Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1180610pxb; Wed, 6 Apr 2022 10:38:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz4JnpvaTwNz/P1tKF7SKmenswHiaAViLkRM6urkMJwPic9vNM1e67RjmKlREG8iSsTPf9V X-Received: by 2002:a17:90b:1e04:b0:1ca:bc37:d132 with SMTP id pg4-20020a17090b1e0400b001cabc37d132mr11248131pjb.84.1649266685018; Wed, 06 Apr 2022 10:38:05 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1649266685; cv=pass; d=google.com; s=arc-20160816; b=p8A9iZKtcrCZZ3ITxemoTdPtq5DIFogIJKg6+8pVItW/XeTKIW+yiME9hs3h5zdIzn keEvUQT0V3wkZ6iRLXKgE91gXrsN+4883RKH9ORHZBrGytsF/8p+qEBdj4u4YB873auX 88eNbig3Uf9pcDv8H34L73nXCwZwZ7uQvg3Fbkr8QCmUaaKjeNgQW5UvjImCTEky2pVz HUY+l/yngBCdgpqjrm0w8R3edZ+uaTT/4xsQHOw63cBrh5+ZLEwVQlVXwqIudUQoVK7S oyWAPEvRIbxcCvkrxzxmSm5H8+YjFBFU1BMOf8yjXscIL3ha9Y9IMzdLKKUhlSGWjPbd OZEQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:in-reply-to :content-disposition:references:message-id:subject:cc:to:from:date :dkim-signature; bh=yRoNGebNpG+7JCeHgdPg8u/gYAPkrLtJXRhl4RgFQi8=; b=xqh7gvCQmb0XlD5xxZQX+UmXVfJRkFxlh/C8B5cgnT7ZF/90lTjZIKjg57Xj4byKuP w8AxaTuMXHbn+En6xCGGob4YIYueA+0YmOe74Lci0c+Y5ZaIaDJ4eY3khyB7GW9BzCg/ /j57qgF5Nz3bEKEmAb1Or2+ZjQrO47AkaAPW2RjrBEq9Y1dNvHknNJJdgVA0HX99uDS0 /2Hw9SzN5AU9PmTpvNFNAXZeBxFK8w60AdhWKh8cS7pqINdQwBq3sY9ik3nYkr5k8O/+ KbDcDd4d1j38ap/eYoQt8QW7KdGV8kFPahx9kv/em3RQiQZkUmmE1cp1+eYtz/ETfFD6 O+WQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@suse.com header.s=mimecast20200619 header.b=HF33rDRg; arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id x6-20020a17090ab00600b001beef62c01asi5075713pjq.15.2022.04.06.10.38.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 10:38:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=mimecast20200619 header.b=HF33rDRg; arc=pass (i=1 spf=pass spfdomain=suse.com dkim=pass dkdomain=suse.com dmarc=pass fromdomain=suse.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=suse.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 8AB6B18427B; Wed, 6 Apr 2022 10:33:50 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239281AbiDFRf0 (ORCPT + 99 others); Wed, 6 Apr 2022 13:35:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239282AbiDFRes (ORCPT ); Wed, 6 Apr 2022 13:34:48 -0400 Received: from de-smtp-delivery-102.mimecast.com (de-smtp-delivery-102.mimecast.com [194.104.111.102]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C356527B605 for ; Wed, 6 Apr 2022 08:41:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=mimecast20200619; t=1649259695; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=yRoNGebNpG+7JCeHgdPg8u/gYAPkrLtJXRhl4RgFQi8=; b=HF33rDRg/e848iQNxIU5dQmxHHQjhZRlL51GqXxtZelIKqTMsP/wZ89s+Rtg8xHquNCsbR IrHFIRYGUNT8kyLixUMRGD6L/R/Xjb8C/H7wU1YilrPPyMSBlmOkoXXHZHOQwuRg4Esya2 