[RESEND PATCH v3 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[RESEND PATCH v3 0/3] use more system keyrings to verify arm64 kdump kernel image signature

[Coiby Xu]

This patch set allows arm64 to use more system keyrings to verify kdump 
kernel image signature by making the existing code in x64 public.

v3:
 - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
 - clean up arch_kexec_kernel_verify_sig [Eric]

v2:
 - only x86_64 and arm64 need to enable PE file signature check [Dave]

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   |  4 +--
 arch/x86/kernel/kexec-bzimage64.c | 13 +-------
 include/linux/kexec.h             |  7 +++--
 kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
 4 files changed, 37 insertions(+), 38 deletions(-)

-- 
2.34.1

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

From: Coiby Xu <coxu@redhat.com>

commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86,
powerpc: factor out kexec_file_ops functions" allows implementing
the arch-specific implementation of kernel image verification
in kexec_file_ops->verify_sig. Currently, there is no arch-specific
implementation of arch_kexec_kernel_verify_sig. So clean it up.

Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 include/linux/kexec.h |  4 ----
 kernel/kexec_file.c   | 34 +++++++++++++---------------------
 2 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..755fed183224 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
-#ifdef CONFIG_KEXEC_SIG
-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-				 unsigned long buf_len);
-#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 8347fc158d2b..3720435807eb 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
 	return kexec_image_post_load_cleanup_default(image);
 }
 
-#ifdef CONFIG_KEXEC_SIG
-static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
-					  unsigned long buf_len)
-{
-	if (!image->fops || !image->fops->verify_sig) {
-		pr_debug("kernel loader does not support signature verification.\n");
-		return -EKEYREJECTED;
-	}
-
-	return image->fops->verify_sig(buf, buf_len);
-}
-
-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
-					unsigned long buf_len)
-{
-	return kexec_image_verify_sig_default(image, buf, buf_len);
-}
-#endif
-
 /*
  * arch_kexec_apply_relocations_add - apply relocations of type RELA
  * @pi:		Purgatory to be relocated.
@@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+static int kexec_image_verify_sig(struct kimage *image, void *buf,
+		unsigned long buf_len)
+{
+	if (!image->fops || !image->fops->verify_sig) {
+		pr_debug("kernel loader does not support signature verification.\n");
+		return -EKEYREJECTED;
+	}
+
+	return image->fops->verify_sig(buf, buf_len);
+}
+
 static int
 kimage_validate_signature(struct kimage *image)
 {
 	int ret;
 
-	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
-					   image->kernel_buf_len);
+	ret = kexec_image_verify_sig(image, image->kernel_buf,
+			image->kernel_buf_len);
 	if (ret) {
 
 		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
-- 
2.34.1

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Baoquan He]

On 03/04/22 at 10:03am, Coiby Xu wrote:
> From: Coiby Xu <coxu@redhat.com>
> 
> commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86,
> powerpc: factor out kexec_file_ops functions" allows implementing
> the arch-specific implementation of kernel image verification
> in kexec_file_ops->verify_sig. Currently, there is no arch-specific
> implementation of arch_kexec_kernel_verify_sig. So clean it up.

This is a nice cleanup, while the log may need to be improved. You
should run ./scripts/checkpatch.pl on your patch before sending out.
When we refer to a commit in log, please refer to
Documentation/process/submitting-patches.rst.

