* [PATCH -next] arm64: enable ARCH_SUPPORTS_KEXEC_SIG_FORCE for arm64
@ 2024-08-24 11:12 Li Zetao
2024-08-27 12:43 ` Will Deacon
0 siblings, 1 reply; 2+ messages in thread
From: Li Zetao @ 2024-08-24 11:12 UTC (permalink / raw)
To: catalin.marinas, will; +Cc: lizetao1, linux-arm-kernel, linux-kernel
When the CONFIG_KEXEC_SIG is enabled, an illegal image is loaded through
kexec, and the illegal image is successfully loaded. The test example is
as follows:
# cat /sys/kernel/kexec_loaded
0
# kexec -s -l ./Image.illegal_signature
# echo $?
0
# dmesg | tail
PEFILE: Digest mismatch
# cat /sys/kernel/kexec_loaded
1
The root cause of this problem is that CONFIG_KEXEC_SIG_FORCE is not
enabled. Solve this problem by enabling the ARCH_SUPPORTS_KEXEC_SIG_FORCE
feature.
Signed-off-by: Li Zetao <lizetao1@huawei.com>
---
arch/arm64/Kconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2f8ff354ca6..9952c40a2bd8 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1549,6 +1549,9 @@ config ARCH_SELECTS_KEXEC_FILE
config ARCH_SUPPORTS_KEXEC_SIG
def_bool y
+config ARCH_SUPPORTS_KEXEC_SIG_FORCE
+ def_bool y
+
config ARCH_SUPPORTS_KEXEC_IMAGE_VERIFY_SIG
def_bool y
--
2.34.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH -next] arm64: enable ARCH_SUPPORTS_KEXEC_SIG_FORCE for arm64
2024-08-24 11:12 [PATCH -next] arm64: enable ARCH_SUPPORTS_KEXEC_SIG_FORCE for arm64 Li Zetao
@ 2024-08-27 12:43 ` Will Deacon
0 siblings, 0 replies; 2+ messages in thread
From: Will Deacon @ 2024-08-27 12:43 UTC (permalink / raw)
To: Li Zetao
Cc: catalin.marinas, linux-arm-kernel, linux-kernel, eric.devolder,
ebiederm
On Sat, Aug 24, 2024 at 07:12:34PM +0800, Li Zetao wrote:
> When the CONFIG_KEXEC_SIG is enabled, an illegal image is loaded through
> kexec, and the illegal image is successfully loaded. The test example is
> as follows:
>
> # cat /sys/kernel/kexec_loaded
> 0
> # kexec -s -l ./Image.illegal_signature
> # echo $?
> 0
> # dmesg | tail
> PEFILE: Digest mismatch
> # cat /sys/kernel/kexec_loaded
> 1
>
> The root cause of this problem is that CONFIG_KEXEC_SIG_FORCE is not
> enabled. Solve this problem by enabling the ARCH_SUPPORTS_KEXEC_SIG_FORCE
> feature.
I'm not sure this is a problem as such -- it seems to be working as
intended if you look at the Kconfig help text:
// Kconfig.kexec :: KEXEC_SIG
| The image can still be loaded without a valid signature unless you
| also enable KEXEC_SIG_FORCE, though if there's a signature that we
| can check, then it must be valid.
> Signed-off-by: Li Zetao <lizetao1@huawei.com>
> ---
> arch/arm64/Kconfig | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index a2f8ff354ca6..9952c40a2bd8 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -1549,6 +1549,9 @@ config ARCH_SELECTS_KEXEC_FILE
> config ARCH_SUPPORTS_KEXEC_SIG
> def_bool y
>
> +config ARCH_SUPPORTS_KEXEC_SIG_FORCE
> + def_bool y
I think the real question is why on Earth does KEXEC_SIG_FORCE depend on
this arch option? Can't we just remove ARCH_SUPPORTS_KEXEC_SIG_FORCE,
seeing as it doesn't appear to do anything?
Will
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-08-27 12:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-08-24 11:12 [PATCH -next] arm64: enable ARCH_SUPPORTS_KEXEC_SIG_FORCE for arm64 Li Zetao
2024-08-27 12:43 ` Will Deacon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox