
Commit ea93102f authored by Yannik Sembritzki, committed by Linus Torvalds

Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe841 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 817aef26
+1 −1
@@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data)
static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
{
	return verify_pefile_signature(kernel, kernel_len,
				       NULL,
				       VERIFY_USE_SECONDARY_KEYRING,
				       VERIFYING_KEXEC_PE_SIGNATURE);
}
#endif
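Review bot: The one-line change in bzImage64_verify_sig() (the +1 −1 diffstat) swaps the NULL trusted_keys argument on line 536 for VERIFY_USE_SECONDARY_KEYRING on line 537, which widens the set of keys that can authorize a kexec image from the compiled-in keys to anything present in .secondary_trusted_keys at the time of the call; the commit message should say explicitly that this runtime-extensible trust boundary is intended for kexec, since the Fixes: tag and the "broke kexec" wording describe it only as a regression repair. A presentation caveat for readers of this rendered view: the -/+ markers have been stripped, so lines 536 and 537 look like two consecutive arguments when in fact 536 is the removed line and 537 its replacement, leaving the call with its original four arguments.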