> 
> Suggested-by: Eric W. Biederman <ebiederm@xmission.com>
> Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
> ---
>  include/linux/kexec.h |  4 ----
>  kernel/kexec_file.c   | 34 +++++++++++++---------------------
>  2 files changed, 13 insertions(+), 25 deletions(-)
> 
> diff --git a/include/linux/kexec.h b/include/linux/kexec.h
> index 0c994ae37729..755fed183224 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>  				 const Elf_Shdr *relsec,
>  				 const Elf_Shdr *symtab);
>  int arch_kimage_file_post_load_cleanup(struct kimage *image);
> -#ifdef CONFIG_KEXEC_SIG
> -int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -				 unsigned long buf_len);
> -#endif
>  int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>  
>  extern int kexec_add_buffer(struct kexec_buf *kbuf);
> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> index 8347fc158d2b..3720435807eb 100644
> --- a/kernel/kexec_file.c
> +++ b/kernel/kexec_file.c
> @@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
>  	return kexec_image_post_load_cleanup_default(image);
>  }
>  
> -#ifdef CONFIG_KEXEC_SIG
> -static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
> -					  unsigned long buf_len)
> -{
> -	if (!image->fops || !image->fops->verify_sig) {
> -		pr_debug("kernel loader does not support signature verification.\n");
> -		return -EKEYREJECTED;
> -	}
> -
> -	return image->fops->verify_sig(buf, buf_len);
> -}
> -
> -int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
> -					unsigned long buf_len)
> -{
> -	return kexec_image_verify_sig_default(image, buf, buf_len);
> -}
> -#endif
> -
>  /*
>   * arch_kexec_apply_relocations_add - apply relocations of type RELA
>   * @pi:		Purgatory to be relocated.
> @@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
>  }
>  
>  #ifdef CONFIG_KEXEC_SIG
> +static int kexec_image_verify_sig(struct kimage *image, void *buf,
> +		unsigned long buf_len)
> +{
> +	if (!image->fops || !image->fops->verify_sig) {
> +		pr_debug("kernel loader does not support signature verification.\n");
> +		return -EKEYREJECTED;
> +	}
> +
> +	return image->fops->verify_sig(buf, buf_len);
> +}
> +
>  static int
>  kimage_validate_signature(struct kimage *image)
>  {
>  	int ret;
>  
> -	ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
> -					   image->kernel_buf_len);
> +	ret = kexec_image_verify_sig(image, image->kernel_buf,
> +			image->kernel_buf_len);
>  	if (ret) {
>  
>  		if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
> -- 
> 2.34.1
> 

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

On Thu, Mar 17, 2022 at 08:45:35PM +0800, Baoquan He wrote:
>On 03/04/22 at 10:03am, Coiby Xu wrote:
>> From: Coiby Xu <coxu@redhat.com>
>>
>> commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86,
>> powerpc: factor out kexec_file_ops functions" allows implementing
>> the arch-specific implementation of kernel image verification
>> in kexec_file_ops->verify_sig. Currently, there is no arch-specific
>> implementation of arch_kexec_kernel_verify_sig. So clean it up.
>
>This is a nice cleanup, while the log may need to be improved. You
>should run ./scripts/checkpatch.pl on your patch before sending out.
>When we refer to a commit in log, please refer to
>Documentation/process/submitting-patches.rst.

Thanks for the reminder! I've used git pre-commit hook to run 
scripts/checkpatch.pl automatically but obviously this hook doesn't
apply to "git rebase --continue" and currently this no git hook that
for this situation. I'll use the following trick [1] to avoid this
mistake in the future,
  $ git rebase -i HEAD~3 --reschedule-failed-exec --exec "git show | perl ./scripts/checkpatch.pl"

[1] https://stackoverflow.com/a/70568833/1203522


-- 
Best regards,
Coiby

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Baoquan He]

On 03/18/22 at 10:48am, Coiby Xu wrote:
> On Thu, Mar 17, 2022 at 08:45:35PM +0800, Baoquan He wrote:
> > On 03/04/22 at 10:03am, Coiby Xu wrote:
> > > From: Coiby Xu <coxu@redhat.com>
> > > 
> > > commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86,
> > > powerpc: factor out kexec_file_ops functions" allows implementing
> > > the arch-specific implementation of kernel image verification
> > > in kexec_file_ops->verify_sig. Currently, there is no arch-specific
> > > implementation of arch_kexec_kernel_verify_sig. So clean it up.
> > 
> > This is a nice cleanup, while the log may need to be improved. You
> > should run ./scripts/checkpatch.pl on your patch before sending out.
> > When we refer to a commit in log, please refer to
> > Documentation/process/submitting-patches.rst.
> 
> Thanks for the reminder! I've used git pre-commit hook to run
> scripts/checkpatch.pl automatically but obviously this hook doesn't
> apply to "git rebase --continue" and currently this no git hook that
> for this situation. I'll use the following trick [1] to avoid this
> mistake in the future,
>  $ git rebase -i HEAD~3 --reschedule-failed-exec --exec "git show | perl ./scripts/checkpatch.pl"

Sorry, Coiby. It could be late yesterday so I was dizzy when writing
down the comment, I didn't make my concern clear. What I meant is
the referenced commit in log should be taken in a standard format.
Abstracted one paragraph of Documentation/process/submitting-patches.rst
here. We usually take the first 12 characters of the commit SHA-1 ID
in log, but not the whole of them.

=====
If you want to refer to a specific commit, don't just refer to the
SHA-1 ID of the commit. Please also include the oneline summary of
the commit, to make it easier for reviewers to know what it is about.
Example::

        Commit e21d2170f36602ae2708 ("video: remove unnecessary
        platform_set_drvdata()") removed the unnecessary
        platform_set_drvdata(), but left the variable "dev" unused,
        delete it.
=====

And the right parenthesis enclousing the commit subject is missing.

