Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Coiby Xu <coxu@redhat.com>
Cc: bhe@redhat.com, msuchanek@suse.de, will@kernel.org,
	zohar@linux.ibm.com, stable@vger.kernel.org
Subject: Re: FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree
Date: Tue, 16 Aug 2022 09:59:57 +0200	[thread overview]
Message-ID: <YvtOfWDg2SXdcqgL@kroah.com> (raw)
In-Reply-To: <20220816063256.qzc6jh744i2zc6ou@Rk>

On Tue, Aug 16, 2022 at 02:32:56PM +0800, Coiby Xu wrote:
> Hi Greg,
> 
> Good to see you here:)
> 
> On Mon, Aug 15, 2022 at 05:33:03PM +0200, gregkh@linuxfoundation.org wrote:
> > 
> > The patch below does not apply to the 5.19-stable tree.
> > If someone wants it applied there, or to any other stable or longterm
> > tree, then please email the backport, including the original git commit
> > id to <stable@vger.kernel.org>.
> > 
> > thanks,
> > 
> > greg k-h
> > 
> > ------------------ original commit in Linus's tree ------------------
> > 
> > > From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001
> > From: Coiby Xu <coxu@redhat.com>
> > Date: Thu, 14 Jul 2022 21:40:26 +0800
> > Subject: [PATCH] arm64: kexec_file: use more system keyrings to verify kernel
> > image signature
> > 
> > Currently, when loading a kernel image via the kexec_file_load() system
> > call, arm64 can only use the .builtin_trusted_keys keyring to verify
> > a signature whereas x86 can use three more keyrings i.e.
> > .secondary_trusted_keys, .machine and .platform keyrings. For example,
> > one resulting problem is kexec'ing a kernel image  would be rejected
> > with the error "Lockdown: kexec: kexec of unsigned images is restricted;
> > see man kernel_lockdown.7".
> > 
> > This patch set enables arm64 to make use of the same keyrings as x86 to
> > verify the signature kexec'ed kernel image.
> > 
> > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support")
> > Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions

This is not a valid commit id in Linus's tree.

> > Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig

This is not a valid commit id in Linus's tree

> > Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic

And this too is not a valid commit in Linus's tree.

> 
> I've added the above three patch prerequisites following [1]. I assume
> there is a program automatically picking up this patch. But somehow it
> fails to pick up the prerequisites first. Is it because the commit ids
> change when the patches are finally applied to Linus's tree?

Where did you get those commit ids from?

> If it's
> true, how do we make sure the we have the correct commit ids? Note [1]
> strongly recommends "Cc: stable@vger.kernel.org" to submit patches to
> stable tree but it seems there is no way to know beforehand the correct
> commit ids of the prerequisites that are yet to arrive in Linus's tree.

Hopefully the git ids can be stable when they are merged to a
maintainer's tree.  If not, then you can respond to this "failed" email
with the full series of what needs to be done here, as I have no idea :(

thanks,

greg k-h

next prev parent reply	other threads:[~2022-08-16 10:04 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-15 15:33 FAILED: patch "[PATCH] arm64: kexec_file: use more system keyrings to verify kernel" failed to apply to 5.19-stable tree gregkh
2022-08-15 18:11 ` Mimi Zohar
2022-08-17 12:02   ` Greg KH
2022-08-16  6:32 ` Coiby Xu
2022-08-16  7:59   ` Greg KH [this message]
2022-08-16 10:45     ` Coiby Xu
2022-08-16 13:14       ` Mimi Zohar
2022-08-17 10:22         ` Coiby Xu
2022-08-17 12:03       ` Greg KH
2022-08-17 12:11         ` Michal Suchánek
2022-08-17 12:16           ` Greg KH
2022-08-17 12:29             ` Michal Suchánek
2022-08-19 14:45           ` Greg KH
2022-08-18  3:44         ` Coiby Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YvtOfWDg2SXdcqgL@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=bhe@redhat.com \
    --cc=coxu@redhat.com \
    --cc=msuchanek@suse.de \
    --cc=stable@vger.kernel.org \
    --cc=will@kernel.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox