References: <20190115094542.17129-1-kasong@redhat.com> <20190115094542.17129-3-kasong@redhat.com> <1547567218.4156.289.camel@linux.ibm.com>
In-Reply-To: <1547567218.4156.289.camel@linux.ibm.com>
From: Kairui Song
Date: Wed, 16 Jan 2019 00:48:46 +0800
Subject: Re: [RFC PATCH v2 2/2] kexec, KEYS: Make use of platform keyring for signature verify
To: Mimi Zohar
Cc: linux-kernel@vger.kernel.org, David Howells, David Woodhouse, jwboyer@fedoraproject.org, keyrings@vger.kernel.org, jmorris@namei.org, serge@hallyn.com, bauerman@linux.ibm.com, Eric Biggers, nayna@linux.ibm.com, Dave Young, linux-integrity, kexec@lists.infradead.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 15, 2019 at 11:47 PM Mimi Zohar wrote:
>
> On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
>
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 7d97e432cbbc..a06b04065bb1 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -534,9 +534,18 @@ static int bzImage64_cleanup(void *loader_data)
> >  #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> >  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> >  {
> > -        return verify_pefile_signature(kernel, kernel_len,
> > -                                       VERIFY_USE_SECONDARY_KEYRING,
> > -                                       VERIFYING_KEXEC_PE_SIGNATURE);
> > +        int ret;
> > +        ret = verify_pefile_signature(kernel, kernel_len,
> > +                                      VERIFY_USE_SECONDARY_KEYRING,
> > +                                      VERIFYING_KEXEC_PE_SIGNATURE);
> > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>
> Consider using IS_ENABLED() or IS_BUILTIN().
>
> Mimi

Thanks for the suggestion, will update the patch later if there are no
other comments.

> > +        if (ret == -ENOKEY) {
> > +                ret = verify_pefile_signature(kernel, kernel_len,
> > +                                              VERIFY_USE_PLATFORM_KEYRING,
> > +                                              VERIFYING_KEXEC_PE_SIGNATURE);
> > +        }
> > +#endif
> > +        return ret;
> >  }
> >  #endif
>

-- 
Best Regards,
Kairui Song
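Review bot: the fallback block in the hunk (`if (ret == -ENOKEY) { ... VERIFY_USE_PLATFORM_KEYRING ... }`) needs a comment stating the policy it encodes: only -ENOKEY, meaning no matching key was found in the secondary keyring, falls through to the platform keyring, while any other result from the first verify_pefile_signature() call is returned unchanged and is never retried against the platform keyring. That is the security-relevant property of this change and a reader of bzImage64_verify_sig() cannot tell from the code whether it is deliberate. While there, `int ret;` followed immediately by the assignment can be collapsed into `int ret = verify_pefile_signature(kernel, kernel_len, VERIFY_USE_SECONDARY_KEYRING, VERIFYING_KEXEC_PE_SIGNATURE);`, and the `#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING` around the fallback is the spot where Mimi's IS_ENABLED() suggestion applies, which also keeps the whole function compiled under every config.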