[PATCH 2/2] The split of .system_keyring into .builtin_trusted_keys and .secondary_trusted_keys broke kexec, thereby preventing kernels signed by keys which are now in the secondary keyring from being kexec'd.

Yannik Sembritzki <yannik@xxxxxxxxxxxxx> · Fri, 7 Sep 2018 13:19:23 +0200

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Backport of ea93102f32244e3f45c8b26260be77ed0cc1d16c

Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
---
 arch/x86/kernel/kexec-bzimage64.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 3407b148..490f9be3 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -529,7 +529,7 @@ static int bzImage64_cleanup(void *loader_data)
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
 	return verify_pefile_signature(kernel, kernel_len,
-				       NULL,
+				       VERIFY_USE_SECONDARY_KEYRING,
 				       VERIFYING_KEXEC_PE_SIGNATURE);
 }
 #endif
-- 
2.17.1







