From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0ECC5C433EF for ; Mon, 11 Oct 2021 14:03:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EAC9E61264 for ; Mon, 11 Oct 2021 14:03:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238601AbhJKOFB (ORCPT ); Mon, 11 Oct 2021 10:05:01 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:38908 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237175AbhJKOCQ (ORCPT ); Mon, 11 Oct 2021 10:02:16 -0400 Received: from in01.mta.xmission.com ([166.70.13.51]:32978) by out01.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1mZvqh-007fHh-1d; Mon, 11 Oct 2021 08:00:15 -0600 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95]:37162 helo=email.xmission.com) by in01.mta.xmission.com with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from ) id 1mZvqf-004EpR-QP; Mon, 11 Oct 2021 08:00:14 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Coiby Xu Cc: kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org, Dave Young , Will Deacon , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org (maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)), "H. Peter Anvin" , linux-kernel@vger.kernel.org (open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)) References: <20211009095458.297191-1-coxu@redhat.com> <20211009095458.297191-2-coxu@redhat.com> Date: Mon, 11 Oct 2021 08:58:36 -0500 In-Reply-To: <20211009095458.297191-2-coxu@redhat.com> (Coiby Xu's message of "Sat, 9 Oct 2021 17:54:57 +0800") Message-ID: <87ily3br3n.fsf@disp2133> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1mZvqf-004EpR-QP;;;mid=<87ily3br3n.fsf@disp2133>;;;hst=in01.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1/o+ODauzQUhwR/xCs9RDYPu7Ki8f9PEWk= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH v2 1/2] kexec, KEYS: make the code in bzImage64_verify_sig generic X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000) X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Coiby Xu writes: > The code in bzImage64_verify_sig could make use of system keyrings including > .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to verify > signed kernel image as PE file. Make it generic so both x86_64 and arm64 can > use it. The naming is problematic. At a minimum please name the new function kexec_kernel_verify_pe_sig. AKA what you named it without the "arch_" prefix. A function named with an "arch_" prefix implies that it has an architecture specific implementation. It looks like arch_kexec_kernel_verify_sig should be killed as well as it only has one implementation in the generic code. And the code should always call kexec_image_verify_sig_default. Not that you should do that but I am pointing it out as it seems that is the bad example you are copying. Eric > Signed-off-by: Coiby Xu > --- > arch/x86/kernel/kexec-bzimage64.c | 13 +------------ > include/linux/kexec.h | 3 +++ > kernel/kexec_file.c | 17 +++++++++++++++++ > 3 files changed, 21 insertions(+), 12 deletions(-) > > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c > index 170d0fd68b1f..4136dd3be5a9 100644 > --- a/arch/x86/kernel/kexec-bzimage64.c > +++ b/arch/x86/kernel/kexec-bzimage64.c > @@ -17,7 +17,6 @@ > #include > #include > #include > -#include > > #include > #include > @@ -531,17 +530,7 @@ static int bzImage64_cleanup(void *loader_data) > #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG > static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) > { > - int ret; > - > - ret = verify_pefile_signature(kernel, kernel_len, > - VERIFY_USE_SECONDARY_KEYRING, > - VERIFYING_KEXEC_PE_SIGNATURE); > - if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { > - ret = verify_pefile_signature(kernel, kernel_len, > - VERIFY_USE_PLATFORM_KEYRING, > - VERIFYING_KEXEC_PE_SIGNATURE); > - } > - return ret; > + return arch_kexec_kernel_verify_pe_sig(kernel, kernel_len); > } > #endif > > diff --git a/include/linux/kexec.h b/include/linux/kexec.h > index 0c994ae37729..d45f32336dbe 100644 > --- a/include/linux/kexec.h > +++ b/include/linux/kexec.h > @@ -19,6 +19,7 @@ > #include > > #include > +#include > > #ifdef CONFIG_KEXEC_CORE > #include > @@ -199,6 +200,8 @@ int arch_kimage_file_post_load_cleanup(struct kimage *image); > #ifdef CONFIG_KEXEC_SIG > int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, > unsigned long buf_len); > +int arch_kexec_kernel_verify_pe_sig(const char *kernel, > + unsigned long kernel_len); > #endif > int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf); > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index 33400ff051a8..0530275b7aa3 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -106,6 +106,23 @@ int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, > { > return kexec_image_verify_sig_default(image, buf, buf_len); > } > + > +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION > +int arch_kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len) > +{ > + int ret; > + > + ret = verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_SECONDARY_KEYRING, > + VERIFYING_KEXEC_PE_SIGNATURE); > + if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { > + ret = verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_PLATFORM_KEYRING, > + VERIFYING_KEXEC_PE_SIGNATURE); > + } > + return ret; > +} > +#endif > #endif > > /*