Re: [PATCH 2/2] [FIXED v2] Replace magic for trusting the secondary keyring with #define

From: Vivek Goyal
Date: Thu Aug 16 2018 - 08:46:42 EST


On Thu, Aug 16, 2018 at 09:11:06AM +0800, Dave Young wrote:
> On 08/16/18 at 12:07am, Yannik Sembritzki wrote:
> > Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
> > ---
> >  arch/x86/kernel/kexec-bzimage64.c       | 2 +-
> >  certs/system_keyring.c                  | 3 ++-
> >  crypto/asymmetric_keys/pkcs7_key_type.c | 2 +-
> >  include/linux/verification.h            | 3 +++
> >  4 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c
> > b/arch/x86/kernel/kexec-bzimage64.c
> > index 74628275..97d199a3 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
> >  static int bzImage64_verify_sig(const char *kernel, unsigned long
> > kernel_len)
> >  {
> >      return verify_pefile_signature(kernel, kernel_len,
> > -                       ((struct key *)1UL),
> > +                       TRUST_SECONDARY_KEYRING,
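
Review bot: the changelog is empty apart from the Signed-off-by, so nothing records what the trusted-keys argument passed to verify_pefile_signature() in bzImage64_verify_sig() selects. Add a short description saying that TRUST_SECONDARY_KEYRING is meant to name the same value as the removed `((struct key *)1UL)` cast, so this call site is a pure rename. Also check that the definition added in include/linux/verification.h (3 lines per the diffstat, not shown in this quote) carries a comment explaining that it is a marker value and not a real key pointer.
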
>
> Instead of fixing your 1st patch in the 2nd patch, I would suggest
> switching the patch order. In the 1st patch, change the common code to use
> the new macro, and in the 2nd patch you can directly fix the kexec code
> with TRUST_SECONDARY_KEYRING.

I agree. It looks cleaner if the first patch changes the common code and
introduces the macro to replace 1UL, and the second patch makes use of that
macro in kexec bzImage64 verification.

Thanks
Vivek