Received: by 2002:a05:6a10:144:0:0:0:0 with SMTP id 4csp76085pxw; Fri, 8 Apr 2022 01:15:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjk4P6KJBGGQS1oTA6SfUeF1O7VDofhMHUSfg3tFWWDwQnBwAWks0QZwMFQ4iROuNuqw6E X-Received: by 2002:a17:903:1247:b0:156:25b4:4206 with SMTP id u7-20020a170903124700b0015625b44206mr18244115plh.146.1649405709169; Fri, 08 Apr 2022 01:15:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649405709; cv=none; d=google.com; s=arc-20160816; b=SAK+/FX6bRpjQj32eJcIx8vMEzklWrIVedDbWyLXZF6iLazhMZ54Jkq2DUV+NLPGRh 3kStu84LFKszptIEZUfPcRfDBiJd0PH2a49eryZCGZpXyv1ZQkpNmItPB1I8kGBlOKQa yRvEm3s3P0IRa84iE7h/6QvUwmYW2zyITOXJUDsiZ2GiBlHcu7uUWoFED6oP2ojkDhxu woBizKOx3h90D4lSH39nRm5eBxe6WSxTYRGSPXhH6yAoj9nPAPDjKSWYyuRSixjdiodI If/2rKpTTYUf8XNXk3IBoTHA9p2BX3C+z/i5Aoe0FzFHXj+U8+I5iN2eItZBC3RzkMRz r6cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=g9nCNxmKb6VL/bN0CRtBOBvo2QBXMAIr2GAVqDlq1GI=; b=TwTjXO8OxupnhHBa5Tpr/PwfaDEk59PglChMUaWUn5QgrEzISFBnubjWlcFNSTnuGl 1dSTXD+9NDQr3zC4nPxceKQm65dDFItnraKO0jeHFIo5NnCT5bDI982KZwk+kz+EoiFp m/yAP5ezXInjoG5ZH8KsUKGW5IJhqjP31DSJvb58k09qYHK48/5lSUPiI/UM8ZkizNAZ TwKxnrBKwq41L3YzVyIaoV0bHW7yGqY4YxCh1b5NAZn6Nm6dZR6wIeZJtF26VTWxcVgu sj3UaN720ZLjTj3ESirCBcdBSzF6MEwdvoPubwNDT2zgTfgRWKvHRIQPauA6kOgLcAF5 0YXg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Sh6cd9vs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id n4-20020a170902d2c400b001568bc04b41si262936plc.147.2022.04.08.01.15.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 08 Apr 2022 01:15:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Sh6cd9vs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E9F2F1A773C; Fri, 8 Apr 2022 00:47:54 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229925AbiDHHt1 (ORCPT + 99 others); Fri, 8 Apr 2022 03:49:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229471AbiDHHt0 (ORCPT ); Fri, 8 Apr 2022 03:49:26 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7316865E8 for ; Fri, 8 Apr 2022 00:47:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1649404042; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=g9nCNxmKb6VL/bN0CRtBOBvo2QBXMAIr2GAVqDlq1GI=; b=Sh6cd9vscKhn0fr0FSPoz7X7Iy4TK41fkpDZ0Jsfi6XZhY9Z+SOclU/qSj0SVZwiYbflsJ rAjdmlIiyXfddBDJEfgFSuu2/ZOZtEFyD8ywf7J6RjonrB/ygydwEFNDgGxSqiL+NOjI1G vsT87zPYFVHQmegLZmwgvKgndiuCLs4= Received: from mail-pj1-f72.google.com (mail-pj1-f72.google.com [209.85.216.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-606-9I08KkKXPtSEGKqS4M2WtA-1; Fri, 08 Apr 2022 03:47:21 -0400 X-MC-Unique: 9I08KkKXPtSEGKqS4M2WtA-1 Received: by mail-pj1-f72.google.com with SMTP id v9-20020a17090a7c0900b001cb45f88cdcso505257pjf.0 for ; Fri, 08 Apr 2022 00:47:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=g9nCNxmKb6VL/bN0CRtBOBvo2QBXMAIr2GAVqDlq1GI=; b=nJ5lgj9IazA0umQt2OFHCaXB2fK4dnwsTItFB6QSqkoI7MJdBOsNDS00UNUnxFeA2T /gkUeoQ2dynJroOmrT3UbbX3R9XwfCPxXJhthY0ifcBXywyumrPEeDNFQBwSrc5A89+2 OXjmkOmoepDg+UILRNT72dihJVFfBVKW8ouaVJRNc30wfmgcrLVEFKj5r5FRuBjzIZjN jTXgGUiS+WsclUP4yeZFA4cEF12lFfb9zJcEKiy+mWThdNGu1aYg4YLJ1aKY7nal2KsS tCx0q2cYIcNpTNvIwVn/5Qvce8UYRx58Q4Zg+KWF30A/R6HMROq3HbGCxsAgmeFC6Agn eO6Q== X-Gm-Message-State: AOAM533iq4KqelZHCeHZwchdLFySPyrAuSWGHjO4upU2MAm2Jo1xusUY 46o9xjTiihDWBHCNXkgkiiIE8XM5w8UqNcKiHJQHCYxQAqjuCJ4YLtKBpdi1hO1dSbbigBUaKVg