* [PATCH 5.15 02/45] arm64: kexec_file: use more system keyrings to verify kernel image signature
From: Greg Kroah-Hartman @ 2022-09-21 15:45 UTC
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Baoquan He, kexec, keyrings,
linux-security-module, Michal Suchanek, Will Deacon, Coiby Xu,
Mimi Zohar, Sasha Levin
From: Coiby Xu <coxu@redhat.com>
[ Upstream commit 0d519cadf75184a24313568e7f489a7fc9b1be3b ]
Currently, when loading a kernel image via the kexec_file_load() system
call, arm64 can only use the .builtin_trusted_keys keyring to verify
a signature whereas x86 can use three more keyrings i.e.
.secondary_trusted_keys, .machine and .platform keyrings. For example,
one resulting problem is kexec'ing a kernel image would be rejected
with the error "Lockdown: kexec: kexec of unsigned images is restricted;
see man kernel_lockdown.7".
This patch set enables arm64 to make use of the same keyrings as x86 to
verify the signature of a kexec'ed kernel image.
Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions
Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig
Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic
Acked-by: Baoquan He <bhe@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Co-developed-by: Michal Suchanek <msuchanek@suse.de>
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/kexec_image.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c
index 9ec34690e255..5ed6a585f21f 100644
--- a/arch/arm64/kernel/kexec_image.c
+++ b/arch/arm64/kernel/kexec_image.c
@@ -14,7 +14,6 @@
#include <linux/kexec.h>
#include <linux/pe.h>
#include <linux/string.h>
-#include <linux/verification.h>
#include <asm/byteorder.h>
#include <asm/cpufeature.h>
#include <asm/image.h>
@@ -130,18 +129,10 @@ static void *image_load(struct kimage *image,
return NULL;
}
-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
-static int image_verify_sig(const char *kernel, unsigned long kernel_len)
-{
- return verify_pefile_signature(kernel, kernel_len, NULL,
- VERIFYING_KEXEC_PE_SIGNATURE);
-}
-#endif
-
const struct kexec_file_ops kexec_image_ops = {
.probe = image_probe,
.load = image_load,
#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
- .verify_sig = image_verify_sig,
+ .verify_sig = kexec_kernel_verify_pe_sig,
#endif
};
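Review bot: the new ".verify_sig = kexec_kernel_verify_pe_sig" initializer in kexec_image_ops references a symbol that this patch neither defines nor adds an include for, and the first hunk removes <linux/verification.h> at the same time. The declaration therefore has to come from a header the file already includes, which only holds once the prerequisite commits named in the "Cc: stable" lines (in particular 83b7bb2d49ae, "kexec, KEYS: make the code in bzImage64_verify_sig generic") are in the tree; the build report later in this thread shows the symbol undeclared at kexec_image.c:136 on 5.15.70-rc1. Suggest confirming that those prerequisites are queued ahead of this patch in the 5.15 series, or holding this patch back until they are.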
--
2.35.1
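An added example, not part of the original patch or thread: a shell check of which of the four keyrings named in the commit message are present and populated, which is what an operator would look at when kexec_file_load() rejects an image under lockdown. The /proc/keys sample, its key IDs and the "Constructed Vendor CA" entry are constructed; the --live switch is this script's own.

```shell
#!/bin/sh
# Keyrings named in the commit message as usable for kexec image verification.
KEXEC_KEYRINGS=".builtin_trusted_keys .secondary_trusted_keys .machine .platform"

# Constructed sample in /proc/keys layout:
# ID FLAGS USAGE TIMEOUT PERM UID GID TYPE DESCRIPTION: SUMMARY
sample_proc_keys() {
cat <<'EOF'
0a1b2c3d I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
1b2c3d4e I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 1
2c3d4e5f I------     1 perm 1f0f0000     0     0 keyring   .platform: 3
3d4e5f60 I------     1 perm 1f030000     0     0 asymmetric Constructed Vendor CA: X509.rsa 00112233 []
EOF
}

# keyring_status NAME   (reads /proc/keys text on stdin)
# Prints "missing" if no such keyring is listed, otherwise the summary
# field for it: "empty" or the number of keys linked into the keyring.
keyring_status() {
    awk -v want="$1:" '
        $8 == "keyring" && $9 == want { print $10; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# report   (reads /proc/keys text on stdin)
# Prints one "<keyring> <status>" line per keyring of interest.
report() {
    keys=$(cat)
    for k in $KEXEC_KEYRINGS; do
        printf '%s %s\n' "$k" "$(printf '%s\n' "$keys" | keyring_status "$k")"
    done
}

# With --live, read the running kernel's table (only keys the caller may
# view are listed); otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ] && [ -r /proc/keys ]; then
    report < /proc/keys
else
    sample_proc_keys | report
fi
```

A keyring reported as "missing" or "empty" cannot vouch for the image, so a certificate enrolled only there will not help regardless of which keyrings the architecture consults.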
* Re: [PATCH 5.15 00/45] 5.15.70-rc1 review
From: Naresh Kamboju @ 2022-09-22 10:00 UTC
To: Greg Kroah-Hartman
Cc: linux-kernel, stable, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
slade, Coiby Xu, Baoquan He, kexec, keyrings,
linux-security-module, Michal Suchanek
On Wed, 21 Sept 2022 at 21:19, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.70 release.
> There are 45 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Sep 2022 15:36:33 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.70-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
Regressions on arm64 allmodconfig builds failed.
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
* arm64, build failed.
- clang-12-allmodconfig
- clang-13-allmodconfig
- clang-14-allmodconfig
- clang-nightly-allmodconfig
- gcc-10-allmodconfig
- gcc-11-allmodconfig
- gcc-12-allmodconfig
> Coiby Xu <coxu@redhat.com>
> arm64: kexec_file: use more system keyrings to verify kernel image signature
Build errors:
---------------
arch/arm64/kernel/kexec_image.c:136:23: error:
'kexec_kernel_verify_pe_sig' undeclared here (not in a function); did
you mean 'arch_kexec_kernel_verify_sig'?
136 | .verify_sig = kexec_kernel_verify_pe_sig,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
| arch_kexec_kernel_verify_sig
## Build
* kernel: 5.15.70-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.15.y
* git commit: 16d41e601858766935e69e3f9d62db810e5d277d
* git describe: v5.15.69-46-g16d41e601858
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.69-46-g16d41e601858
## Test Regressions (compared to v5.15.69)
* arm64, build
- clang-12-allmodconfig
- clang-13-allmodconfig
- clang-14-allmodconfig
- clang-nightly-allmodconfig
- gcc-10-allmodconfig
- gcc-11-allmodconfig
- gcc-12-allmodconfig
## No Metric Regressions (compared to v5.15.69)
## No Test Fixes (compared to v5.15.69)
## No Metric Fixes (compared to v5.15.69)
## Test result summary
total: 106713, pass: 94034, fail: 687, skip: 11680, xfail: 312
## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 339 total, 336 passed, 3 failed
* arm64: 72 total, 63 passed, 9 failed
* i386: 61 total, 55 passed, 6 failed
* mips: 62 total, 59 passed, 3 failed
* parisc: 14 total, 14 passed, 0 failed
* powerpc: 69 total, 66 passed, 3 failed
* riscv: 27 total, 27 passed, 0 failed
* s390: 30 total, 27 passed, 3 failed
* sh: 26 total, 24 passed, 2 failed
* sparc: 14 total, 14 passed, 0 failed
* x86_64: 65 total, 63 passed, 2 failed
## Test suites summary
* fwts
* igt-gpu-tools
* kunit
* kvm-unit-tests
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-open-posix-tests
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* packetdrill
* rcutorture
* v4l2-compliance
* vdso
--
Linaro LKFT
https://lkft.linaro.org