On Mon, Apr 11, 2022 at 10:43:06AM +0200, Michal Suchánek wrote:
On Mon, Apr 11, 2022 at 09:52:18AM +0800, Coiby Xu wrote:
On Mon, Apr 11, 2022 at 09:13:32AM +0800, Baoquan He wrote:
> On 04/08/22 at 10:59am, Michal Suchánek wrote:
> > On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> > > Hi Coiby,
> > >
> > > On 04/01/22 at 09:31am, Coiby Xu wrote:
> > > > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > > > MOK key, loading it via the kexec_file_load() system call would be
> > > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > > > restricted; see man kernel_lockdown.7".
> > > >
> > > > This patch set allows arm64 to use more system keyrings to verify kdump
> > > > kernel image signature by making the existing code in x64 public.
> > >
> > > Thanks for updating. It would be great to tell why the problem is
> > > met, then allow arm64 to use more system keyrings can solve it.
> >
> > The reason is that MOK keys are (if anywhere) linked to the secondary
                                                               ^^^^^^^^^
                                                               platform?
> > keyring, and only primary keyring is used on arm64.

Thanks Michal for providing the info! Btw, I think you made a typo
because MOK keys are linked to the platform keyring, right?

No, I mean secondary, through this patchset:
https://lore.kernel.org/lkml/yhkp12kemyqys...@iki.fi/

Thanks for the info! This provides another approach to verify kernel
image's signature via the secondary keyring once the end-use chooses to
trust MOK keys by setting MokListTrustedRT.


Apparently support for importing the MOK keys into the platform keyring
also exists but I am not sure if this is upstream or downstream feature.

This is actually an upstream feature,

commit 15ea0e1e3e185040bed6119f815096f2e4326242
Author: Josh Boyer <jwbo...@fedoraproject.org>
Date:   Thu Dec 13 01:37:56 2018 +0530

    efi: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
    This patch imports those certificates into the platform keyring. The shim
    UEFI bootloader has a similar certificate list stored in the 'MokListRT'
    variable. We import those as well.
Secure Boot also maintains a list of disallowed certificates in the 'dbx'
    variable. We load those certificates into the system blacklist keyring
    and forbid any kernel signed with those from loading.
[zo...@linux.ibm.com: dropped Josh's original patch description]
    Signed-off-by: Josh Boyer <jwbo...@fedoraproject.org>
    Signed-off-by: David Howells <dhowe...@redhat.com>
    Signed-off-by: Nayna Jain <na...@linux.ibm.com>
    Acked-by: Serge Hallyn <se...@hallyn.com>
    Signed-off-by: Mimi Zohar <zo...@linux.ibm.com>


At any rate the MOK keys are not included in the primary keyring which
is the only keyring currently in use for kexec on arm64.

Good summary, thanks!


Thanks

Michal


--
Best regards,
Coiby


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

Reply via email to