HcjInczTnmvD/wZUXb/htB4Lp X-Received: by 2002:a17:903:124a:b0:154:c7a4:9375 with SMTP id u10-20020a170903124a00b00154c7a49375mr17953386plh.0.1649404039947; Fri, 08 Apr 2022 00:47:19 -0700 (PDT) X-Received: by 2002:a17:903:124a:b0:154:c7a4:9375 with SMTP id u10-20020a170903124a00b00154c7a49375mr17953360plh.0.1649404039614; Fri, 08 Apr 2022 00:47:19 -0700 (PDT) Received: from localhost ([240e:3a1:31c:360:52fc:c968:cb41:efbc]) by smtp.gmail.com with ESMTPSA id x38-20020a056a0018a600b004fafd05ac3fsm25584490pfh.37.2022.04.08.00.47.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 08 Apr 2022 00:47:19 -0700 (PDT) Date: Fri, 8 Apr 2022 15:47:04 +0800 From: Coiby Xu To: Michal Suchanek Cc: Catalin Marinas , Will Deacon , Heiko Carstens , Vasily Gorbik , "Lee, Chun-Yi" , Alexander Gordeev , Christian Borntraeger , Sven Schnelle , Philipp Rudo , Baoquan He , Alexander Egorenkov , AKASHI Takahiro , James Morse , Dave Young , Mimi Zohar , Kairui Song , Martin Schwidefsky , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, kexec@lists.infradead.org Subject: Re: [PATCH 0/4] Unifrom keyring support across architectures and functions Message-ID: <20220408074704.wkyyv2qnx66iinzo@Rk> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Michal, As mentioned by Baoquan, I have a patch set "[PATCH v5 0/3] use more system keyrings to verify arm64 kdump kernel image signature" [1]. The differences between your patch set and mine are as follows, - my patch set only adds support for arm64 while yours also extends to s390 - I made the code for verifying signed kernel image as PE file in x86 public so arm64 can reuse the code as well which seems to be better approach - I also cleaned up clean up arch_kexec_kernel_verify_sig Would you mind if I integrate your first 3 patches with mine as follows - for arm64, I'll use my version - for s390, I'll use your version For your last patch which allows to use of platform keyring for signature verification of kernel module, I'll leave it to yourself. How do you think about it? [1] https://lore.kernel.org/all/20220401013118.348084-1-coxu@redhat.com/ On Tue, Feb 15, 2022 at 08:39:37PM +0100, Michal Suchanek wrote: >While testing KEXEC_SIG on powerpc I noticed discrepancy in support for >different keyrings across architectures and between KEXEC_SIG and >MODULE_SIG. Fix this by enabling suport for the missing keyrings. > >The latter two patches obviously conflict with the ongoing module code >cleanup. If they turn out desirable I will add them to the other series >dealing with KEXEC_SIG. > >The arm patches can be merged independently. > >Thanks > >Michal > >Michal Suchanek (4): > Fix arm64 kexec forbidding kernels signed with keys in the secondary > keyring to boot > kexec, KEYS, arm64: Make use of platform keyring for signature > verification > kexec, KEYS, s390: Make use of built-in and secondary keyring for > signature verification > module, KEYS: Make use of platform keyring for signature verification > > arch/arm64/kernel/kexec_image.c | 13 +++++++++++-- > arch/s390/kernel/machine_kexec_file.c | 18 +++++++++++++----- > kernel/module_signing.c | 14 ++++++++++---- > 3 files changed, 34 insertions(+), 11 deletions(-) > >-- >2.31.1 > -- Best regards, Coiby