aNvSB48nzrnZBd87CO5vTO2aDUkSC6U= Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04lp2050.outbound.protection.outlook.com [104.47.12.50]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id de-mta-26-2fhaSZ82PpGnIrYVATNk_g-1; Wed, 06 Apr 2022 17:41:32 +0200 X-MC-Unique: 2fhaSZ82PpGnIrYVATNk_g-1 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jh9e6JZUNLR0L+uSMRENPiyiYmJywHQbyQabE8T+gCGx3DHy7XGZiLx6Bc2T0yaWhanyWN0ZCpcaS7suLL90AOFYPpc+9jty7PKwp+tftKYtXQ/ezlxoYpVBaOVTpnCDPYxrHYXAcIQrV0Lug5UDBwSFYjAjixRHAT3K4Hn8kmrBvLhD5QYXmEOGv1b7ZWBEWc3sXP/qMCEQcB5HXiSs2HqJJJDKip/gobcILx8D6buJ72PshllFG0jT7LQl0GbgcPL4u6jYpO+GaMdiWXwiwAVjrE9b2456oAjaBAqTKvALWaheGCslvZjXLQX3+OzF0IwJmgziosgj9DwR5VOWXg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=yRoNGebNpG+7JCeHgdPg8u/gYAPkrLtJXRhl4RgFQi8=; b=IMU4NQRS9nBN0/RWr4DxhjpK0tos5Pwi3rA873BgcYbaSBSgMbwlv4A+aYnYiVDh6wr0FqEA2nW6cNrFiR/9e2izkgfsZ8HnQzRJmCZWSi1QzpURoRGCVYd1SEBsHOvPNfQHfq31b56S0JE644M7z0B8N/tnzh2aRFpcxq3GRgDpp2omdnXNjzstSNavl2iaaMjbTdhIFeW/J262uXwe7rJR1r0vW1XyjIcG+Z1gErxnCYbwgUtVw3fy2QT8yn7iZNvmrYAh3NSUYVYa4cbg/Tg7+YigoaXSz4sPxveqY22GZND3HulGARh4nxQFVBAZMuv5kaNS/XCR9MhRwfMVAQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com; Received: from DB8PR04MB7097.eurprd04.prod.outlook.com (2603:10a6:10:12a::11) by AM0PR04MB4243.eurprd04.prod.outlook.com (2603:10a6:208:66::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31; Wed, 6 Apr 2022 15:41:30 +0000 Received: from DB8PR04MB7097.eurprd04.prod.outlook.com ([fe80::8d7a:5d52:e592:9227]) by DB8PR04MB7097.eurprd04.prod.outlook.com ([fe80::8d7a:5d52:e592:9227%9]) with mapi id 15.20.5123.031; Wed, 6 Apr 2022 15:41:29 +0000 Date: Wed, 6 Apr 2022 23:41:16 +0800 From: joeyli To: Michal Suchanek Cc: Catalin Marinas , Will Deacon , Heiko Carstens , Vasily Gorbik , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Philipp Rudo , Baoquan He , Alexander Egorenkov , AKASHI Takahiro , James Morse , Dave Young , Mimi Zohar , Kairui Song , Martin Schwidefsky , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, kexec@lists.infradead.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, stable@kernel.org Subject: Re: [PATCH 1/4] Fix arm64 kexec forbidding kernels signed with keys in the secondary keyring to boot Message-ID: <20220406154056.GL11641@linux-l9pv.suse> References: <83b3583f35c50c609739a8d857d14e8410293373.1644953683.git.msuchanek@suse.de> Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <83b3583f35c50c609739a8d857d14e8410293373.1644953683.git.msuchanek@suse.de> User-Agent: Mutt/1.11.4 (2019-03-13) X-ClientProxiedBy: HK2PR02CA0210.apcprd02.prod.outlook.com (2603:1096:201:20::22) To DB8PR04MB7097.eurprd04.prod.outlook.com (2603:10a6:10:12a::11) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: e5afd4a4-6989-4fa3-2229-08da17e3eace