> 
> [1] https://stackoverflow.com/a/70568833/1203522
> 
> 
> -- 
> Best regards,
> Coiby
> 

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

On Fri, Mar 18, 2022 at 11:27:09AM +0800, Baoquan He wrote:
>On 03/18/22 at 10:48am, Coiby Xu wrote:
>> On Thu, Mar 17, 2022 at 08:45:35PM +0800, Baoquan He wrote:
>> > On 03/04/22 at 10:03am, Coiby Xu wrote:
>> > > From: Coiby Xu <coxu@redhat.com>
>> > >
>> > > commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86,
>> > > powerpc: factor out kexec_file_ops functions" allows implementing
>> > > the arch-specific implementation of kernel image verification
>> > > in kexec_file_ops->verify_sig. Currently, there is no arch-specific
>> > > implementation of arch_kexec_kernel_verify_sig. So clean it up.
>> >
>> > This is a nice cleanup, while the log may need to be improved. You
>> > should run ./scripts/checkpatch.pl on your patch before sending out.
>> > When we refer to a commit in log, please refer to
>> > Documentation/process/submitting-patches.rst.
>>
>> Thanks for the reminder! I've used git pre-commit hook to run
>> scripts/checkpatch.pl automatically but obviously this hook doesn't
>> apply to "git rebase --continue" and currently this no git hook that
>> for this situation. I'll use the following trick [1] to avoid this
>> mistake in the future,
>>  $ git rebase -i HEAD~3 --reschedule-failed-exec --exec "git show | perl ./scripts/checkpatch.pl"
>
>Sorry, Coiby. It could be late yesterday so I was dizzy when writing
>down the comment, I didn't make my concern clear. What I meant is
>the referenced commit in log should be taken in a standard format.
>Abstracted one paragraph of Documentation/process/submitting-patches.rst
>here. We usually take the first 12 characters of the commit SHA-1 ID
>in log, but not the whole of them.
>
>=====
>If you want to refer to a specific commit, don't just refer to the
>SHA-1 ID of the commit. Please also include the oneline summary of
>the commit, to make it easier for reviewers to know what it is about.
>Example::
>
>        Commit e21d2170f36602ae2708 ("video: remove unnecessary
>        platform_set_drvdata()") removed the unnecessary
>        platform_set_drvdata(), but left the variable "dev" unused,
>        delete it.
>=====
>
>And the right parenthesis enclousing the commit subject is missing.

Thanks for the detailed explanation! Your message has got across to me
successfully:) I have ran scripts/checkpatch.pl manually after seeing your
first reply and checkpatch.pl reported the exact same issues as explained
by you today. My approach of avoiding making mistakes on format is to run
checkpatch.pl automatically in the git precommit hook so I don't need to
remember the details about format. I had expected the git precommit hook
could help me find the issues pointed out by you but obviously it failed.
So I tried to find out what's wrong. I think the format issues were
introduced when doing rebase to improve the old version and the precommit
hook wasn't triggered in this case. Another thing I still missed is I used
"git diff --cached | scripts/checkpatch.pl" in the pre-commit hook which
obviously won't check the format issue in the commit message (it only
check the format issue in the code). With the two problems resolved, I
shall not make format mistakes in the future:)

Btw, checkpatch.pl seems to requires referring to a specific commit on
the same line, 

     ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 9ec4ecef0af7 ("kexec_file,x86,powerpc: factor out kexec_file_ops functions")'
     #6: 
     commit 9ec4ecef0af7 ("kexec_file,x86, powerpc: factor out kexec_file_ops
     functions") allows implementing the arch-specific implementation of kernel
     
     total: 1 errors, 0 warnings, 61 lines checked
     
     NOTE: For some of the reported defects, checkpatch may be able to
           mechanically convert to the typical style using --fix or --fix-inplace.
     
     "[PATCH] kexec: clean up arch_kexec_kernel_verify_sig" has style problems, please review.
     
     NOTE: If any of the errors are false positives, please report
           them to the maintainer, see CHECKPATCH in MAINTAINERS.

Is this a false positive?

