Fedora bug
https://bugzilla.redhat.com/show_bug.cgi?id=1470995
With Fedora kernels on Secure Boot enabled machine kexec_file_load
fails because kernel can not use any keys other than kernel builtin
keyring. verify_pefile_signature() requires caller to pass 1UL as
the keyring pointer to use other keyring.
Posted a fix in upstream, but no response for long time. Thus going
with a Fedora fix same as what the module code does.
Latest upstream effort:
https://www.spinics.net/lists/kernel/msg2825184.html
Signed-off-by: Dave Young <dyoung(a)redhat.com>
---
kernel.spec | 3 ++
kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch
diff --git a/kernel.spec b/kernel.spec
index d5e16d7f..7a20da1e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch
# rhbz 1431375
Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch
+# rhbz 1470995
+Patch503: kexec-bzimage-verify-pe-signature-fix.patch
+
# END OF PATCH DEFINITIONS
%endif
diff --git a/kexec-bzimage-verify-pe-signature-fix.patch
b/kexec-bzimage-verify-pe-signature-fix.patch
new file mode 100644
index 00000000..866b74b9
--- /dev/null
+++ b/kexec-bzimage-verify-pe-signature-fix.patch
@@ -0,0 +1,32 @@
+From: Dave Young <dyoung(a)redhat.com>
+
+Fix kexec_file_load pefile signature verification
+
+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also
+need pass 1UL to verify_pefile_signature so that secondary keys can be used.
+
+Fedora bug
+https://bugzilla.redhat.com/show_bug.cgi?id=1470995
+
+Latest upstream effort is below:
+https://www.spinics.net/lists/kernel/msg2825184.html
+
+Ideally this need an upstream fix, but since nobody response we can workaround
+it like the module code did.
+
+Signed-off-by: Dave Young <dyoung(a)redhat.com>
+---
+ arch/x86/kernel/kexec-bzimage64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c
++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c
+@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade
+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+ {
+ return verify_pefile_signature(kernel, kernel_len,
+- NULL,
++ (void *)1UL,
+ VERIFYING_KEXEC_PE_SIGNATURE);
+ }
+ #endif
--
2.17.0