From: Greg KH <gregkh@linuxfoundation.org>
To: "Michal Suchánek" <msuchanek@suse.de>
Cc: Coiby Xu <coxu@redhat.com>,
bhe@redhat.com, will@kernel.org, zohar@linux.ibm.com,
stable@vger.kernel.org
Subject: Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree
Date: Wed, 17 Aug 2022 14:16:41 +0200 [thread overview]
Message-ID: <YvzcKd2BMSpM9IZV@kroah.com> (raw)
In-Reply-To: <20220817121115.GA28810@kitsune.suse.cz>
On Wed, Aug 17, 2022 at 02:11:15PM +0200, Michal Suchánek wrote:
> On Wed, Aug 17, 2022 at 02:03:44PM +0200, Greg KH wrote:
> > On Tue, Aug 16, 2022 at 06:45:59PM +0800, Coiby Xu wrote:
> > > On Tue, Aug 16, 2022 at 09:59:57AM +0200, Greg KH wrote:
> > > > On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> > > > > Hi Greg,
> > > > >
> > > > > Good to see you here:)
> > > > >
> > > > > On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > > > > >
> > > > > > The patch below does not apply to the 5.19-stable tree.
> > > > > > If someone wants it applied there, or to any other stable or longterm
> > > > > > tree, then please email the backport, including the original git commit
> > > > > > id to <stable@vger.kernel.org>.
> > > > > >
> > > > > > thanks,
> > > > > >
> > > > > > greg k-h
> > > > > >
> > > > > > ------------------ original commit in Linus's tree ------------------
> > > > > >
> > > > > > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > > > > > From: Coiby Xu <coxu@redhat.com>
> > > > > > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > > > > > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > > > > > image signature
> > > > > >
> > > > > > Currently, when loading a kernel image via the kexec_file_load() system
> > > > > > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > > > > > a signature whereas x86 can use three more keyrings i.e.
> > > > > > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > > > > > one resulting problem is kexec'ing a kernel image would be rejected
> > > > > > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > > > > > see man kernel_lockdown.7".
> > > > > >
> > > > > > This patch set enables arm64 to make use of the same keyrings as x86 to
> > > > > > verify the signature kexec'ed kernel image.
> > > > > >
> > > > > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > > > > > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
> > > >
> > > > This is not a valid commit id in Linus's tree.
> > > >
> > > > > > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
> > > >
> > > > This is not a valid commit id in Linus's tree
> > > >
> > > > > > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
> > > >
> > > > And this too is not a valid commit in Linus's tree.
> > >
> > > Sorry for the confusion. The correct commit ids are as follows,
> > >
> > > 0738eceb6201 ("kexec: drop weak attribute from functions")
> > > 689a71493bd2 ("kexec: clean up arch_kexec_kernel_verify_sig")
> > > c903dae8941d ("kexec, KEYS: make the code in bzImage64_verify_sig generic")
> >
> > What order do they need to be applied in?
>
> This is the whole series as seen in Linus tree from oldest to newest:
>
> 65d9a9a60fd71be964effb2e94747a6acb6e7015 kexec_file: drop weak attribute from functions
> 0738eceb6201691534df07e0928d0a6168a35787 kexec: drop weak attribute from functions
> 689a71493bd2f31c024f8c0395f85a1fd4b2138e kexec: clean up arch_kexec_kernel_verify_sig
> c903dae8941deb55043ee46ded29e84e97cd84bb kexec, KEYS: make the code in bzImage64_verify_sig generic
> 0d519cadf75184a24313568e7f489a7fc9b1be3b arm64: kexec_file: use more system keyrings to verify kernel image signature
Great!
> (with the exception of the s390 patch which stands on its own)
What s390 patch?
Now you confused me again...
greg k-h
next prev parent reply other threads:[~2022-08-17 12:16 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-15 15:33 FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree gregkh
2022-08-15 18:11 ` Mimi Zohar
2022-08-17 12:02 ` Greg KH
2022-08-16 6:32 ` Coiby Xu
2022-08-16 7:59 ` Greg KH
2022-08-16 10:45 ` Coiby Xu
2022-08-16 13:14 ` Mimi Zohar
2022-08-17 10:22 ` Coiby Xu
2022-08-17 12:03 ` Greg KH
2022-08-17 12:11 ` Michal Suchánek
2022-08-17 12:16 ` Greg KH [this message]
2022-08-17 12:29 ` Michal Suchánek
2022-08-19 14:45 ` Greg KH
2022-08-18 3:44 ` Coiby Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvzcKd2BMSpM9IZV@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=bhe@redhat.com \
--cc=coxu@redhat.com \
--cc=msuchanek@suse.de \
--cc=stable@vger.kernel.org \
--cc=will@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.