| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1547567218.4156.289.camel@linux.ibm.com>
Date: Tue, 15 Jan 2019 10:46:58 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Kairui Song <kasong@...hat.com>, linux-kernel@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org,
jwboyer@...oraproject.org, keyrings@...r.kernel.org,
jmorris@...ei.org, serge@...lyn.com, bauerman@...ux.ibm.com,
ebiggers@...gle.com, nayna@...ux.ibm.com, dyoung@...hat.com,
linux-integrity@...r.kernel.org, kexec@...ts.infradead.org
Subject: Re: [RFC PATCH v2 2/2] kexec, KEYS: Make use of platform keyring
for signature verify
On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
> diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> index 7d97e432cbbc..a06b04065bb1 100644
> --- a/arch/x86/kernel/kexec-bzimage64.c
> +++ b/arch/x86/kernel/kexec-bzimage64.c
> @@ -534,9 +534,18 @@ static int bzImage64_cleanup(void *loader_data)
> #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> {
> - return verify_pefile_signature(kernel, kernel_len,
> - VERIFY_USE_SECONDARY_KEYRING,
> - VERIFYING_KEXEC_PE_SIGNATURE);
> + int ret;
> + ret = verify_pefile_signature(kernel, kernel_len,
> + VERIFY_USE_SECONDARY_KEYRING,
> + VERIFYING_KEXEC_PE_SIGNATURE);
> +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
Consider using IS_ENABLED() or IS_BUILTIN().
Mimi
> + if (ret == -ENOKEY) {
> + ret = verify_pefile_signature(kernel, kernel_len,
> + VERIFY_USE_PLATFORM_KEYRING,
> + VERIFYING_KEXEC_PE_SIGNATURE);
> + }
> +#endif
> + return ret;
> }
> #endif
Powered by blists - more mailing lists