Re: [PATCH v8 3/4] arm64: kexec_file: use more system keyrings to verify kernel image signature

2022-06-09 Thread Mimi Zohar
On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
> Currently, a problem faced by arm64 is if a kernel image is signed by a
> MOK key, loading it via the kexec_file_load() system call would be
> rejected with the error "Lockdown: kexec: kexec of unsigned images is
> restricted; see man

Re: [PATCH v8 2/4] kexec, KEYS: make the code in bzImage64_verify_sig generic

2022-06-09 Thread Mimi Zohar
Hi Coiby,
On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
> commit 278311e417be ("kexec, KEYS: Make use of platform keyring for
> signature verify") adds platform keyring support on x86 kexec but not
> arm64.
>
> The code in bzImage64_verify_sig makes use of system keyrings including
>

Re: [PATCH v8 1/4] kexec: clean up arch_kexec_kernel_verify_sig

2022-06-09 Thread Mimi Zohar
On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote: > kimage_validate_signature(struct kimage *image) > { > int ret; > > - ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, > - image->kernel_buf_len); > + ret =

Re: [PATCH v8 0/4] use more system keyrings to verify arm64 and s390 kexec kernel image signature

2022-06-09 Thread Mimi Zohar
Hi Coiby,
On Fri, 2022-05-27 at 21:43 +0800, Coiby Xu wrote:
> It seems I need to only change cover letter and commit message i.e.
> there is no concern about the code. So it's better to provide a
> new cover letter here to collect new feedback from you thus we
> can avoid unnecessary rounds of