X-MS-TrafficTypeDiagnostic: AM0PR04MB4243:EE_ X-Microsoft-Antispam-PRVS: X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: BzVz3DttFi1aUoKgY/oMT/vkk6zmv1301xgdAsUoYN/diSD+D59HpIoF2jh2cU0EX4xDyiAlht1CGrtVCyj9ZiQV/dT0ZDU25p7cDTcp3O1aCQYvBvR/e/8C5XB3UDobpkAXUNMRFJ9n1b+bRjo5o+itCMqQHZNYhEMcjska6qsTmfxWZBSDq3CKgYHxspzLElJb+o0hn7MXOlabd5FRcBi+Zp4qc2mVXwfPKQkx/L4GzKEB1fIb6n7PaTlLrw+KGcKa/NPipMICaucDH4V428YkWK8BPP+l1+bDS5X65X/FNky2H+3sJziqOjC91GEoYqBA/sUcXRbZiTAP04ZtqHIHCdHozQoOFopvPbPe7MkyJEip9eXdP53Nih5NUJuMGEDA/cdZtn7x1ThW81pyc7gVP5zqCqccTlTq0AngnbQfN2/t0eoVEwPHtchC02wfT/nnE+c+hBuPn5h/iVUYhxRvuZ/genDAARhmO4Y/RIFPEbnOlDeJtKpYlb3qIE4cE5xRkAyfVyYVmXsO8ycBMBgbLEZh9HSgFne2ju/KJj8VncQFxF2FkYDyklSey+kEkHGyMOvH4dDe+ID6KDhJuXdONU9lts8vcc5NTQN/igbV3iZksGt/HOo4EfGJd/JN3m3y0uhdlEJTizpYPnzHp5c63qs9BDDuaLZDSvbmDin3Tc4IJKuEKrKMX4FhBcACYM6G/9285Hn33/1/15w0jQ== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB8PR04MB7097.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(366004)(7416002)(5660300002)(26005)(186003)(66946007)(4326008)(6486002)(38100700002)(1076003)(508600001)(8936002)(66476007)(8676002)(66556008)(83380400001)(86362001)(6512007)(33656002)(6506007)(9686003)(6666004)(2906002)(316002)(54906003)(36756003)(6916009)(43062005);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?wf985CF6ryCrnDXwjZqmB60ylTzJbxNXAZ+4I+FLnIaK5CmhUYxVLxPHJrWY?= =?us-ascii?Q?GdgNhQOBfj9AbUSndc/A4O/rIYkMOej7EJFenZMRRB4DLiN/SsPaRFJhHdUD?= =?us-ascii?Q?oEP2qSRaQINXl1nPr2cg/ZkGbcnhXAOgjGePkkYFZYlOKe0G6C71GytnwtX8?= =?us-ascii?Q?6PgDnnDw3rRWe9MMLrFH1DQgOwYDeIwwKwlKahu+uTYpAdjeTmW2SnOOO2UP?= =?us-ascii?Q?mmVeug9g+ScovVZK78pNl/r5e8GTzKss3QCtaSYVs+Id1rUW515bDs7FoVhD?= =?us-ascii?Q?Vx/UIP6nFIAry4Mc1tn6aCf73BOX8EWiXrAMoOlC3Xc+M2q8WyqHAkUtNvd2?= =?us-ascii?Q?Z1StpBPzGdjqbQTcHZbst1GnR0LqEj2kgODWTeWUqlv5iPBzqrv5pwVmurFW?= =?us-ascii?Q?Wi9p1ywuHfpQgdVdcBeGzn++l9D3qz+ZvE9ytxMbwMswEKHwgywl2tlwW0qN?= =?us-ascii?Q?HxuAA/fTVIGL/fltalm6r4IijDsKP7/E3SoP0wpjYFkhc5SUK8wh5U0TOK3Y?= =?us-ascii?Q?lLuZB7uMwuUwbOl/eXpcWZoq8+BoJAd0LDY3dgeD027lwXNTnuEVyc10MhCM?= =?us-ascii?Q?6GTcTTI7h0JC6UyAmsDceXiP2adHU/sDabzU3FyDfIgaP2p2qjCXehnvNIUF?= =?us-ascii?Q?/FQw9nIwFUhpBtgPwjuIaytQ+K+S3/g6/BtS1Mz9A0OCMq5Q5CAI73HuhX+k?= =?us-ascii?Q?PJvf3d9X1MrPWbEQOR/La5bqJ2pwKNxBWeZ6m3t86G3T+whvdRyeaBQTI9Zk?= =?us-ascii?Q?/wREaM/C/PDptocp50RozvPKVji4L93rBhUb5pkRj0C++mjFcIF0H0Yrf79p?= =?us-ascii?Q?vCv28EPvOxnsWsDVm4nbhpIdD7caucOmqshXbL10U9jdJxwSM5PgkR7jNY6Z?= =?us-ascii?Q?E3bWAc4QiflPYMyjUEp9YvGPNb4qfoBZjeZbXUolHtQM99VRDQJY95wuwiwr?= =?us-ascii?Q?FCUzaeOW78twmoaAgVZOkIRJhmasGn7lTabpTtCinpT1lJf5DhFAj6IH7X1L?= =?us-ascii?Q?pvqNyGHLSKGJ4c02N+AfsItS8jGHCdnA33343DhsAN1mOGGB4E/WWAVCLAb3?= =?us-ascii?Q?ZFcAAy2o/LSV3fle5nwcnmIUkEj74SiynSySo+rDKO6nU6Hc6peReR7E6ahP?