From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8441CC433F5 for ; Thu, 10 Feb 2022 23:31:31 +0000 (UTC) Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4JvtL92F38z3cGW for ; Fri, 11 Feb 2022 10:31:29 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; secure) header.d=infradead.org header.i=@infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=2qwKcjjD; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=mcgrof@infradead.org; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=infradead.org header.i=@infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=2qwKcjjD; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4JvtKL2g6dz2yK6 for ; Fri, 11 Feb 2022 10:30:41 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=VDWZ1wyLkqnqT/23Ht0M/a/jxjSGdpdjwIwIjoTRRRI=; b=2qwKcjjD3mCCh/1mVgk1hdA+xC o2mTeS3P/3a/J49I96p9n7gshQPUYwIog5WvpAFPL31pFS8p2fRNxgmU8mEX5RoaNTgPuZnXMDfLZ JWZ1ZbigBEZevMhTDtYwDT28JH8nWX3HftkxCd5K7OmQ/7bRzk06Mhs+kn2Xh5QGjm6JwLn8Ik+Nn z4536VqIxXodC18gOtdY4kjUl8LClWDdhQxHTG+8VLLoqNd7ENE89lRlK/bMSBVTPJwoy+TnOd1Iq 71uF/rfluUzxshhkFlCJzD8kq9rzIK5fF7MRS32xDLlMRMmy474AtN1n1zA+pqAb6gpeyqrHVfGv2 iKoIQMYg==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1nIItQ-005Awh-D2; Thu, 10 Feb 2022 23:30:28 +0000 Date: Thu, 10 Feb 2022 15:30:28 -0800 From: Luis Chamberlain To: Michael Ellerman Subject: Re: [PATCH v5 0/6] KEXEC_SIG with appended signature Message-ID: References: <87pmnwlkaa.fsf@mpe.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87pmnwlkaa.fsf@mpe.ellerman.id.au> X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Nayna , Mimi Zohar , Sven Schnelle , David Howells , keyrings@vger.kernel.org, Paul Mackerras , Alexander Gordeev , Rob Herring , Herbert Xu , Baoquan He , Christian Borntraeger , James Morris , Lakshmi Ramasubramanian , Aaron Tomlin , Michal Suchanek , "Serge E. Hallyn" , Vasily Gorbik , linux-s390@vger.kernel.org, Heiko Carstens , Dmitry Kasatkin , Hari Bathini , Daniel Axtens , Christian Borntraeger , Philipp Rudo , Frank van der Linden , kexec@lists.infradead.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-crypto@vger.kernel.org, Jessica Yu , linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, "David S. Miller" , Thiago Jung Bauermann , buendgen@de.ibm.com Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Wed, Feb 09, 2022 at 03:46:05PM +1100, Michael Ellerman wrote: > Luis Chamberlain writes: > > On Tue, Jan 11, 2022 at 12:37:42PM +0100, Michal Suchanek wrote: > >> Hello, > >> > >> This is a refresh of the KEXEC_SIG series. > >> > >> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing > >> with appended signatures in the kernel. > >> > >> powerpc supports IMA_KEXEC but that's an exception rather than the norm. > >> On the other hand, KEXEC_SIG is portable across platforms. > >> > >> For distributions to have uniform security features across platforms one > >> option should be used on all platforms. > >> > >> Thanks > >> > >> Michal > >> > >> Previous revision: https://lore.kernel.org/linuxppc-dev/cover.1637862358.git.msuchanek@suse.de/ > >> Patched kernel tree: https://github.com/hramrach/kernel/tree/kexec_sig > >> > >> Michal Suchanek (6): > >> s390/kexec_file: Don't opencode appended signature check. > >> powerpc/kexec_file: Add KEXEC_SIG support. > >> kexec_file: Don't opencode appended signature verification. > >> module: strip the signature marker in the verification function. > >> module: Use key_being_used_for for log messages in > >> verify_appended_signature > >> module: Move duplicate mod_check_sig users code to mod_parse_sig > > > > What tree should this go through? I'd prefer if over through modules > > tree as it can give a chance for Aaron Tomlin to work with this for his > > code refactoring of kernel/module*.c to kernel/module/ > > Yeah that's fine by me, the arch changes are pretty minimal and unlikely > to conflict much. Ok sounds good thanks. Luis