Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7c439bc2 authored by Yannik Sembritzki's avatar Yannik Sembritzki Committed by Greg Kroah-Hartman
Browse files

Fix kexec forbidding kernels signed with keys in the secondary keyring to boot 



commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream.

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe841 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: default avatarYannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 40b08cda

arch/x86/kernel/kexec-bzimage64.c

+1 −1
Original line number Diff line number Diff line
@@ -529,7 +529,7 @@ static int bzImage64_cleanup(void *loader_data) 
static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)

{

	return verify_pefile_signature(kernel, kernel_len,

				       NULL,

				       VERIFY_USE_SECONDARY_KEYRING,

				       VERIFYING_KEXEC_PE_SIGNATURE);

}

#endif