From: Michal Suchánek <msuchanek@suse.de>
To: Mimi Zohar
Cc: Dave Hansen, Alexander Egorenkov, keyrings@vger.kernel.org, Paul Mackerras, "H. Peter Anvin", Alexander Gordeev, Will Deacon, Sasha Levin, "open list:S390", Coiby Xu, Baoquan He, AKASHI Takahiro, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", Christian Borntraeger, Ingo Molnar, Catalin Marinas, "Naveen N. Rao", Eric Biederman, Vasily Gorbik, Heiko Carstens, Borislav Petkov, Thomas Gleixner, "moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)", Philipp Rudo, "open list:KEXEC", linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-security-module@vger.kernel.org, James Morse, Sven Schnelle, Greg Kroah-Hartman, Andrew Morton, "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)"
Subject: Re: [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies
Date: Fri, 23 Sep 2022 21:16:50 +0200
Message-ID: <20220923191650.GX28810@kitsune.suse.cz>
In-Reply-To: <67337b60a4d3cae00794d3cfd0e5add9899f18b7.camel@linux.ibm.com>
List-Id: Linux on PowerPC Developers Mail List <linuxppc-dev@lists.ozlabs.org>

Hello,

On Fri, Sep 23, 2022 at 03:03:36PM -0400, Mimi Zohar wrote:
> On Fri, 2022-09-23 at 19:10 +0200, Michal Suchanek wrote:
> > Hello,
> >
> > this is a backport of commit 0d519cadf751
> > ("arm64: kexec_file: use more system keyrings to verify kernel image signature")
> > to the stable 5.15 tree including the preparatory patches.
> >
> > Some patches needed minor adjustment for context.
>
> In general when backporting this patch set, there should be a
> dependency on backporting these commits as well. In this instance for
> linux-5.15.y, they've already been backported.
>
> 543ce63b664e ("lockdown: Fix kexec lockdown bypass with ima policy")
> af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")

Thanks for bringing these up.

It might be in general useful to backport these fixes as well.

However, this patchset does one very specific thing: it lifts the x86
kexec_file signature verification to arch-independent and uses it on arm64
to unify all features (and any existing warts) between EFI architectures.

So unless I am missing something, the fixes you pointed out are completely
independent of this.

Thanks

Michal
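The signature that kexec_file checks on the EFI architectures discussed above is the Authenticode (PKCS#7) blob stored in the PE/COFF image's security data directory; an x86 bzImage or an arm64 Image built with the EFI stub is such a PE file. The script below is an added example, not code from the kernel or from this patch set: it locates that blob and applies the bounds checks a verifier must make before it can hand anything to a keyring. The keyring lookup itself (the part the patch set moves into common code) is not reproduced here. The function names, the `PEError` type and the minimal PE32+ image that `build_test_image` constructs for the test are all assumptions of this example; the "signature" it embeds is a stand-in byte string, not a real SignedData structure.

```python
"""Locate the Authenticode (PKCS#7) blob that kexec_file verifies in a
PE/COFF kernel image (x86 bzImage or arm64 Image with the EFI stub).

Added example; not kernel code. It finds and bounds-checks the signature
only. Checking it against the secondary/platform keyrings is what the
kernel's kexec_file code does and is not done here.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index into the data directories
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


class PEError(ValueError):
    """Not a PE image, unsigned, or a certificate table that does not fit."""


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def extract_pe_signature(image: bytes) -> bytes:
    """Return the PKCS#7 DER blob from the image's security directory.

    Every offset read from the file is checked against the file size before
    it is followed, so a crafted header cannot make the caller read past
    the buffer; a missing or empty directory means the image is unsigned.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise PEError("not a PE image (no MZ header)")
    pe_off = _u32(image, 0x3C)                      # e_lfanew
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise PEError("bad e_lfanew / missing PE signature")
    coff = pe_off + 4
    opt_size = _u16(image, coff + 16)               # SizeOfOptionalHeader
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(image):
        raise PEError("optional header runs past end of file")
    magic = _u16(image, opt)
    if magic == 0x20B:                              # PE32+
        ndirs_off, dirs_off = 108, 112
    elif magic == 0x10B:                            # PE32
        ndirs_off, dirs_off = 92, 96
    else:
        raise PEError(f"unknown optional header magic {magic:#x}")
    if ndirs_off + 4 > opt_size:
        raise PEError("optional header too short for data directories")
    ndirs = _u32(image, opt + ndirs_off)            # NumberOfRvaAndSizes
    entry = dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt_size:
        raise PEError("no security data directory: image is unsigned")
    # For the security directory the "VirtualAddress" is a raw file offset.
    sec_off = _u32(image, opt + entry)
    sec_len = _u32(image, opt + entry + 4)
    if sec_off == 0 or sec_len == 0:
        raise PEError("empty security data directory: image is unsigned")
    if sec_off % 8 or sec_len < 8 or sec_off + sec_len > len(image):
        raise PEError("security directory is misaligned or outside the file")
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
    cert_len = _u32(image, sec_off)
    revision = _u16(image, sec_off + 4)
    cert_type = _u16(image, sec_off + 6)
    if cert_len < 8 or cert_len > sec_len:
        raise PEError("WIN_CERTIFICATE length does not fit the directory")
    if revision != WIN_CERT_REVISION_2_0 or cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise PEError("unsupported certificate revision/type")
    return image[sec_off + 8:sec_off + cert_len]


def describe(image: bytes) -> str:
    """One-line verdict, so callers need not handle PEError themselves."""
    try:
        sig = extract_pe_signature(image)
    except PEError as e:
        return f"rejected: {e}"
    return f"signed: {len(sig)}-byte PKCS#7 blob"


def build_test_image(sig):
    """Constructed minimal PE32+ (arm64 machine type) for offline testing.

    `sig` stands in for the DER SignedData a real image carries; pass None
    to build an unsigned image with an empty security directory.
    """
    OPT_SIZE = 240                       # PE32+ header with 16 directories
    SEC_OFF = 0x200                      # certificate table is 8-byte aligned
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0xAA64, 0, 0, 0, 0, OPT_SIZE, 0x22)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)           # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    wincert = b""
    if sig is not None:
        wincert = struct.pack("<IHH", 8 + len(sig), WIN_CERT_REVISION_2_0,
                              WIN_CERT_TYPE_PKCS_SIGNED_DATA) + sig
        wincert += b"\0" * (-len(wincert) % 8)
        struct.pack_into("<II", opt, 112 + 4 * 8, SEC_OFF, len(wincert))
    body = bytearray(dos + b"PE\0\0" + coff + opt)
    body += b"\0" * (SEC_OFF - len(body))
    return bytes(body + wincert)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:
        print(describe(build_test_image(b"\x30\x82\x00\x10" + bytes(range(16)))))
```

Run it as `python3 pe_sig.py /boot/vmlinuz-$(uname -r)` on an EFI-stub kernel: a distribution-signed image reports the size of its PKCS#7 blob, a kernel built without the EFI stub has no MZ header and is rejected at the first check, and a file whose security directory points outside the image is rejected before any byte of the "signature" is read. Whether the blob then verifies against the secondary or platform keyring is the policy question the patch set above unifies between x86 and arm64.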