ACK: [SRU Bionic] Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

Seth Forshee seth.forshee at
Thu Oct 25 19:49:18 UTC 2018

On Wed, Oct 17, 2018 at 09:03:05PM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Yannik Sembritzki <yannik at>
> BugLink:
>
> The split of .system_keyring into .builtin_trusted_keys and
> .secondary_trusted_keys broke kexec, thereby preventing kernels signed by
> keys which are now in the secondary keyring from being kexec'd.
>
> Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
> verify_pefile_signature().
>
> Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
> Signed-off-by: Yannik Sembritzki <yannik at>
> Signed-off-by: David Howells <dhowells at>
> Cc: kexec at
> Cc: keyrings at
> Cc: linux-security-module at
> Cc: stable at
> Signed-off-by: Linus Torvalds <torvalds at>
> (backported from commit ea93102f32244e3f45c8b26260be77ed0cc1d16c)
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at>

Acked-by: Seth Forshee <seth.forshee at>
