From: Baoquan He
Date: Mon, 11 Apr 2022 09:13:32 +0800
Subject: Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature
To: Michal Suchánek
Cc: Coiby Xu, kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org, Dave Young, Will Deacon, "Eric W. Biederman", akpm@linux-foundation.org
In-Reply-To: <20220408085931.GW163591@kunlun.suse.cz>
References: <20220401013118.348084-1-coxu@redhat.com> <20220408085931.GW163591@kunlun.suse.cz>

On 04/08/22 at 10:59am, Michal Suchánek wrote:
> On Fri, Apr 08, 2022 at 03:17:19PM +0800, Baoquan He wrote:
> > Hi Coiby,
> >
> > On 04/01/22 at 09:31am, Coiby Xu wrote:
> > > Currently, a problem faced by arm64 is if a kernel image is signed by a
> > > MOK key, loading it via the kexec_file_load() system call would be
> > > rejected with the error "Lockdown: kexec: kexec of unsigned images is
> > > restricted; see man kernel_lockdown.7".
> > >
> > > This patch set allows arm64 to use more system keyrings to verify kdump
> > > kernel image signature by making the existing code in x64 public.
> >
> > Thanks for updating. It would be great to tell why the problem is
> > met, and then how allowing arm64 to use more system keyrings can solve it.
>
> The reason is that MOK keys are (if anywhere) linked to the secondary
> keyring, and only the primary keyring is used on arm64.

Thanks for explaining. This is valuable information and should be put
into the log for better understanding when reviewing or reading the code later.