| Message ID | 20220318094101.274950-1-coxu@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | use more system keyrings to verify arm64 kdump kernel image signature | expand |
Hi Coiby, On 03/18/22 at 05:40pm, Coiby Xu wrote: > This patch set allows arm64 to use more system keyrings to verify kdump > kernel image signature by making the existing code in x64 public. Could you tell more about why arm64 need use more system keyrings to verify kdump kernel iamge signature? What problem have you encountered to make you want to do this? Thanks Baoquan
Hi Baoquan, On Mon, Mar 21, 2022 at 12:24:59PM +0800, Baoquan He wrote: >Hi Coiby, > >On 03/18/22 at 05:40pm, Coiby Xu wrote: >> This patch set allows arm64 to use more system keyrings to verify kdump >> kernel image signature by making the existing code in x64 public. > >Could you tell more about why arm64 need use more system keyrings to >verify kdump kernel iamge signature? > >What problem have you encountered to make you want to do this? Thanks for raising this question! Currently, a problem faced by arm64 is if a kernel image is signed by a MOK key, this kernel image would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7". I'll improve the cover letter and the 3rd commit message to have this info. > >Thanks >Baoquan >
On 03/21/22 at 04:28pm, Coiby Xu wrote: > Hi Baoquan, > > On Mon, Mar 21, 2022 at 12:24:59PM +0800, Baoquan He wrote: > > Hi Coiby, > > > > On 03/18/22 at 05:40pm, Coiby Xu wrote: > > > This patch set allows arm64 to use more system keyrings to verify kdump > > > kernel image signature by making the existing code in x64 public. > > > > Could you tell more about why arm64 need use more system keyrings to > > verify kdump kernel iamge signature? > > > > What problem have you encountered to make you want to do this? > > Thanks for raising this question! Currently, a problem faced by arm64 is > if a kernel image is signed by a MOK key, this kernel image would be > rejected with the error "Lockdown: kexec: kexec of unsigned images is > restricted; see man kernel_lockdown.7". I'll improve the cover letter > and the 3rd commit message to have this info. Thanks for the effort, Coiby. Usually, when we post patch to solve issues, or improve, we had better tell 1) what problem we encounter; 2) why the problem happened, what is the root cause after investigation and analysis; 3) how you fix it; The 1) and 2) are very important to help reviewer understand what's going on, and why this patch is needed. As you can see, in this patchset, only 3) is presented. Cheers
This patch set allows arm64 to use more system keyrings to verify kdump kernel image signature by making the existing code in x64 public. v4: - fix commit reference format issue and other checkpatch.pl warnings [Baoquan] v3: - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric] - clean up arch_kexec_kernel_verify_sig [Eric] v2: - only x86_64 and arm64 need to enable PE file signature check [Dave] Coiby Xu (3): kexec: clean up arch_kexec_kernel_verify_sig kexec, KEYS: make the code in bzImage64_verify_sig generic arm64: kexec_file: use more system keyrings to verify kernel image signature arch/arm64/kernel/kexec_image.c | 4 +-- arch/x86/kernel/kexec-bzimage64.c | 13 +------- include/linux/kexec.h | 7 +++-- kernel/kexec_file.c | 51 ++++++++++++++++++------------- 4 files changed, 37 insertions(+), 38 deletions(-)