• Kairui Song's avatar
    kexec, KEYS: Make use of platform keyring for signature verify · 278311e4
    Kairui Song authored
    This patch allows the kexec_file_load syscall to verify the PE signed
    kernel image signature based on the preboot keys stored in the .platform
    keyring, as fall back, if the signature verification failed due to not
    finding the public key in the secondary or builtin keyrings.
    
    This commit adds a VERIFY_USE_PLATFORM_KEYRING similar to previous
    VERIFY_USE_SECONDARY_KEYRING indicating that verify_pkcs7_signature
    should verify the signature using platform keyring.  Also, decrease
    the error message log level when verification failed with -ENOKEY,
    so that if called tried multiple time with different keyring it
    won't generate extra noises.
    Signed-off-by: default avatarKairui Song <kasong@redhat.com>
    Cc: David Howells <dhowells@redhat.com>
    Acked-by: Dave Young <dyoung@redhat.com> (for kexec_file_load part)
    [zohar@linux.ibm.com: tweaked the first paragraph of the patch description,
     and fixed checkpatch warning.]
    Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
    278311e4
system_keyring.c 8.02 KB