ACK: [SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Seth Forshee seth.forshee at canonical.com
Thu Oct 25 19:49:18 UTC 2018


On Wed, Oct 17, 2018 at 09:03:05PM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Yannik Sembritzki <yannik at sembritzki.me>
> 
> BugLink: https://bugs.launchpad.net/bugs/1798441
> 
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
> 
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
> 
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <yannik at sembritzki.me>
> Signed-off-by: David Howells <dhowells at redhat.com>
> Cc: kexec at lists.infradead.org
> Cc: keyrings at vger.kernel.org
> Cc: linux-security-module at vger.kernel.org
> Cc: stable at kernel.org
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>

Acked-by: Seth Forshee <seth.forshee at canonical.com>



