Google Git
Sign in
kernel / pub / scm / linux / kernel / git / groeck / linux-staging / ea93102f32244e3f45c8b26260be77ed0cc1d16c
commitea93102f32244e3f45c8b26260be77ed0cc1d16c[log] [tgz]
authorYannik Sembritzki <yannik@sembritzki.me>Thu Aug 16 14:05:23 2018 +0100
committerLinus Torvalds <torvalds@linux-foundation.org>Thu Aug 16 09:57:20 2018 -0700
tree75ccf6885543ec7b84a142ce8e209c0f62ff7fd6
parent817aef260037f33ee0f44c17fe341323d3aebd6d [diff]
Fix kexec forbidding kernels signed with keys in the secondary keyring to boot

The split of .system_keyring into .builtin_trusted_keys and
.secondary_trusted_keys broke kexec, thereby preventing kernels signed by
keys which are now in the secondary keyring from being kexec'd.

Fix this by passing VERIFY_USE_SECONDARY_KEYRING to
verify_pefile_signature().

Fixes: d3bfe84129f6 ("certs: Add a secondary system keyring that can be added to dynamically")
Signed-off-by: Yannik Sembritzki <yannik@sembritzki.me>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: kexec@lists.infradead.org
Cc: keyrings@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 file changed
tree: 75ccf6885543ec7b84a142ce8e209c0f62ff7fd6
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .clang-format
  25. .cocciconfig
  26. .get_maintainer.ignore
  27. .gitattributes
  28. .gitignore
  29. .mailmap
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. README