>
>>
>> [1] https://stackoverflow.com/a/70568833/1203522
>>
>>
>> --
>> Best regards,
>> Coiby
>>
>

-- 
Best regards,
Coiby

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Baoquan He]

On 03/18/22 at 03:18pm, Coiby Xu wrote:
> On Fri, Mar 18, 2022 at 11:27:09AM +0800, Baoquan He wrote:
> > On 03/18/22 at 10:48am, Coiby Xu wrote:
> > > On Thu, Mar 17, 2022 at 08:45:35PM +0800, Baoquan He wrote:
> > > > On 03/04/22 at 10:03am, Coiby Xu wrote:
> > > > > From: Coiby Xu <coxu@redhat.com>
> > > > >
> > > > > commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86,
> > > > > powerpc: factor out kexec_file_ops functions" allows implementing
> > > > > the arch-specific implementation of kernel image verification
> > > > > in kexec_file_ops->verify_sig. Currently, there is no arch-specific
> > > > > implementation of arch_kexec_kernel_verify_sig. So clean it up.
> > > >
> > > > This is a nice cleanup, while the log may need to be improved. You
> > > > should run ./scripts/checkpatch.pl on your patch before sending out.
> > > > When we refer to a commit in log, please refer to
> > > > Documentation/process/submitting-patches.rst.
> > > 
> > > Thanks for the reminder! I've used git pre-commit hook to run
> > > scripts/checkpatch.pl automatically but obviously this hook doesn't
> > > apply to "git rebase --continue" and currently this no git hook that
> > > for this situation. I'll use the following trick [1] to avoid this
> > > mistake in the future,
> > >  $ git rebase -i HEAD~3 --reschedule-failed-exec --exec "git show | perl ./scripts/checkpatch.pl"
> > 
> > Sorry, Coiby. It could be late yesterday so I was dizzy when writing
> > down the comment, I didn't make my concern clear. What I meant is
> > the referenced commit in log should be taken in a standard format.
> > Abstracted one paragraph of Documentation/process/submitting-patches.rst
> > here. We usually take the first 12 characters of the commit SHA-1 ID
> > in log, but not the whole of them.
> > 
> > =====
> > If you want to refer to a specific commit, don't just refer to the
> > SHA-1 ID of the commit. Please also include the oneline summary of
> > the commit, to make it easier for reviewers to know what it is about.
> > Example::
> > 
> >        Commit e21d2170f36602ae2708 ("video: remove unnecessary
> >        platform_set_drvdata()") removed the unnecessary
> >        platform_set_drvdata(), but left the variable "dev" unused,
> >        delete it.
> > =====
> > 
> > And the right parenthesis enclousing the commit subject is missing.
> 
> Thanks for the detailed explanation! Your message has got across to me
> successfully:) I have ran scripts/checkpatch.pl manually after seeing your
> first reply and checkpatch.pl reported the exact same issues as explained
> by you today. My approach of avoiding making mistakes on format is to run
> checkpatch.pl automatically in the git precommit hook so I don't need to
> remember the details about format. I had expected the git precommit hook
> could help me find the issues pointed out by you but obviously it failed.
> So I tried to find out what's wrong. I think the format issues were
> introduced when doing rebase to improve the old version and the precommit
> hook wasn't triggered in this case. Another thing I still missed is I used
> "git diff --cached | scripts/checkpatch.pl" in the pre-commit hook which
> obviously won't check the format issue in the commit message (it only
> check the format issue in the code). With the two problems resolved, I
> shall not make format mistakes in the future:)
> 
> Btw, checkpatch.pl seems to requires referring to a specific commit on
> the same line,
> 
>     ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 9ec4ecef0af7 ("kexec_file,x86,powerpc: factor out kexec_file_ops functions")'
>     #6:     commit 9ec4ecef0af7 ("kexec_file,x86, powerpc: factor out
> kexec_file_ops
>     functions") allows implementing the arch-specific implementation of kernel
>     total: 1 errors, 0 warnings, 61 lines checked
>     NOTE: For some of the reported defects, checkpatch may be able to
>           mechanically convert to the typical style using --fix or --fix-inplace.
>     "[PATCH] kexec: clean up arch_kexec_kernel_verify_sig" has style problems, please review.
>     NOTE: If any of the errors are false positives, please report
>           them to the maintainer, see CHECKPATCH in MAINTAINERS.
> 
> Is this a false positive?

