On 7/11/23 13:49, Eric DeVolder wrote:
On 7/10/23 17:15, Randy Dunlap wrote:
On 7/10/23 14:27, Eric DeVolder wrote:
On 7/10/23 15:23, Eric DeVolder wrote:
On 7/10/23 15:11, Randy Dunlap wrote:
On 7/9/23 18:38, Stephen Rothwell wrote:
Hi all,
Changes since 20230707:
on s390:
../arch/s390/kernel/machine_kexec_file.c: In function 's390_verify_sig':
../arch/s390/kernel/machine_kexec_file.c:69:15: error: implicit declaration of function
'verify_pkcs7_signature' [-Werror=implicit-function-declaration]
69 | ret = verify_pkcs7_signature(kernel, kernel_len,
| ^~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
Full randconfig file is attached.
Randy,
Thanks for this. This appears to be randconfig testing against linux-next.
As of right now, linux-next does not contain the v5 that I posted friday.
The v5 posted friday was picked up by Andrew and over the weekend no fails
discovered, and the series currently sits in mm-everything branch. So hopefully
it will appear soon in linux-next!
Let me know if I misunderstand the situation.
Thanks!
eric
Well the root cause is a missing SYSTEM_DATA_VERIFICATION. This was discussed
through MODULE_SIG_FORMAT thread. I don't think v5 changed anything with
respect to this issue, so it will likely reveal itself again.
Since it was agreed to drop MODULE_SIG_FORMAT, and my attempt to select
SYSTEM_DATA_VERIFICATION results in same circular dependency as with
MODULE_SIG_FORMAT, I'm unsure how to proceed.
The arch/s390/Kconfig S390 option has a 'select KEXEC' (but not KEXEC_FILE),
maybe we consider adding a 'select SYSTEM_DATA_VERIFICATION' as well?
Sure, since some other configs select it also.
And as long as it doesn't cause a circular dependency problem.
thanks.
Randy, all,
I did the following for s390 and it "works", but I don't think we can use it.
Changed:
config ARCH_SUPPORTS_KEXEC_FILE
def_bool CRYPTO && CRYPTO_SHA256 && CRYPTO_SHA256_S390
to:
config ARCH_SELECTS_KEXEC_FILE
def_bool y
depends on KEXEC_FILE
select CRYPTO
select CRYPTO_SHA256
select CRYPTO_SHA256_S390
select SYSTEM_DATA_VERIFICATION
and this essentially passes my regression but for the following:
FAIL olddefconfig arch/s390/configs/defconfig
LHSB {'CONFIG_CRYPTO_SHA256_S390': 'm'}
RHSB {'CONFIG_CRYPTO_SHA256_S390': 'y'}
which simply means that the CRYPTO_SHA256_S390 is always built-in, whereas previously
it could be a module. This happens because 'select' is always =y; overwrites if
previously =m, as was the case with this particular config file.
I still don't know how to close this gap. Today I see linux-next has v5 in it.
eric
Alright, I found the solution; somewhat obvious now that I see it.
The current s390/Kconfig for KEXEC_SIG looks like:
config KEXEC_SIG
bool "Verify kernel signature during kexec_file_load() syscall"
depends on KEXEC_FILE && MODULE_SIG_FORMAT
help
and this caused issues with my original conversion. I now have the conversion as:
config ARCH_SUPPORTS_KEXEC_SIG
def_bool MODULE_SIG_FORMAT
(where previously it was simply def_bool y). This works and passes all my regressions
as well as the reported fail here.
And it makes perfect sense, now.
I'll be posting v6 shortly.
Thanks,
eric