On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:

> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7".
>
> This happens because image_verify_sig uses only the primary keyring that
> contains only kernel built-in keys to verify the kexec image.

From the git history it's clear that the .platform keyring was upstreamed during the same open window as commit 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support"). Loading the MOK keys onto the .platform keyring was upstreamed much later. For this reason, commit 732b7b93d849 only used keys on the .builtin_trusted_keys keyring. This patch is now addressing it and the newly upstreamed .machine keyring.

Only using the .builtin_trusted_keys is the problem statement, which should be one of the first lines of the patch description, if not the first line.

> This patch allows verifying the arm64 kernel image signature using not only
> the .builtin_trusted_keys but also the .platform and .secondary_trusted_keys
> keyrings.

Please remember to update this to include the .machine keyring.

> Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")

Since the MOK keys weren't loaded onto the .platform keyring until much later, I would not classify this as a fix.

thanks,

Mimi