No, it's not. Youp probably copied the commit subject and modified it.
Please copy below two lines into your patch to replace and try again.

commit 9ec4ecef0af7 ("kexec_file,x86,powerpc: factor out kexec_file_ops
functions")

> 
> > 
> > > 
> > > [1] https://stackoverflow.com/a/70568833/1203522
> > > 
> > > 
> > > --
> > > Best regards,
> > > Coiby
> > > 
> > 
> 
> -- 
> Best regards,
> Coiby
> 

[RESEND PATCH v3 1/3] kexec: clean up arch_kexec_kernel_verify_sig

[Coiby Xu]

On Fri, Mar 18, 2022 at 04:54:01PM +0800, Baoquan He wrote:
[...]
>> Btw, checkpatch.pl seems to requires referring to a specific commit on
>> the same line,
>>
>>     ERROR: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 9ec4ecef0af7 ("kexec_file,x86,powerpc: factor out kexec_file_ops functions")'
>>     #6:     commit 9ec4ecef0af7 ("kexec_file,x86, powerpc: factor out
>> kexec_file_ops
>>     functions") allows implementing the arch-specific implementation of kernel
>>     total: 1 errors, 0 warnings, 61 lines checked
>>     NOTE: For some of the reported defects, checkpatch may be able to
>>           mechanically convert to the typical style using --fix or --fix-inplace.
>>     "[PATCH] kexec: clean up arch_kexec_kernel_verify_sig" has style problems, please review.
>>     NOTE: If any of the errors are false positives, please report
>>           them to the maintainer, see CHECKPATCH in MAINTAINERS.
>>
>> Is this a false positive?
>
>No, it's not. Youp probably copied the commit subject and modified it.
>Please copy below two lines into your patch to replace and try again.
>
>commit 9ec4ecef0af7 ("kexec_file,x86,powerpc: factor out kexec_file_ops
>functions")

Yes, you are right. I unintentionally changed the subject. I've sent 
v4 to fix this commit reference issue and other checkpatch.pl warnings.
Thanks!

-- 
Best regards,
Coiby

[RESEND PATCH v3 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic

[Coiby Xu]

From: Coiby Xu <coxu@redhat.com>

The code in bzImage64_verify_sig could make use of system keyrings including
.buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify
signed kernel image as PE file. Make it generic so both x86_64 and arm64 can
use it.

Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/x86/kernel/kexec-bzimage64.c | 13 +------------
 include/linux/kexec.h             |  7 +++++++
 kernel/kexec_file.c               | 17 +++++++++++++++++
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 170d0fd68b1f..f73aab3fde33 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -17,7 +17,6 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
-#include <linux/verification.h>
 
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	int ret;
-
-	ret = verify_pefile_signature(kernel, kernel_len,
-				      VERIFY_USE_SECONDARY_KEYRING,
-				      VERIFYING_KEXEC_PE_SIGNATURE);
-	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
-		ret = verify_pefile_signature(kernel, kernel_len,
-					      VERIFY_USE_PLATFORM_KEYRING,
-					      VERIFYING_KEXEC_PE_SIGNATURE);
-	}
-	return ret;
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 755fed183224..2fe39e946988 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -19,6 +19,7 @@
 #include <asm/io.h>
 
 #include <uapi/linux/kexec.h>
+#include <linux/verification.h>
 
 #ifdef CONFIG_KEXEC_CORE
 #include <linux/list.h>
@@ -196,6 +197,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 				 const Elf_Shdr *relsec,
 				 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
+#ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel,
+				    unsigned long kernel_len);
+#endif
+#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 3720435807eb..754885b96aab 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -165,6 +165,23 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len)
+{
+	int ret;
+
+	ret = verify_pefile_signature(kernel, kernel_len,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_KEXEC_PE_SIGNATURE);
+	if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+		ret = verify_pefile_signature(kernel, kernel_len,
+					      VERIFY_USE_PLATFORM_KEYRING,
+					      VERIFYING_KEXEC_PE_SIGNATURE);
+	}
+	return ret;
+}
+#endif
+
 static int kexec_image_verify_sig(struct kimage *image, void *buf,
 		unsigned long buf_len)
 {
-- 
2.34.1

[RESEND PATCH v3 3/3] arm64: kexec_file: use more system keyrings to verify kernel image signature

[Coiby Xu]

From: Coiby Xu <coxu@redhat.com>

This allows to verify arm64 kernel image signature using not only
.builtin_trusted_keys but also .secondary_trusted_keys and .platform keyring.

Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Coiby Xu <coiby.xu@gmail.com>
---
 arch/arm64/kernel/kexec_image.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..51af1c22d6da 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
 #include <linux/kexec.h>
 #include <linux/pe.h>
 #include <linux/string.h>
-#include <linux/verification.h>
 #include <asm/byteorder.h>
 #include <asm/cpufeature.h>
 #include <asm/image.h>
@@ -133,8 +132,7 @@ static void *image_load(struct kimage *image,
 #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
 static int image_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-	return verify_pefile_signature(kernel, kernel_len, NULL,
-				       VERIFYING_KEXEC_PE_SIGNATURE);
+	return kexec_kernel_verify_pe_sig(kernel, kernel_len);
 }
 #endif
 
-- 
2.34.1