• Coiby Xu's avatar
    arm64: kexec_file: use more system keyrings to verify kernel image signature · 0d519cad
    Coiby Xu authored
    Currently, when loading a kernel image via the kexec_file_load() system
    call, arm64 can only use the .builtin_trusted_keys keyring to verify
    a signature whereas x86 can use three more keyrings i.e.
    .secondary_trusted_keys, .machine and .platform keyrings. For example,
    one resulting problem is kexec'ing a kernel image  would be rejected
    with the error "Lockdown: kexec: kexec of unsigned images is restricted;
    see man kernel_lockdown.7".
    
    This patch set enables arm64 to make use of the same keyrings as x86 to
    verify the signature kexec'ed kernel image.
    
    Fixes: 732b7b93 ("arm64: kexec_file: add kernel signature verification support")
    Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
    Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
    Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
    Acked-by: default avatarBaoquan He <bhe@redhat.com>
    Cc: kexec@lists.infradead.org
    Cc: keyrings@vger.kernel.org
    Cc: linux-security-module@vger.kernel.org
    Co-developed-by: default avatarMichal Suchanek <msuchanek@suse.de>
    Signed-off-by: default avatarMichal Suchanek <msuchanek@suse.de>
    Acked-by: default avatarWill Deacon <will@kernel.org>
    Signed-off-by: default avatarCoiby Xu <coxu@redhat.com>
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    0d519cad
kexec_image.c 3.74 KB