On Thu, Aug 16, 2018 at 09:11:06AM +0800, Dave Young wrote: > On 08/16/18 at 12:07am, Yannik Sembritzki wrote: > > Signed-off-by: Yannik Sembritzki <yan...@sembritzki.me> > > --- > > arch/x86/kernel/kexec-bzimage64.c | 2 +- > > certs/system_keyring.c | 3 ++- > > crypto/asymmetric_keys/pkcs7_key_type.c | 2 +- > > include/linux/verification.h | 3 +++ > > 4 files changed, 7 insertions(+), 3 deletions(-) > > > > diff --git a/arch/x86/kernel/kexec-bzimage64.c > > b/arch/x86/kernel/kexec-bzimage64.c > > index 74628275..97d199a3 100644 > > --- a/arch/x86/kernel/kexec-bzimage64.c > > +++ b/arch/x86/kernel/kexec-bzimage64.c > > @@ -532,7 +532,7 @@ static int bzImage64_cleanup(void *loader_data) > > static int bzImage64_verify_sig(const char *kernel, unsigned long > > kernel_len) > > { > > return verify_pefile_signature(kernel, kernel_len, > > - ((struct key *)1UL), > > + TRUST_SECONDARY_KEYRING, > > Instead of fix your 1st patch in 2nd patch, I would suggest to > switch the patch order. In 1st patch change the common code to use > the new macro and in 2nd patch you can directly fix the kexec code > with TRUST_SECONDARY_KEYRING.
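Review bot: the commit message for this change carries only a Signed-off-by line, so nothing records why the `((struct key *)1UL)` argument to verify_pefile_signature() in bzImage64_verify_sig() becomes TRUST_SECONDARY_KEYRING. Please add a changelog that says what the macro stands for and whether this substitution is meant to change which keyring kexec verification trusts or only to give the magic cast a name. The diffstat lists 3 insertions in include/linux/verification.h, but that definition is not visible next to this hunk, so a reader of this file alone cannot tell which it is.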
I agree. It looks cleaner for the first patch to change the common code and introduce the macro to replace 1UL. And the second patch makes use of that macro in kexec bzImage64 verification.

Thanks
Vivek