Re: [RESEND PATCH v1 1/1] s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Heiko Carstens <hca@linux.ibm.com>
To: Baoquan He <bhe@redhat.com>
Cc: Alexander Egorenkov <egorenar@linux.ibm.com>,
	linux-s390@vger.kernel.org, akpm@linux-foundation.org,
	kexec@lists.infradead.org
Subject: Re: [RESEND PATCH v1 1/1] s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n
Date: Tue, 10 Feb 2026 14:36:52 +0100	[thread overview]
Message-ID: <20260210133652.15669A6b-hca@linux.ibm.com> (raw)
In-Reply-To: <aYqWhWQO265YRnPP@fedora>

On Tue, Feb 10, 2026 at 10:23:01AM +0800, Baoquan He wrote:
> On 02/09/26 at 02:33pm, Alexander Egorenkov wrote:
> > The commit c8424e776b09 ("MODSIGN: Export module signature definitions")
> > replaced the dependency of KEXEC_SIG on SYSTEM_DATA_VERIFICATION with
> > the dependency on MODULE_SIG_FORMAT. This change disables KEXEC_SIG
> > in s390 kernels built with MODULES=n if nothing else selects
> > MODULE_SIG_FORMAT.
> > 
> > Furthermore, the signature verification in s390 kexec does not require
> > MODULE_SIG_FORMAT because it requires only the struct module_signature and,
> > therefore, does not depend on code in kernel/module_signature.c.
> > 
> > But making ARCH_SUPPORTS_KEXEC_SIG depend on SYSTEM_DATA_VERIFICATION
> > is also incorrect because it makes KEXEC_SIG available on s390 only
> > if some other arbitrary option (for instance a file system or device driver)
> > selects it directly or indirectly.
> > 
> > To properly make KEXEC_SIG available for s390 kernels built with MODULES=y
> > as well as MODULES=n _and_ also not depend on arbitrary options selecting
> > SYSTEM_DATA_VERIFICATION, we set ARCH_SUPPORTS_KEXEC_SIG=y for s390 and
> > select SYSTEM_DATA_VERIFICATION when KEXEC_SIG=y.
> 
> Thanks for fixing the issue.
> 
> Seems the background and change is a little twisting, and selecting
> SYSTEM_DATA_VERIFICATION will cause a bunch of verification feature
> selected. While the change is only s390 related, request s390 expert to
> have look at this change. If no concern from s390 developer, I am also
> fine to it.

...

> > diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
> > index c2c7bf974397..385c1052cf45 100644
> > --- a/arch/s390/Kconfig
> > +++ b/arch/s390/Kconfig
> > @@ -313,7 +313,7 @@ config ARCH_SUPPORTS_KEXEC_FILE
> >  	def_bool y
> >  
> >  config ARCH_SUPPORTS_KEXEC_SIG
> > -	def_bool MODULE_SIG_FORMAT
> > +	def_bool y
> >  
> >  config ARCH_SUPPORTS_KEXEC_PURGATORY
> >  	def_bool y
> > diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec
> > index 15632358bcf7..df97227cfca9 100644
> > --- a/kernel/Kconfig.kexec
> > +++ b/kernel/Kconfig.kexec
> > @@ -50,6 +50,7 @@ config KEXEC_SIG
> >  	bool "Verify kernel signature during kexec_file_load() syscall"
> >  	depends on ARCH_SUPPORTS_KEXEC_SIG
> >  	depends on KEXEC_FILE
> > +	select SYSTEM_DATA_VERIFICATION if S390

Alexander, would it make sense to move this to arch/s390/Kconfig and
add something like

	select SYSTEM_DATA_VERIFICATION if KEXEC_SIG

instead? This would have the slight advantage to keep arch specifics
out of common code Kconfig.

next prev parent reply	other threads:[~2026-02-10 13:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-09 13:33 [RESEND PATCH v1 1/1] s390/kexec: Make KEXEC_SIG available when CONFIG_MODULES=n Alexander Egorenkov
2026-02-10  2:23 ` Baoquan He
2026-02-10 13:36   ` Heiko Carstens [this message]
2026-02-10 14:01     ` Alexander Egorenkov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260210133652.15669A6b-hca@linux.ibm.com \
    --to=hca@linux.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=bhe@redhat.com \
    --cc=egorenar@linux.ibm.com \
    --cc=kexec@lists.infradead.org \
    --cc=linux-s390@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.