[PATCH 1/2] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

From: Yannik Sembritzki
Date: Wed Aug 15 2018 - 15:43:19 EST


The split of .system_keyring to .builtin_trusted_keys and .secondary_trusted_keys broke kexec, as kernels signed by keys which are now in the secondary keyring cannot be kexec'd anymore.

Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
CC: stable@xxxxxxxxxxxxxxx
---
arch/x86/kernel/kexec-bzimage64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 7326078e..74628275 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
{
return verify_pefile_signature(kernel, kernel_len,
- NULL,
+ ((struct key *)1UL),
VERIFYING_KEXEC_PE_SIGNATURE);
}
#endif
--
2.17.1