lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Sep 2022 21:16:50 +0200 From: Michal Suchánek <msuchanek@...e.de> To: Mimi Zohar <zohar@...ux.ibm.com> Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org, Heiko Carstens <hca@...ux.ibm.com>, Vasily Gorbik <gor@...ux.ibm.com>, Christian Borntraeger <borntraeger@...ibm.com>, Alexander Gordeev <agordeev@...ux.ibm.com>, Sven Schnelle <svens@...ux.ibm.com>, Philipp Rudo <prudo@...hat.com>, Sasha Levin <sashal@...nel.org>, Baoquan He <bhe@...hat.com>, Alexander Egorenkov <egorenar@...ux.ibm.com>, "open list:S390" <linux-s390@...r.kernel.org>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Michael Ellerman <mpe@...erman.id.au>, Benjamin Herrenschmidt <benh@...nel.crashing.org>, Paul Mackerras <paulus@...ba.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Eric Biederman <ebiederm@...ssion.com>, "Naveen N. Rao" <naveen.n.rao@...ux.vnet.ibm.com>, Andrew Morton <akpm@...ux-foundation.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "moderated list:ARM64 PORT (AARCH64 ARCHITECTURE)" <linux-arm-kernel@...ts.infradead.org>, "open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" <linuxppc-dev@...ts.ozlabs.org>, "open list:KEXEC" <kexec@...ts.infradead.org>, Coiby Xu <coxu@...hat.com>, keyrings@...r.kernel.org, linux-security-module@...r.kernel.org, James Morse <james.morse@....com>, AKASHI Takahiro <takahiro.akashi@...aro.org> Subject: Re: [PATCH 5.15 0/6] arm64: kexec_file: use more system keyrings to verify kernel image signature + dependencies Hello, On Fri, Sep 23, 2022 at 03:03:36PM -0400, Mimi Zohar wrote: > On Fri, 2022-09-23 at 19:10 +0200, Michal Suchanek wrote: > > Hello, > > > > this is backport of commit 0d519cadf751 > > ("arm64: kexec_file: use more system keyrings to verify kernel image signature") > > to table 5.15 tree including the preparatory patches. > > > > Some patches needed minor adjustment for context. > > In general when backporting this patch set, there should be a > dependency on backporting these commits as well. In this instance for > linux-5.15.y, they've already been backported. > > 543ce63b664e ("lockdown: Fix kexec lockdown bypass with ima policy") > af16df54b89d ("ima: force signature verification when CONFIG_KEXEC_SIG is configured") Thanks for bringing these up. It might be in general useful to backport these fixes as well. However, this patchset does one very specific thing: it lifts the x86 kexec_file signature verification to arch-independent and uses it on arm64 to unify all features (and any existing warts) between EFI architectures. So unless I am missing something the fixes you pointed out are completely independent of this. Thanks Michal
Powered by blists - more mailing lists