I've written two patches for (a) the logical change of allowing kernels signed with keys in the secondary keyring to be kexec'd (b) the refactoring of the magic 1UL Linus requested.
Yannik Sembritzki (2): Fix kexec forbidding kernels signed with keys in the secondary keyring to boot Replace magic for trusting the secondary keyring with #define arch/x86/kernel/kexec-bzimage64.c | 2 +- certs/system_keyring.c | 3 ++- crypto/asymmetric_keys/pkcs7_key_type.c | 2 +- include/linux/verification.h | 4 ++++ 4 files changed, 8 insertions(+), 3 deletions(-) -- 2.17.1