Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot
From: Yannik Sembritzki
Date: Wed Aug 15 2018 - 13:27:40 EST
Would this be okay?
diff --git a/arch/x86/kernel/kexec-bzimage64.c
b/arch/x86/kernel/kexec-bzimage64.c
index 7326078e..2ba47e24 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -41,6 +41,9 @@
Â#define MIN_KERNEL_LOAD_ADDRÂÂ 0x100000
Â#define MIN_INITRD_LOAD_ADDRÂÂ 0x1000000
Â
+// Allow both builtin trusted keys and secondary trusted keys
+#define TRUST_FULL_KEYRINGÂÂÂÂ (void *)1UL
+
Â/*
 * This is a place holder for all boot loader specific data structure which
 * gets allocated in one call but gets freed much later during cleanup
@@ -532,7 +535,7 @@ static int bzImage64_cleanup(void *loader_data)
Âstatic int bzImage64_verify_sig(const char *kernel, unsigned long
kernel_len)
Â{
ÂÂÂÂÂÂÂ return verify_pefile_signature(kernel, kernel_len,
-ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ NULL,
+ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ TRUST_FULL_KEYRING,
ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂ VERIFYING_KEXEC_PE_SIGNATURE);
Â}
Â#endif
--
On 15.08.2018 18:54, Linus Torvalds wrote:
> This needs more people involved, and at least a sign-off.
>
> It looks ok, but I think we need a #define for the magical (void *)1UL
> thing. I see the use in verify_pkcs7_signature(), but still.
>
> Linus
>
>
>
> On Wed, Aug 15, 2018 at 3:11 AM Yannik Sembritzki <yannik@xxxxxxxxxxxxx> wrote:
>> ---
>> arch/x86/kernel/kexec-bzimage64.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
>> index 7326078e..eaaa125d 100644
>> --- a/arch/x86/kernel/kexec-bzimage64.c
>> +++ b/arch/x86/kernel/kexec-bzimage64.c
>> @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
>> static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>> {
>> return verify_pefile_signature(kernel, kernel_len,
>> - NULL,
>> + (void *)1UL,
>> VERIFYING_KEXEC_PE_SIGNATURE);
>> }
>> #endif
>> --
>> 2.17.1
>>
>> The exact scenario under which this issue occurs is described here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1554113
>>