[PATCH v8 2/4] kexec, KEYS: make the code in bzImage64_verify_sig generic
Coiby Xu
coxu at redhat.com
Thu Jun 16 01:47:48 UTC 2022
Hi Mimi,
On Thu, Jun 09, 2022 at 06:18:44PM -0400, Mimi Zohar wrote:
>Hi Coiby,
>
>On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
>> commit 278311e417be ("kexec, KEYS: Make use of platform keyring for
>> signature verify") adds platform keyring support on x86 kexec but not
>> arm64.
>>
>> The code in bzImage64_verify_sig makes use of system keyrings including
>> .buitin_trusted_keys, .secondary_trusted_keys and .platform keyring to
>> verify signed kernel image as PE file. Make it generic so both x86_64
>> and arm64 can use it.
>
>^uses the keys on the .builtin_trusted_keys, .machine, if configured
>and enabled, .secondary_trusted_keys, also if configured, and .platform
>keyrings to verify the signed kernel image as PE file.
>
>>
>> @@ -202,6 +203,12 @@ int arch_kexec_apply_relocations(struct purgatory_info *pi,
>> const Elf_Shdr *relsec,
>> const Elf_Shdr *symtab);
>> int arch_kimage_file_post_load_cleanup(struct kimage *image);
>> +#ifdef CONFIG_KEXEC_SIG
>> +#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
>> +int kexec_kernel_verify_pe_sig(const char *kernel,
>> + unsigned long kernel_len);
>
>Please join this line with the previous one.
>
>> +#endif
>> +#endif
>> int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf);
>>
>> extern int kexec_add_buffer(struct kexec_buf *kbuf);
I've applied the two suggestions, thanks!
>
>thanks,
>
>Mimi
>
--
Best regards,
Coiby
More information about the Linux-security-module-archive
mailing list