= =?us-ascii?Q?YcgxuQtAx35lGxw13FTUE9W4fS301jRn1/gnh9RIazaElS9ZRFLKjAvyZNfP?= =?us-ascii?Q?YarE+2klvEtOqxIbQcChAiMkfb3WUonpuwkQx/YdTmKXPaS9UhjPb9NZm36E?= =?us-ascii?Q?9lEv5EG4ego968aHQk7PbV7+hoXAiuSedVFCbQkfQC2al1KfzhNqEZjAyfm/?= =?us-ascii?Q?o9gjoHYsHWgxS+fp4qqX6AWwXAVfydW7KVwzL/5LzhU4KKtEp6brJ52KD7H0?= =?us-ascii?Q?k+PbsPKhwghpbRydAJaXiQMH+c13q7ogu03XKINgqPJRIUheqv70xbxhftL5?= =?us-ascii?Q?Mtw36BKshG+/A8jcIMgy7rKkIns/DaGzxLcCD+FLpKzV4a87Bxqb7x4tf/qX?= =?us-ascii?Q?9Oteyh7tpy79GlSVE9XOsr6/pB46cEAYATY2SNe9mZ5erpqrKVapYan+hQxJ?= =?us-ascii?Q?uHIFWU8mT1MgguLaM1OIT7WPdSd4QGSXnIXIam4nJfxK3KzMpN9Rv8zjJ9BZ?= =?us-ascii?Q?eqzjaWVrEJJ6evxTBUXB0sMNYpdujpEVqIU5HXeObURfhQ+uzHU4nGKtXw/5?= =?us-ascii?Q?hjNZK7UTIWCJ6kg1By1CvT5VyqNNmImXWsZUT6tyLjvbAVEUqXsInj4MLW0F?= =?us-ascii?Q?FTqlFGSFeQ=3D=3D?= X-OriginatorOrg: suse.com X-MS-Exchange-CrossTenant-Network-Message-Id: e5afd4a4-6989-4fa3-2229-08da17e3eace X-MS-Exchange-CrossTenant-AuthSource: DB8PR04MB7097.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Apr 2022 15:41:29.8550 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: f7a17af6-1c5c-4a36-aa8b-f5be247aa4ba X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: fmKKKphQucC3nS9hVpqyEbuEJuCDNLGAuJfVmvlh4vf0O/g8U3Cxn65N9GkuK8F6 X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR04MB4243 X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 15, 2022 at 08:39:38PM +0100, Michal Suchanek wrote: > commit d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically") > split of .system_keyring into .builtin_trusted_keys and > .secondary_trusted_keys broke kexec, thereby preventing kernels signed by > keys which are now in the secondary keyring from being kexec'd. > > Fix this by passing VERIFY_USE_SECONDARY_KEYRING to > verify_pefile_signature(). > > Cherry-picked from > commit ea93102f3224 ("Fix kexec forbidding kernels signed with keys in the secondary keyring to boot") > > Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") > Cc: kexec@lists.infradead.org > Cc: keyrings@vger.kernel.org > Cc: linux-security-module@vger.kernel.org > Cc: stable@kernel.org > Signed-off-by: Michal Suchanek Reviewed-by: "Lee, Chun-Yi" > --- > arch/arm64/kernel/kexec_image.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c > index 9ec34690e255..1fbf2ee7c005 100644 > --- a/arch/arm64/kernel/kexec_image.c > +++ b/arch/arm64/kernel/kexec_image.c > @@ -133,7 +133,8 @@ static void *image_load(struct kimage *image, > #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG > static int image_verify_sig(const char *kernel, unsigned long kernel_len) > { > - return verify_pefile_signature(kernel, kernel_len, NULL, > + return verify_pefile_signature(kernel, kernel_len, > + VERIFY_USE_SECONDARY_KEYRING, > VERIFYING_KEXEC_PE_SIGNATURE); > } > #endif > -- > 2.31.1