Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7c439bc2 authored by Yannik Sembritzki's avatar Yannik Sembritzki Committed by Greg Kroah-Hartman
Browse files

Fix kexec forbidding kernels signed with keys in the secondary keyring to boot 



commit ea93102f32244e3f45c8b26260be77ed0cc1d16c upstream.

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe841 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: default avatarYannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 40b08cda
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment