On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
Hi Greg,
Good to see you here:)
On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
>
> The patch below does not apply to the 5.19-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@xxxxxxxxxxxxxxx>.
>
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> From: Coiby Xu <coxu@xxxxxxxxxx>
> Date: Thu, 14 Jul 2022 21:40:26 +0800
> Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> image signature
>
> Currently, when loading a kernel image via the kexec_file_load() system
> call, arm64 can only use the .builtin_trusted_keys keyring to verify
> a signature whereas x86 can use three more keyrings i.e.
> .secondary_trusted_keys, .machine and .platform keyrings. For example,
> one resulting problem is kexec'ing a kernel image would be rejected
> with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> see man kernel_lockdown.7".
>
> This patch set enables arm64 to make use of the same keyrings as x86 to
> verify the signature kexec'ed kernel image.
>
> Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> Cc: stable@xxxxxxxxxxxxxxx # 105e10e2cf1c: kexec_file: drop weak attribute from functions
This is not a valid commit id in Linus's tree.
> Cc: stable@xxxxxxxxxxxxxxx # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
This is not a valid commit id in Linus's tree
> Cc: stable@xxxxxxxxxxxxxxx # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
And this too is not a valid commit in Linus's tree.
Sorry for the confusion. The correct commit ids are as follows,
0738eceb6201 ("kexec: drop weak attribute from functions")
689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
I've added the above three patch prerequisites following [1]. I assume
there is a program automatically picking up this patch. But somehow it
fails to pick up the prerequisites first. Is it because the commit ids
change when the patches are finally applied to Linus's tree?
Where did you get those commit ids from?
I got the commit ids when rebasing the patches onto the then latest
Linus tree or next-integrity tree.
If it's
true, how do we make sure the we have the correct commit ids? Note [1]
strongly recommends "Cc: stable@xxxxxxxxxxxxxxx" to submit patches to
stable tree but it seems there is no way to know beforehand the correct
commit ids of the prerequisites that are yet to arrive in Linus's tree.
Hopefully the git ids can be stable when they are merged to a
maintainer's tree.
I notice the commit ids of these patches in current next-integrity tree
are still different from Linus's tree. It seems there is no way to avoid
manually backporting a patch for similar cases unless the commit ids are
automatically fixed when Linus merges the patch or we could match a
commit by its subject.
If not, then you can respond to this "failed" email
with the full series of what needs to be done here, as I have no idea :(
Sure, I'll email the backport to stable@xxxxxxxxxxxxxxx as the response
to this "failed" email.
thanks,
greg k-h
--
Best regards,
Coiby
