Re: [RFC PATCH v2 2/2] kexec, KEYS: Make use of platform keyring for signature verify
From: Mimi Zohar
Date: Tue Jan 15 2019 - 10:47:23 EST
On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7d97e432cbbc..a06b04065bb1 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -534,9 +534,18 @@ static int bzImage64_cleanup(void *loader_data)
> #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> {
> - return verify_pefile_signature(kernel, kernel_len,
> - VERIFY_USE_SECONDARY_KEYRING,
> - VERIFYING_KEXEC_PE_SIGNATURE);
> + int ret;
> + ret = verify_pefile_signature(kernel, kernel_len,
> + VERIFY_USE_SECONDARY_KEYRING,
> + VERIFYING_KEXEC_PE_SIGNATURE);
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
Consider using IS_ENABLED() or IS_BUILTIN().
Mimi
> + if (ret == -ENOKEY) {
> + ret = verify_pefile_signature(kernel, kernel_len,
> + VERIFY_USE_PLATFORM_KEYRING,
> + VERIFYING_KEXEC_PE_SIGNATURE);
> + }
> +#endif
> + return ret;
> }
> #endif