> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index eb62a9794242..0222d17072d4 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -231,18 +231,19 @@ kimage_file_prepare_segments(struct kimage *image, int 
> kernel_fd, int initrd_fd,
>       kexec_dprintk("kernel: %p kernel_size: %#lx\n",
>                     image->kernel_buf, image->kernel_buf_len);
>
> -     /* Call arch image probe handlers */
> -     ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> -                                         image->kernel_buf_len);
> -     if (ret)
> -             goto out;
> -
>  #ifdef CONFIG_KEXEC_SIG
>       ret = kimage_validate_signature(image);
>
>       if (ret)
>               goto out;
>  #endif

Does this reordering break signature verification? The
kimage_validate_signature() function calls kexec_image_verify_sig(), which
accesses image->fops->verify_sig:

  static int kexec_image_verify_sig(struct kimage *image, void *buf,
                                    unsigned long buf_len)
  {
      if (!image->fops || !image->fops->verify_sig) {
          pr_debug("kernel loader does not support signature verification.\n");
          return -EKEYREJECTED;
      }
      return image->fops->verify_sig(buf, buf_len);
  }

However, image->fops is set by arch_kexec_kernel_image_probe() via
kexec_image_probe_default(), which now runs after kimage_validate_signature().
Since the kimage struct is zero-initialized by do_kimage_alloc_init(),
image->fops will be NULL when kexec_image_verify_sig() is called.

With this ordering, kexec_image_verify_sig() will always return -EKEYREJECTED.
When CONFIG_KEXEC_SIG_FORCE is enabled (sig_enforce = true), this causes
kimage_validate_signature() to return the error and kexec_file_load() fails.

Is this intentional, or should arch_kexec_kernel_image_probe() remain before
the signature validation call?

> +
> +     /* Call arch image probe handlers */
> +     ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> +                                         image->kernel_buf_len);
> +     if (ret)
> +             goto out;
> +

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/21147860407
