From patchwork Thu Apr 14 01:43:40 2022
X-Patchwork-Submitter: Coiby Xu
X-Patchwork-Id: 12812825
From: Coiby Xu
To: kexec@lists.infradead.org
Cc: linux-arm-kernel@lists.infradead.org, Michal Suchanek, Baoquan He, Dave Young, Will Deacon, "Eric W . Biederman", Mimi Zohar, Chun-Yi Lee
Subject: [PATCH v6 0/4] use more system keyrings to verify arm64 and s390 kexec kernel image signature
Date: Thu, 14 Apr 2022 09:43:40 +0800
Message-Id: <20220414014344.228523-1-coxu@redhat.com>

Currently, a problem faced by arm64 is if a kernel image is signed by a MOK key, loading it via the kexec_file_load() system call would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7". This happens because arm64 uses only the primary keyring that contains only kernel built-in keys to verify the kexec image. Similarly, s390 only uses platform keyring for kernel image signature verification and built-in keys and secondary keyring are not used.
This patch set allows arm64 and s390 to use more system keyrings to verify kexec kernel image signature as x86 does.

v6:
- integrate the first three patches of "[PATCH 0/4] Unifrom keyring support across architectures and functions" from Michal [1]
- improve commit message [Baoquan, Michal]
- directly assign kexec_kernel_verify_pe_sig to kexec_file_ops->verify_sig [Michal]

v5:
- improve commit message [Baoquan]

v4:
- fix commit reference format issue and other checkpatch.pl warnings [Baoquan]

v3:
- s/arch_kexec_kernel_verify_pe_sig/kexec_kernel_verify_pe_sig [Eric]
- clean up arch_kexec_kernel_verify_sig [Eric]

v2:
- only x86_64 and arm64 need to enable PE file signature check [Dave]

[1] https://lore.kernel.org/lkml/cover.1644953683.git.msuchanek@suse.de/

Coiby Xu (3):
  kexec: clean up arch_kexec_kernel_verify_sig
  kexec, KEYS: make the code in bzImage64_verify_sig generic
  arm64: kexec_file: use more system keyrings to verify kernel image signature

Michal Suchanek (1):
  kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification

 arch/arm64/kernel/kexec_image.c       | 11 +-----
 arch/s390/kernel/machine_kexec_file.c | 18 +++++++---
 arch/x86/kernel/kexec-bzimage64.c     | 20 +---------
 include/linux/kexec.h                 |  7 ++--
 kernel/kexec_file.c                   | 51 ++++++++++++++++-----------
 5 files changed, 50 insertions(+), 57 deletions(-)

Acked-by: Baoquan He