Re: [PATCH 2/4] kexec, KEYS, arm64: Make use of platform keyring for signature verification
On Tue, Feb 15, 2022 at 08:39:39PM +0100, Michal Suchanek wrote: > commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature > verify") > adds platform keyring support on x86 kexec but not arm64. > > Add platform keyring support on arm64 as well. > > Fixes: 278311e417be ("kexec, KEYS: Make use of platform keyring for signature > verify") > Cc: kexec@lists.infradead.org > Cc: keyri...@vger.kernel.org > Cc: linux-security-mod...@vger.kernel.org > Cc: sta...@kernel.org > Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" > --- > arch/arm64/kernel/kexec_image.c | 14 +++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c > index 1fbf2ee7c005..3dee7b2d8336 100644 > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -133,9 +133,17 @@ static void *image_load(struct kimage *image, > #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG > static int image_verify_sig(const char *kernel, unsigned long kernel_len) > { > - return verify_pefile_signature(kernel, kernel_len, > -VERIFY_USE_SECONDARY_KEYRING, > -VERIFYING_KEXEC_PE_SIGNATURE); > + int ret; > + > + ret = verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_SECONDARY_KEYRING, > + VERIFYING_KEXEC_PE_SIGNATURE); > + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { > + ret = verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_PLATFORM_KEYRING, > + VERIFYING_KEXEC_PE_SIGNATURE); > + } > + return ret; > } > #endif > > -- > 2.31.1 ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
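Review bot: In image_verify_sig(), the retry against VERIFY_USE_PLATFORM_KEYRING is taken only when the first call returns -ENOKEY, and nothing in the function says why. Any other error from the VERIFY_USE_SECONDARY_KEYRING attempt is returned unchanged, without consulting the platform keyring. If that is the intent, a short comment above `if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING))` stating that only a missing key, not a failed verification, triggers the fallback would keep a later edit from widening the condition by accident.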
[PATCH 2/4] kexec, KEYS, arm64: Make use of platform keyring for signature verification
commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") adds platform keyring support on x86 kexec but not arm64. Add platform keyring support on arm64 as well. Fixes: 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify") Cc: kexec@lists.infradead.org Cc: keyri...@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: sta...@kernel.org Signed-off-by: Michal Suchanek --- arch/arm64/kernel/kexec_image.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c index 1fbf2ee7c005..3dee7b2d8336 100644 --- a/arch/arm64/kernel/kexec_image.c +++ b/arch/arm64/kernel/kexec_image.c @@ -133,9 +133,17 @@ static void *image_load(struct kimage *image, #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG static int image_verify_sig(const char *kernel, unsigned long kernel_len) { - return verify_pefile_signature(kernel, kernel_len, - VERIFY_USE_SECONDARY_KEYRING, - VERIFYING_KEXEC_PE_SIGNATURE); + int ret; + + ret = verify_pefile_signature(kernel, kernel_len, + VERIFY_USE_SECONDARY_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { + ret = verify_pefile_signature(kernel, kernel_len, + VERIFY_USE_PLATFORM_KEYRING, + VERIFYING_KEXEC_PE_SIGNATURE); + } + return ret; } #endif -- 2.31.1 ___ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
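Review bot: The commit message carries a Fixes: tag and a stable Cc, but the hunk in image_verify_sig() changes policy rather than repairing a defect: after it, an image that the secondary keyring cannot verify may still be accepted through VERIFY_USE_PLATFORM_KEYRING. The message should state that consequence explicitly and say why extending kexec trust to the platform keyring is wanted on arm64, so that stable maintainers can judge the backport. Since the message says x86 already received this support in 278311e417be, it is also worth considering a shared helper for the two-step verification instead of a second per-architecture copy.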