[PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies
Michal Suchánek
msuchanek at suse.de
Sat Sep 24 09:45:21 UTC 2022
On Sat, Sep 24, 2022 at 11:19:19AM +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 23, 2022 at 07:10:28PM +0200, Michal Suchanek wrote:
> > Hello,
> >
> > this is backport of commit 0d519cadf751
> > ("arm64: kexec_file: use more system keyrings to verify kernel image signature")
> > to table 5.15 tree including the preparatory patches.
>
> This feels to me like a new feature for arm64, one that has never worked
> before and you are just making it feature-parity with x86, right?
>
> Or is this a regression fix somewhere? Why is this needed in 5.15.y and
> why can't people who need this new feature just use a newer kernel
> version (5.19?)
It's half-broken implementation of the kexec kernel verification. At the time
it was implemented for arm64 we had the platform and secondary keyrings
and x86 was using them but on arm64 the initial implementation ignores
them.
Thanks
Michal
More information about the Linux-security-module-archive
mailing list