Hi Alexandre, Nick:
On Wed, Oct 6, 2021 at 11:15 AM Alexandre Ghiti
wrote:
>
> Hi Nick,
>
> On Tue, Oct 5, 2021 at 4:07 PM Alexandre Ghiti
> wrote:
> >
> > On Tue, Oct 5, 2021 at 2:15 PM Nick Kossifidis wrote:
> > >
> > > Hello all,
> > >
> > > I've uploaded my kexec-tools patches for riscv on
From: Michal Suchanek
[ Upstream commit 0828c4a39be57768b8788e8cbd0d84683ea757e5 ]
commit e23a8020ce4e ("s390/kexec_file: Signature verification prototype")
adds support for KEXEC_SIG verification with keys from platform keyring
but the built-in keys and secondary keyring are not used.
Add supp
From: Coiby Xu
commit 0d519cadf75184a24313568e7f489a7fc9b1be3b upstream.
Currently, when loading a kernel image via the kexec_file_load() system
call, arm64 can only use the .builtin_trusted_keys keyring to verify
a signature whereas x86 can use three more keyrings i.e.
.secondary_trusted_keys,
From: Coiby Xu
commit c903dae8941deb55043ee46ded29e84e97cd84bb upstream.
commit 278311e417be ("kexec, KEYS: Make use of platform keyring for
signature verify") adds platform keyring support on x86 kexec but not
arm64.
The code in bzImage64_verify_sig uses the keys on the
.builtin_trusted_keys,
This is a note to let you know that I've just added the patch titled
kexec, KEYS: make the code in bzImage64_verify_sig generic
to the 5.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
This is a note to let you know that I've just added the patch titled
arm64: kexec_file: use more system keyrings to verify kernel image signature
to the 5.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename
This is a note to let you know that I've just added the patch titled
kexec, KEYS: make the code in bzImage64_verify_sig generic
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
This is a note to let you know that I've just added the patch titled
arm64: kexec_file: use more system keyrings to verify kernel image signature
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename
This is a note to let you know that I've just added the patch titled
kexec, KEYS: make the code in bzImage64_verify_sig generic
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
This is a note to let you know that I've just added the patch titled
arm64: kexec_file: use more system keyrings to verify kernel image signature
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename
This is a note to let you know that I've just added the patch titled
kexec, KEYS: make the code in bzImage64_verify_sig generic
to the 5.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
This is a note to let you know that I've just added the patch titled
arm64: kexec_file: use more system keyrings to verify kernel image signature
to the 5.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename
On 17/08/2022 19:19, Borislav Petkov wrote:
> On Wed, Aug 17, 2022 at 07:09:26PM -0300, Guilherme G. Piccoli wrote:
>> Again - a matter of a trade-off, a good compromise must be agreed by all
>> parties (kdump maintainers are usually extremely afraid of taking risks
>> to not break kdump).
>
> Rig
On 17/08/2022 14:31, Borislav Petkov wrote:
> [...]
>
> How does the fact that kdump is loaded, obviate the need to print
> information about the errors?
>
> Are you suggesting that people who have the whole vmcore would be able
> to piece together the error information?
>
Hi Boris, thanks for
On 17/08/2022 19:00, Borislav Petkov wrote:
> On Wed, Aug 17, 2022 at 06:56:11PM -0300, Guilherme G. Piccoli wrote:
>> But do you agree that currently, in case of a kdump, that information
>> *is not collected*, with or without my patch?
>
> If for some reason that panic notifier does not get run
On 17/08/2022 18:46, Borislav Petkov wrote:
> On Wed, Aug 17, 2022 at 06:39:07PM -0300, Guilherme G. Piccoli wrote:
>> Sorry for the confusion, let me try to be a bit more clear:
>
> I think you're missing the point. Lemme try again:
>
> You *absolutely* must log those errors because they're impo
On 17/08/2022 18:02, Borislav Petkov wrote:
> On Wed, Aug 17, 2022 at 05:28:34PM -0300, Guilherme G. Piccoli wrote:
>> My understanding is the same as yours, i.e., this is not possible to
>> collect from vmcore, it requires register reading. But again: if you
>> kdump your machine today, you won't
On 17/08/2022 16:34, Borislav Petkov wrote:
> [...]
>
> What is "the failure risk for kdump"?
>
> Some of the notifiers which run before kdump might fail and thus prevent
> the machine from kdumping?
>
Exactly; some notifiers could break the machine and prevent a successful
kdump. The EDAC one i
22 matches