Re: [RFC PATCH v2 2/2] kexec, KEYS: Make use of platform keyring for signature verify
From: Kairui Song
Date: Tue Jan 15 2019 - 11:55:54 EST
On Tue, Jan 15, 2019 at 11:47 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
>
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 7d97e432cbbc..a06b04065bb1 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -534,9 +534,18 @@ static int bzImage64_cleanup(void *loader_data)
> > #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> > static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> > {
> > - return verify_pefile_signature(kernel, kernel_len,
> > - VERIFY_USE_SECONDARY_KEYRING,
> > - VERIFYING_KEXEC_PE_SIGNATURE);
> > + int ret;
> > + ret = verify_pefile_signature(kernel, kernel_len,
> > + VERIFY_USE_SECONDARY_KEYRING,
> > + VERIFYING_KEXEC_PE_SIGNATURE);
> > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>
> Consider using IS_ENABLED() or IS_BUILTIN().
>
> Mimi
Thanks for the suggestion, will update the patch later if there are no
other comments.
>
> > + if (ret == -ENOKEY) {
> > + ret = verify_pefile_signature(kernel, kernel_len,
> > + VERIFY_USE_PLATFORM_KEYRING,
> > + VERIFYING_KEXEC_PE_SIGNATURE);
> > + }
> > +#endif
> > + return ret;
> > }
> > #endif
>
--
Best Regards,
Kairui Song