commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") adds platform keyring support on x86 kexec but not arm64. Add platform keyring support on arm64 as well. Fixes: 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") Cc: kexec@xxxxxxxxxxxxxxxxxxx Cc: keyrings@xxxxxxxxxxxxxxx Cc: linux-security-module@xxxxxxxxxxxxxxx Cc: stable@xxxxxxxxxx Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx> --- arch/arm64/kernel/kexec_image.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c index 1fbf2ee7c005..3dee7b2d8336 100644 --- a/arch/arm64/kernel/kexec_image.c +++ b/arch/arm64/kernel/kexec_image.c @@ -133,9 +133,17 @@ static void *image_load(struct kimage *image, #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG static int image_verify_sig(const char *kernel, unsigned long kernel_len) { - return verify_pefile_signature(kernel, kernel_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_KEXEC_PE_SIGNATURE); + int ret; + + ret = verify_pefile_signature(kernel, kernel_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { + ret = verify_pefile_signature(kernel, kernel_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + } + return ret; } #endif -- 2.31.1