Re: [PATCH 2/2] [FIXED v2] Replace magic for trusting the secondary keyring with #define
From: Vivek Goyal
Date: Thu Aug 16 2018 - 08:46:42 EST
On Thu, Aug 16, 2018 at 09:11:06AM +0800, Dave Young wrote:
> On 08/16/18 at 12:07am, Yannik Sembritzki wrote:
> > Signed-off-by: Yannik Sembritzki <yannik@xxxxxxxxxxxxx>
> > ---
> > arch/x86/kernel/kexec-bzimage64.c | 2 +-
> > certs/system_keyring.c | 3 ++-
> > crypto/asymmetric_keys/pkcs7_key_type.c | 2 +-
> > include/linux/verification.h | 3 +++
> > 4 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c
> > b/arch/x86/kernel/kexec-bzimage64.c
> > index 74628275..97d199a3 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
> > static int bzImage64_verify_sig(const char *kernel, unsigned long
> > kernel_len)
> > {
> > return verify_pefile_signature(kernel, kernel_len,
> > - ((struct key *)1UL),
> > + TRUST_SECONDARY_KEYRING,
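Review bot: the changelog above the diffstat consists only of a Signed-off-by, so nothing records why the keyring argument of verify_pefile_signature() in bzImage64_verify_sig() changes from `((struct key *)1UL)` to `TRUST_SECONDARY_KEYRING`. Add a sentence stating that the macro stands for the same sentinel value and that this is a rename with no functional effect. That argument decides which keyring is trusted when verifying the kexec'd kernel image, so a reviewer should be able to confirm from the message that the trust decision is unchanged. The definition itself is not visible in this quoted portion (the diffstat lists 3 added lines in include/linux/verification.h). It would be worth a comment at the definition saying the value is a marker, not a key pointer that may be dereferenced.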
>
> Instead of fixing your 1st patch in the 2nd patch, I would suggest
> switching the patch order. In the 1st patch, change the common code to use
> the new macro, and in the 2nd patch you can directly fix the kexec code
> with TRUST_SECONDARY_KEYRING.
I agree. It looks cleaner if the first patch changes the common code and
introduces the macro to replace 1UL, and the second patch makes use of that
macro in kexec bzImage64 verification.
Thanks
Vivek