[v4,0/3] use more system keyrings to verify arm64 kdump kernel image signature

Message ID 20220318094101.274950-1-coxu@redhat.com (mailing list archive)

Message

Coiby Xu March 18, 2022, 9:40 a.m. UTC
This patch set allows arm64 to use more system keyrings to verify kdump 
kernel image signature by making the existing code in x64 public.

v4:
 - fix commit reference format issue and other checkpatch.pl warnings [Baoquan]

v3:
 - s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
 - clean up arch_kexec_kernel_verify_sig [Eric]

v2:
 - only x86_64 and arm64 need to enable PE file signature check [Dave]

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image
    signature

 arch/arm64/kernel/kexec_image.c   |  4 +--
 arch/x86/kernel/kexec-bzimage64.c | 13 +-------
 include/linux/kexec.h             |  7 +++--
 kernel/kexec_file.c               | 51 ++++++++++++++++++-------------
 4 files changed, 37 insertions(+), 38 deletions(-)

Comments

Baoquan He March 21, 2022, 4:24 a.m. UTC | #1
Hi Coiby,

On 03/18/22 at 05:40pm, Coiby Xu wrote:
> This patch set allows arm64 to use more system keyrings to verify kdump 
> kernel image signature by making the existing code in x64 public.

Could you tell more about why arm64 needs to use more system keyrings to
verify kdump kernel image signature?

What problem have you encountered to make you want to do this?

Thanks
Baoquan

Coiby Xu March 21, 2022, 8:28 a.m. UTC | #2
Hi Baoquan,

On Mon, Mar 21, 2022 at 12:24:59PM +0800, Baoquan He wrote:
>Hi Coiby,
>
>On 03/18/22 at 05:40pm, Coiby Xu wrote:
>> This patch set allows arm64 to use more system keyrings to verify kdump
>> kernel image signature by making the existing code in x64 public.
>
>Could you tell more about why arm64 needs to use more system keyrings to
>verify kdump kernel image signature?
>
>What problem have you encountered to make you want to do this?

Thanks for raising this question! Currently, a problem faced by arm64 is
if a kernel image is signed by a MOK key, this kernel image would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7". I'll improve the cover letter
and the 3rd commit message to have this info.

>
>Thanks
>Baoquan
>

Baoquan He March 21, 2022, 8:35 a.m. UTC | #3
On 03/21/22 at 04:28pm, Coiby Xu wrote:
> Hi Baoquan,
> 
> On Mon, Mar 21, 2022 at 12:24:59PM +0800, Baoquan He wrote:
> > Hi Coiby,
> > 
> > On 03/18/22 at 05:40pm, Coiby Xu wrote:
> > > This patch set allows arm64 to use more system keyrings to verify kdump
> > > kernel image signature by making the existing code in x64 public.
> > 
> > Could you tell more about why arm64 needs to use more system keyrings to
> > verify kdump kernel image signature?
> > 
> > What problem have you encountered to make you want to do this?
> 
> Thanks for raising this question! Currently, a problem faced by arm64 is
> if a kernel image is signed by a MOK key, this kernel image would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man kernel_lockdown.7". I'll improve the cover letter
> and the 3rd commit message to have this info.

Thanks for the effort, Coiby.

Usually, when we post a patch to solve issues, or improve, we had better
tell

1) what problem we encounter;
2) why the problem happened, what is the root cause after investigation and analysis;
3) how you fix it;

The 1) and 2) are very important to help the reviewer understand what's
going on, and why this patch is needed. As you can see, in this
patchset, only 3) is presented.

Cheers