ACK/Cmnt: [SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Stefan Bader stefan.bader at canonical.com
Tue Nov 6 10:35:36 UTC 2018 

On 18.10.18 02:03, Thadeu Lima de Souza Cascardo wrote:
> From: Yannik Sembritzki <yannik at sembritzki.me>
> 
> BugLink: https://bugs.launchpad.net/bugs/1798441
> 
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
> 
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
> 
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <yannik at sembritzki.me>
> Signed-off-by: David Howells <dhowells at redhat.com>
> Cc: kexec at lists.infradead.org
> Cc: keyrings at vger.kernel.org
> Cc: linux-security-module at vger.kernel.org
> Cc: stable at kernel.org
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
> ---

Verified that the used pointer is indeed the definition of
VERIFY_USE_SECONDARY_KEYRING in Cosmic (changed state of the bug report to fix
released for devel as this had been applied to Cosmic before release) and also
verified that the verification counter-part has a check for (void *)1UL to match.

-Stefan
>  arch/x86/kernel/kexec-bzimage64.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7722b08db6a4..57abde6e3475 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loader_data)
>  static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
>  {
>  	return verify_pefile_signature(kernel, kernel_len,
> -				       NULL,
> +				       ((struct key *)1UL),
>  				       VERIFYING_KEXEC_PE_SIGNATURE);
>  }
>  #endif
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20181106/38b08056/attachment.sig>

More information about the kernel-team mailing list