Date: Thu, 14 Apr 2022 19:59:30 +0200
From: Michal Suchánek
To: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: How to list keys used for kexec
Message-ID: <20220414175930.GM163591@kunlun.suse.cz>

Hello,

apparently modules are verified by keys from 'secondary' keyring on all platforms.

If you happen to know that it's this particular keyring, and know how to list keyrings recursively you can find the keys that are used for verifying modules.

However, for kexec we have

 - primary keyring on aarch64
 - platform keyring on s390
 - secondary AND platform keyring on x86

How is a user supposed to know which keys are used for kexec image verification?

There is an implicit keyring that is ad-hoc constructed by the code that does the kexec verification but there is no key list observable from userspace that corresponds to this ad-hoc keyring only known to the kexec code.

Can the kernel make the information which keys are used for what purpose available to the user?

Thanks

Michal
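
Added example, not part of the original message and not kernel or keyutils code: a shell version of the manual lookup the message describes, using the per-architecture keyrings exactly as the message lists them. It assumes "primary" and "secondary" mean the kernel keyrings named .builtin_trusted_keys and .secondary_trusted_keys and that keyctl from keyutils is installed; the function names and the sample /proc/keys text are constructed for the example.

```shell
#!/bin/sh
# Keyrings used to verify a kexec image, per architecture, exactly as listed in
# the message above. Assumption: "primary" = .builtin_trusted_keys and
# "secondary" = .secondary_trusted_keys (the kernel's names for those keyrings).
kexec_keyrings() {
    case "$1" in
        aarch64|arm64) echo ".builtin_trusted_keys" ;;
        s390|s390x)    echo ".platform" ;;
        x86_64|i?86)   echo ".secondary_trusted_keys .platform" ;;
        *)             return 1 ;;   # architecture not covered by the message
    esac
}

# Read /proc/keys-format text on stdin and print the serial of the named keyring.
# Columns: serial flags usage expiry perm uid gid type description: summary
keyring_serial() {
    awk -v name="$1:" '$8 == "keyring" && $9 == name { print $1; exit }'
}

# Show the key tree of every keyring mapped to this architecture.
# Usually needs root; requires keyctl from keyutils.
list_kexec_keys() {
    arch=${1:-$(uname -m)}
    rings=$(kexec_keyrings "$arch") || {
        echo "no keyring mapping known for $arch" >&2
        return 1
    }
    for ring in $rings; do
        serial=$(keyring_serial "$ring" < /proc/keys)
        if [ -z "$serial" ]; then
            echo "$ring: not visible in /proc/keys"
            continue
        fi
        echo "== $ring (serial $serial) =="
        keyctl show "%:$ring"
    done
}

# Constructed sample of /proc/keys output, for trying keyring_serial offline.
SAMPLE_PROC_KEYS='0a3f5c21 I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 2
1d77e0b9 I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 1
2b1c9d04 I------     1 perm 1f0b0000     0     0 keyring   .platform: 3
3c5a11ee I------     1 perm 1f010000     0     0 asymmetri Constructed example signing key: 0011aabb: X509.rsa 0011aabb []'
```

On a live system, source the file and run list_kexec_keys as root; the mapping is hard-coded from the message, so it has to be rechecked against the kernel version in use.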