On Tue, Feb 15, 2022 at 08:39:38PM +0100, Michal Suchanek wrote: > commit d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically") > split of .system_keyring into .builtin_trusted_keys and > .secondary_trusted_keys broke kexec, thereby preventing kernels signed by > keys which are now in the secondary keyring from being kexec'd. > > Fix this by passing VERIFY_USE_SECONDARY_KEYRING to > verify_pefile_signature(). > > Cherry-picked from > commit ea93102f3224 ("Fix kexec forbidding kernels signed with keys in the secondary keyring to boot") > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") > Cc: kexec@xxxxxxxxxxxxxxxxxxx > Cc: keyrings@xxxxxxxxxxxxxxx > Cc: linux-security-module@xxxxxxxxxxxxxxx > Cc: stable@xxxxxxxxxx > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx> Reviewed-by: "Lee, Chun-Yi" <jlee@xxxxxxxx> > --- > arch/arm64/kernel/kexec_image.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c > index 9ec34690e255..1fbf2ee7c005 100644 > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -133,7 +133,8 @@ static void *image_load(struct kimage *image, > #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG > static int image_verify_sig(const char *kernel, unsigned long kernel_len) > { > - return verify_pefile_signature(kernel, kernel_len, NULL, > + return verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_SECONDARY_KEYRING, > VERIFYING_KEXEC_PE_SIGNATURE); > } > #endif > -- > 2.31.1