On Tue, Jun 12, 2018 at 5:03 AM, Dave Young dyoung@redhat.com wrote:
Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load fails because kernel can not use any keys other than kernel builtin keyring. verify_pefile_signature() requires caller to pass 1UL as the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going with a Fedora fix same as what the module code does.
Latest upstream effort: https://www.spinics.net/lists/kernel/msg2825184.html
Signed-off-by: Dave Young dyoung@redhat.com
I would really like to hear David Howell's opinion on this before we consider carrying it. I have CCed him.
Thanks, Justin
kernel.spec | 3 ++ kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec index d5e16d7f..7a20da1e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch # rhbz 1431375 Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995 +Patch503: kexec-bzimage-verify-pe-signature-fix.patch
# END OF PATCH DEFINITIONS
%endif diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch new file mode 100644 index 00000000..866b74b9 --- /dev/null +++ b/kexec-bzimage-verify-pe-signature-fix.patch @@ -0,0 +1,32 @@ +From: Dave Young dyoung@redhat.com
+Fix kexec_file_load pefile signature verification
+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also +need pass 1UL to verify_pefile_signature so that secondary keys can be used.
+Fedora bug +https://bugzilla.redhat.com/show_bug.cgi?id=1470995
+Latest upstream effort is below: +https://www.spinics.net/lists/kernel/msg2825184.html
+Ideally this need an upstream fix, but since nobody response we can workaround +it like the module code did.
+Signed-off-by: Dave Young dyoung@redhat.com +---
- arch/x86/kernel/kexec-bzimage64.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c ++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c +@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
- static int bzImage64_verify_sig(const char *kernel, unsigned long
kernel_len)
- {
return verify_pefile_signature(kernel, kernel_len,
+- NULL, ++ (void *)1UL,
VERIFYING_KEXEC_PE_SIGNATURE);
- }
- #endif
-- 2.17.0 _______________________________________________ kernel mailing list -- kernel@lists.fedoraproject.org To unsubscribe send an email to kernel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@ lists.fedoraproject.org/message/RYRV32S4Z6F7WGR3BEIXVWOGX6XV3JSQ/