Linux