Message ID | 20211018083137.338757-2-coxu@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | use more system keyrings to verify arm64 kdump kernel image signature | expand |
Hi Eric, Does this patch and "[PATCH v3 2/3] kexec, KEYS: make the code in bzImage64_verify_sig generic" look good you? On Mon, Oct 18, 2021 at 04:31:35PM +0800, Coiby Xu wrote: >commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86, >powerpc: factor out kexec_file_ops functions" allows implementing >the arch-specific implementation of kernel image verification >in kexec_file_ops->verify_sig. Currently, there is no arch-specific >implementation of arch_kexec_kernel_verify_sig. So clean it up. > >Suggested-by: Eric W. Biederman <ebiederm@xmission.com> >Signed-off-by: Coiby Xu <coxu@redhat.com> >--- > include/linux/kexec.h | 4 ---- > kernel/kexec_file.c | 34 +++++++++++++--------------------- > 2 files changed, 13 insertions(+), 25 deletions(-) > >diff --git a/include/linux/kexec.h b/include/linux/kexec.h >index 0c994ae37729..755fed183224 100644 >--- a/include/linux/kexec.h >+++ b/include/linux/kexec.h >@@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi, > const Elf_Shdr *relsec, > const Elf_Shdr *symtab); > int arch_kimage_file_post_load_cleanup(struct kimage *image); >-#ifdef CONFIG_KEXEC_SIG >-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, >- unsigned long buf_len); >-#endif > int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf); > > extern int kexec_add_buffer(struct kexec_buf *kbuf); >diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c >index 33400ff051a8..42b3ac34e4ee 100644 >--- a/kernel/kexec_file.c >+++ b/kernel/kexec_file.c 
>@@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) > return kexec_image_post_load_cleanup_default(image); > } > >-#ifdef CONFIG_KEXEC_SIG >-static int kexec_image_verify_sig_default(struct kimage *image, void *buf, >- unsigned long buf_len) >-{ >- if (!image->fops || !image->fops->verify_sig) { >- pr_debug("kernel loader does not support signature verification.\n"); >- return -EKEYREJECTED; >- } >- >- return image->fops->verify_sig(buf, buf_len); >-} >- >-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, >- unsigned long buf_len) >-{ >- return kexec_image_verify_sig_default(image, buf, buf_len); >-} >-#endif >- > /* > * arch_kexec_apply_relocations_add - apply relocations of type RELA > * @pi: Purgatory to be relocated. >@@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image) > } > > #ifdef CONFIG_KEXEC_SIG >+static int kexec_image_verify_sig(struct kimage *image, void *buf, >+ unsigned long buf_len) >+{ >+ if (!image->fops || !image->fops->verify_sig) { >+ pr_debug("kernel loader does not support signature verification.\n"); >+ return -EKEYREJECTED; >+ } >+ >+ return image->fops->verify_sig(buf, buf_len); >+} >+ > static int > kimage_validate_signature(struct kimage *image) > { > int ret; > >- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, >- image->kernel_buf_len); >+ ret = kexec_image_verify_sig(image, image->kernel_buf, >+ image->kernel_buf_len); > if (ret) { > > if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { >-- >2.31.1 >
diff --git a/include/linux/kexec.h b/include/linux/kexec.h
index 0c994ae37729..755fed183224 100644
--- a/include/linux/kexec.h
+++ b/include/linux/kexec.h
@@ -196,10 +196,6 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
 const Elf_Shdr *relsec,
 const Elf_Shdr *symtab);
 int arch_kimage_file_post_load_cleanup(struct kimage *image);
-#ifdef CONFIG_KEXEC_SIG
-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
- unsigned long buf_len);
-#endif
 int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
 
 extern int kexec_add_buffer(struct kexec_buf *kbuf);
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 33400ff051a8..42b3ac34e4ee 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -89,25 +89,6 @@ int __weak arch_kimage_file_post_load_cleanup(struct kimage *image)
 return kexec_image_post_load_cleanup_default(image);
 }
 
-#ifdef CONFIG_KEXEC_SIG
-static int kexec_image_verify_sig_default(struct kimage *image, void *buf,
- unsigned long buf_len)
-{
- if (!image->fops || !image->fops->verify_sig) {
- pr_debug("kernel loader does not support signature verification.\n");
- return -EKEYREJECTED;
- }
-
- return image->fops->verify_sig(buf, buf_len);
-}
-
-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf,
- unsigned long buf_len)
-{
- return kexec_image_verify_sig_default(image, buf, buf_len);
-}
-#endif
-
 /*
 * arch_kexec_apply_relocations_add - apply relocations of type RELA
 * @pi: Purgatory to be relocated.
@@ -184,13 +165,24 @@ void kimage_file_post_load_cleanup(struct kimage *image)
 }
 
 #ifdef CONFIG_KEXEC_SIG
+static int kexec_image_verify_sig(struct kimage *image, void *buf,
+ unsigned long buf_len)
+{
+ if (!image->fops || !image->fops->verify_sig) {
+ pr_debug("kernel loader does not support signature verification.\n");
+ return -EKEYREJECTED;
+ }
+
+ return image->fops->verify_sig(buf, buf_len);
+}
+
 static int
 kimage_validate_signature(struct kimage *image)
 {
 int ret;
 
- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf,
- image->kernel_buf_len);
+ ret = kexec_image_verify_sig(image, image->kernel_buf,
+ image->kernel_buf_len);
 if (ret) {
 
 if (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) {
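Review bot: The new `kexec_image_verify_sig()` fails closed when `image->fops` or `->verify_sig` is missing, but nothing in the hunk documents that, and the only trace is a `pr_debug()` that is usually silent unless debug output is enabled. With the `__weak` arch hook removed, this helper is the single dispatch point for kexec image signature checks, so a short comment above it would help, e.g. `/* Fail closed: a loader without ->verify_sig yields -EKEYREJECTED, never success. */`. As a style point, its one caller always passes `image->kernel_buf` and `image->kernel_buf_len`, so the helper could take `image` alone. `kimage_validate_signature()` continues past the end of the hunk, so how the `-EKEYREJECTED` result is handled when `CONFIG_KEXEC_SIG_FORCE` is off is not visible here.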
commit 9ec4ecef0af7790551109283ca039a7c52de343c ("kexec_file,x86, powerpc: factor out kexec_file_ops functions") allows implementing the arch-specific implementation of kernel image verification in kexec_file_ops->verify_sig. Currently, there is no arch-specific implementation of arch_kexec_kernel_verify_sig. So clean it up. Suggested-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Coiby Xu <coxu@redhat.com> --- include/linux/kexec.h | 4 ---- kernel/kexec_file.c | 34 +++++++++++++--------------------- 2 files changed, 13 insertions(+), 25 deletions(-)