Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2400768rwb; Sat, 24 Sep 2022 07:46:59 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5dz2VJxFChMLkhRRzaD+Bn+lK/O+gYTL7cLp0/pjai8fmRhQmC0cx8BgDMFPkh0qPH10GD X-Received: by 2002:a17:906:5a71:b0:770:8625:489e with SMTP id my49-20020a1709065a7100b007708625489emr11441774ejc.405.1664030818975; Sat, 24 Sep 2022 07:46:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664030818; cv=none; d=google.com; s=arc-20160816; b=YE1ajb3bxv3n/ld8VRcFNDARk80J+Mh5zrsArDZYC/sOL6L1H1FgeAEE/KgDJSh9ni eoi1bOZhLM43ibPZdBkBIWXZ6bYxqT/UEQwBqhNaNAvCuj1ltq4rJYBZKjLnA1DpC2Ga rwx6BqKCYFrQg+5u96MrsL42kbyxEXfrcr/F1AXYUYM/rsDMhXaz6XwJ2weu/Y0CmQ8R TXUWL+TBZHrzZQHP5zlgJaW46+GugKYDj6SVRD4RF4XOYSDNQ/B/1Q7nR3fi5cNLQOdZ NB8tpkVjdsqaEwCLhN4K88h1kbuTmnVYeAuliE9NBvcp4f6Gnko7AmYmLMXQaFc2WAAK EFGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-signature; bh=ldCH7q8JyvLEKaktegyDOVQARi1eF2vv5KGzrW1iCKE=; b=yFxsIEBs5ETpz+if2QrjcvermCMTlM3Akjo0842Pwz8EahcP+ieCn3PcBbeY8h6x6V /0hc20VLYG9+3KDWbC3oLTDywueVD1ZYW1K0TGaK4L+Wfwt71cLCyuazMnDMkm2TNNa4 d1sbrskVsKh33cmxLRKCqEs8KG57rQvbLC1u0qJ/wfazntTXinGlMZTyVJoPjg9GSKsg 9ofxqBC+lw9CyI4Prge5wCA//PbXOQhD9uWcvQDa9h7E94+EFd0TutWH4Hxqnux7IVet +m+tk5YBDQous4TLXnjmPF+buAvsSq98GsuiWn3YXagKvqks6WsllIxVWxmHJcBhG6Wr 7Kjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=ZYYExhvh; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519 header.b=LwyQx+Mw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q17-20020a056402249100b004571d72417fsi113884eda.308.2022.09.24.07.46.33; Sat, 24 Sep 2022 07:46:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=ZYYExhvh; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519 header.b=LwyQx+Mw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233437AbiIXOoP (ORCPT + 99 others); Sat, 24 Sep 2022 10:44:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54548 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229515AbiIXOoN (ORCPT ); Sat, 24 Sep 2022 10:44:13 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E8E3B31DFE; Sat, 24 Sep 2022 07:44:08 -0700 (PDT) Received: from relay2.suse.de (relay2.suse.de [149.44.160.134]) by smtp-out1.suse.de (Postfix) with ESMTP id 854FE21880; Sat, 24 Sep 2022 14:44:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1664030646; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ldCH7q8JyvLEKaktegyDOVQARi1eF2vv5KGzrW1iCKE=; b=ZYYExhvhe3hvVYy4oVk/eFH8gYNpGCko5Ihe7Zb9d4XHzj0gN+cbmJ5znD+HxwJBv4rbaf xOAiTy+7OSutCerOOUzrNf7vSiurU7B6noAUxrtuNDY8e/xv8++TCq4sPot33lF0rn5bY3 j5D7iIgKtKQkzwHDFuKS1s7nX1iR+bg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1664030646; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ldCH7q8JyvLEKaktegyDOVQARi1eF2vv5KGzrW1iCKE=; b=LwyQx+Mw9MIzMldTchSCV/M9BlwXBCMS+77FXL0rg1zfTVtmjUy+KUTCczSeB7Oi5a4eGF DV0wxb7/VTheveCg== Received: from kitsune.suse.cz (kitsune.suse.cz [10.100.12.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by relay2.suse.de (Postfix) with ESMTPS id 2218E2C172; Sat, 24 Sep 2022 14:44:05 +0000 (UTC) Date: Sat, 24 Sep 2022 16:44:03 +0200 From: Michal =?iso-8859-1?Q?Such=E1nek?= To: Mimi Zohar Cc: Dave Hansen , Alexander Egorenkov , keyrings@vger.kernel.org, Paul Mackerras , "H. Peter Anvin" , Alexander Gordeev , Will Deacon , Sasha Levin , "open list:S390" , Coiby Xu , Baoquan He , AKASHI Takahiro , "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" , Christian Borntraeger , Ingo Molnar , Catalin Marinas , "Naveen N. Rao" , Eric Biederman , Vasily Gorbik , Heiko Carstens , Borislav Petkov , Thomas Gleixner , "moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)" , Philipp Rudo , " open list:KEXEC" , linux-kernel@vger.kernel.org, stable@vger.kernel.org, linux-security-module@vger.kernel.org, James Morse , Sven Schnelle , Greg Kroah-Hartman , Andrew Morton , "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" Subject: Re: [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies Message-ID: <20220924144403.GA28810@kitsune.suse.cz> References: <67337b60a4d3cae00794d3cfd0e5add9899f18b7.camel@linux.ibm.com> <20220923191650.GX28810@kitsune.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20220923191650.GX28810@kitsune.suse.cz> User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 23, 2022 at 09:16:50PM +0200, Michal Such?nek wrote: > Hello, > > On Fri, Sep 23, 2022 at 03:03:36PM -0400, Mimi Zohar wrote: > > On Fri, 2022-09-23 at 19:10 +0200, Michal Suchanek wrote: > > > Hello, > > > > > > this is backport of commit 0d519cadf751 > > > ("arm64: kexec_file: use more system keyrings to verify kernel image signature") > > > to table 5.15 tree including the preparatory patches. > > > > > > Some patches needed minor adjustment for context. > > > > In general when backporting this patch set, there should be a > > dependency on backporting these commits as well. In this instance for > > linux-5.15.y, they've already been backported. > > > > 543ce63b664e ("lockdown: Fix kexec lockdown bypass with ima policy") AFAICT this is everywhere relevant, likely because it's considered a CVE fix. > > af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") This is missing in 5.4, and 5.4 is missing this prerequisite: fd7af71be542 ("kexec: do not verify the signature without the lockdown or mandatory signature") > > Thanks for bringing these up. It might be in general useful to backport > these fixes as well. > > However, this patchset does one very specific thing: it lifts the x86 > kexec_file signature verification to arch-independent and uses it on > arm64 to unify all features (and any existing warts) between EFI > architectures. > > So unless I am missing something the fixes you pointed out are > completely independent of this. > > Thanks > > Michal