From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 25AA6C433EF for ; Fri, 8 Apr 2022 07:18:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=p7/GthaB7XqJT4aVJV0KPK6GAQ/8CltmEnFcJDYnPbA=; b=OpX6UWcOh88ro3 akelv3oNvoOL4h+qTkYX5FSfq8B6qPOJv12f/HF6D+DZzRywuQhPX6p6m0Fg+8dx6ytXyuXfxbXG0 hcsbv4cZOm6MxG3X7uIBUYsOGMgL1vDTt3ajD+0zgfqkWTKg50vHJ+ikhSa+Ki2g9r0al3mS2MIVw EkT1O8xtVyZL1H7FmDYiLOQE6msYQ26zDnT8E6OFDbnoavv+jTgFUCJdJ6FdQAdYLcyL9RfO//Oki wGpz8iU20mci39TqMTwO2p1TLVhmsoCNgVuRIdUcA1MLKrRY44ZShyFZgqsz88EjAdYrEQuOzFq+3 BL6X6mA2vP019hkTsALA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1ncisE-00FSs3-Oh; Fri, 08 Apr 2022 07:17:39 +0000 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1ncis6-00FSnR-K8 for linux-arm-kernel@lists.infradead.org; Fri, 08 Apr 2022 07:17:33 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1649402247; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Ifzlundkn1RnCWxM37pYaRWRrJoFXMJv5HOJBtm1Sbo=; b=JU40pxXPGrcFs1ryUzvbuEzGdDjR176YQzQ7L7YufxjzRYtXvMutA+k0p246ixZqk36NqS lSqbMa/QZfB1yidXWw67KIYf4Hv6Llgop9RIqYk/5GbQzAAqJ1TA4DZbFTlC6xOOPgjFjC ctXwXsc6gTFfIz0QnA5Ci7sur/diHNM= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-582-54SSADbPO5GYWm5ZGFanKQ-1; Fri, 08 Apr 2022 03:17:24 -0400 X-MC-Unique: 54SSADbPO5GYWm5ZGFanKQ-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id DC7051014A60; Fri, 8 Apr 2022 07:17:23 +0000 (UTC) Received: from localhost (ovpn-12-202.pek2.redhat.com [10.72.12.202]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3448A1400C2D; Fri, 8 Apr 2022 07:17:22 +0000 (UTC) Date: Fri, 8 Apr 2022 15:17:19 +0800 From: Baoquan He To: Coiby Xu , Michal Suchanek Cc: kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org, Dave Young , Will Deacon , "Eric W . Biederman" , akpm@linux-foundation.org Subject: Re: [PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature Message-ID: References: <20220401013118.348084-1-coxu@redhat.com> MIME-Version: 1.0 In-Reply-To: <20220401013118.348084-1-coxu@redhat.com> X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=bhe@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Disposition: inline X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220408_001730_815931_59D7412A X-CRM114-Status: GOOD ( 19.49 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi Coiby, On 04/01/22 at 09:31am, Coiby Xu wrote: > Currently, a problem faced by arm64 is if a kernel image is signed by a > MOK key, loading it via the kexec_file_load() system call would be > rejected with the error "Lockdown: kexec: kexec of unsigned images is > restricted; see man kernel_lockdown.7". > > This patch set allows arm64 to use more system keyrings to verify kdump > kernel image signature by making the existing code in x64 public. Thanks for updating. It would be great to tell why the problem is met, then allow arm64 to use more system keyrings can solve it. Meanwhile, I noticed Michal also posted a patchset to address the same issue, while he tries to make it work on s390 too. Could you check and consider if these two patches can be integrated? [PATCH 0/4] Unifrom keyring support across architectures and functions https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek@suse.de/ Thanks Baoquan > > v5: > - improve commit message [Baoquan] > > v4: > - fix commit reference format issue and other checkpatch.pl warnings [Baoquan] > > v3: > - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric] > - clean up arch_kexec_kernel_verify_sig [Eric] > > v2: > - only x86_64 and arm64 need to enable PE file signature check [Dave] > > Coiby Xu (3): > kexec: clean up arch_kexec_kernel_verify_sig > kexec, KEYS: make the code in bzImage64_verify_sig generic > arm64: kexec_file: use more system keyrings to verify kernel image > signature > > arch/arm64/kernel/kexec_image.c | 4 +-- > arch/x86/kernel/kexec-bzimage64.c | 13 +------- > include/linux/kexec.h | 7 +++-- > kernel/kexec_file.c | 51 ++++++++++++++++++------------- > 4 files changed, 37 insertions(+), 38 deletions(-) > > -- > 2.34.1 > _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel