| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACPcB9e+TWK7s5ud_yNd4EiuFyM5hctAMqBSnOZzL3g03ryr_g@mail.gmail.com>
Date: Wed, 16 Jan 2019 00:48:46 +0800
From: Kairui Song <kasong@...hat.com>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
jwboyer@...oraproject.org, keyrings@...r.kernel.org,
jmorris@...ei.org, serge@...lyn.com, bauerman@...ux.ibm.com,
Eric Biggers <ebiggers@...gle.com>, nayna@...ux.ibm.com,
Dave Young <dyoung@...hat.com>,
linux-integrity <linux-integrity@...r.kernel.org>,
kexec@...ts.infradead.org
Subject: Re: [RFC PATCH v2 2/2] kexec, KEYS: Make use of platform keyring for
signature verify
On Tue, Jan 15, 2019 at 11:47 PM Mimi Zohar <zohar@...ux.ibm.com> wrote:
>
> On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
>
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
> > index 7d97e432cbbc..a06b04065bb1 100644
> > --- a/arch/x86/kernel/kexec-bzimage64.c
> > +++ b/arch/x86/kernel/kexec-bzimage64.c
> > @@ -534,9 +534,18 @@ static int bzImage64_cleanup(void *loader_data)
> > #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
> > static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
> > {
> > - return verify_pefile_signature(kernel, kernel_len,
> > - VERIFY_USE_SECONDARY_KEYRING,
> > - VERIFYING_KEXEC_PE_SIGNATURE);
> > + int ret;
> > + ret = verify_pefile_signature(kernel, kernel_len,
> > + VERIFY_USE_SECONDARY_KEYRING,
> > + VERIFYING_KEXEC_PE_SIGNATURE);
> > +#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>
> Consider using IS_ENABLED() or IS_BUILTIN().
>
> Mimi
Thanks for the suggestion, will update the patch later if there are no
other comments.
>
> > + if (ret == -ENOKEY) {
> > + ret = verify_pefile_signature(kernel, kernel_len,
> > + VERIFY_USE_PLATFORM_KEYRING,
> > + VERIFYING_KEXEC_PE_SIGNATURE);
> > + }
> > +#endif
> > + return ret;
> > }
> > #endif
>
--
Best Regards,
Kairui Song
Powered by blists - more mailing lists