Date: Fri, 23 Sep 2022 21:16:50 +0200
From: Michal Suchánek
To: Mimi Zohar
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Heiko Carstens, Vasily Gorbik, Christian Borntraeger, Alexander Gordeev, Sven Schnelle, Philipp Rudo, Sasha Levin, Baoquan He, Alexander Egorenkov, "open list:S390", Catalin Marinas, Will Deacon, Michael Ellerman, Benjamin Herrenschmidt, Paul Mackerras, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", "H. Peter Anvin", Eric Biederman, "Naveen N. Rao", Andrew Morton, Greg Kroah-Hartman, "moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)", "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)", "open list:KEXEC", Coiby Xu, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, James Morse, AKASHI Takahiro
Subject: Re: [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies
Message-ID: <20220923191650.GX28810@kitsune.suse.cz>
References: <67337b60a4d3cae00794d3cfd0e5add9899f18b7.camel@linux.ibm.com>
In-Reply-To: <67337b60a4d3cae00794d3cfd0e5add9899f18b7.camel@linux.ibm.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

On Fri, Sep 23, 2022 at 03:03:36PM -0400, Mimi Zohar wrote:
> On Fri, 2022-09-23 at 19:10 +0200, Michal Suchanek wrote:
> > Hello,
> >
> > this is a backport of commit 0d519cadf751
> > ("arm64: kexec_file: use more system keyrings to verify kernel image signature")
> > to the stable 5.15 tree including the preparatory patches.
> >
> > Some patches needed minor adjustment for context.
>
> In general when backporting this patch set, there should be a
> dependency on backporting these commits as well. In this instance for
> linux-5.15.y, they've already been backported.
>
> 543ce63b664e ("lockdown: Fix kexec lockdown bypass with ima policy")
> af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured")

Thanks for bringing these up. It might be in general useful to backport these
fixes as well.

However, this patchset does one very specific thing: it lifts the x86
kexec_file signature verification to arch-independent and uses it on arm64 to
unify all features (and any existing warts) between EFI architectures.

So unless I am missing something the fixes you pointed out are completely
independent of this.

Thanks

Michal