Hi Greg,
Good to see you here:)
On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
The patch below does not apply to the 5.19-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@xxxxxxxxxxxxxxx>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
From: Coiby Xu <coxu@xxxxxxxxxx>
Date: Thu, 14 Jul 2022 21:40:26 +0800
Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
image signature
Currently, when loading a kernel image via the kexec_file_load() system
call, arm64 can only use the .builtin_trusted_keys keyring to verify
a signature whereas x86 can use three more keyrings i.e.
.secondary_trusted_keys, .machine and .platform keyrings. For example,
one resulting problem is kexec'ing a kernel image would be rejected
with the error "Lockdown: kexec: kexec of unsigned images is restricted;
see man kernel_lockdown.7".
This patch set enables arm64 to make use of the same keyrings as x86 to
verify the signature kexec'ed kernel image.
Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
Cc: stable@xxxxxxxxxxxxxxx # 105e10e2cf1c: kexec_file: drop weak attribute from functions
Cc: stable@xxxxxxxxxxxxxxx # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
Cc: stable@xxxxxxxxxxxxxxx # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
I've added the above three patch prerequisites following [1]. I assume
there is a program automatically picking up this patch. But somehow it
fails to pick up the prerequisites first. Is it because the commit ids
change when the patches are finally applied to Linus's tree? If it's
true, how do we make sure the we have the correct commit ids? Note [1]
strongly recommends "Cc: stable@xxxxxxxxxxxxxxx" to submit patches to
stable tree but it seems there is no way to know beforehand the correct
commit ids of the prerequisites that are yet to arrive in Linus's tree.
[1] https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
Acked-by: Baoquan He <bhe@xxxxxxxxxx>
Cc: kexec@xxxxxxxxxxxxxxxxxxx
Cc: keyrings@xxxxxxxxxxxxxxx
Cc: linux-security-module@xxxxxxxxxxxxxxx
Co-developed-by: Michal Suchanek <msuchanek@xxxxxxx>
Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
Acked-by: Will Deacon <will@xxxxxxxxxx>
Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..5ed6a585f21f 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
#include <linux/kexec.h>
#include <linux/pe.h>
#include <linux/string.h>
-#include <linux/verification.h>
#include <asm/byteorder.h>
#include <asm/cpufeature.h>
#include <asm/image.h>
@@ -130,18 +129,10 @@ static void *image_load(struct kimage *image,
return NULL;
}
-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
-static int image_verify_sig(const char *kernel, unsigned long kernel_len)
-{
- return verify_pefile_signature(kernel, kernel_len, NULL,
- VERIFYING_KEXEC_PE_SIGNATURE);
-}
-#endif
-
const struct kexec_file_ops kexec_image_ops = {
.probe = image_probe,
.load = image_load,
#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
- .verify_sig = image_verify_sig,
+ .verify_sig = kexec_kernel_verify_pe_sig,
#endif
};
--
Best regards,
Coiby
