From: Greg Kroah-Hartman Date: Fri, 19 Aug 2022 14:49:18 +0000 (+0200) Subject: drop kexec patches from 5.10 as the build broke X-Git-Tag: v5.10.137~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=73618326a635e9ecc064ce10df3ecdd7f139083b;p=thirdparty%2Fkernel%2Fstable-queue.git drop kexec patches from 5.10 as the build broke --- diff --git a/queue-5.10/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch b/queue-5.10/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch deleted file mode 100644 index 11042431c12..00000000000 --- a/queue-5.10/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001 -From: Coiby Xu -Date: Thu, 14 Jul 2022 21:40:26 +0800 -Subject: arm64: kexec_file: use more system keyrings to verify kernel image signature - -From: Coiby Xu - -commit 0d519cadf75184a24313568e7f489a7fc9b1be3b upstream. - -Currently, when loading a kernel image via the kexec_file_load() system -call, arm64 can only use the .builtin_trusted_keys keyring to verify -a signature whereas x86 can use three more keyrings i.e. -.secondary_trusted_keys, .machine and .platform keyrings. For example, -one resulting problem is kexec'ing a kernel image would be rejected -with the error "Lockdown: kexec: kexec of unsigned images is restricted; -see man kernel_lockdown.7". - -This patch set enables arm64 to make use of the same keyrings as x86 to -verify the signature kexec'ed kernel image. - -Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") -Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions -Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig -Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic -Acked-by: Baoquan He -Cc: kexec@lists.infradead.org -Cc: keyrings@vger.kernel.org -Cc: linux-security-module@vger.kernel.org -Co-developed-by: Michal Suchanek -Signed-off-by: Michal Suchanek -Acked-by: Will Deacon -Signed-off-by: Coiby Xu -Signed-off-by: Mimi Zohar -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/kernel/kexec_image.c | 11 +---------- - 1 file changed, 1 insertion(+), 10 deletions(-) - ---- a/arch/arm64/kernel/kexec_image.c -+++ b/arch/arm64/kernel/kexec_image.c -@@ -14,7 +14,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -130,18 +129,10 @@ static void *image_load(struct kimage *i - return NULL; - } - --#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG --static int image_verify_sig(const char *kernel, unsigned long kernel_len) --{ -- return verify_pefile_signature(kernel, kernel_len, NULL, -- VERIFYING_KEXEC_PE_SIGNATURE); --} --#endif -- - const struct kexec_file_ops kexec_image_ops = { - .probe = image_probe, - .load = image_load, - #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG -- .verify_sig = image_verify_sig, -+ .verify_sig = kexec_kernel_verify_pe_sig, - #endif - }; diff --git a/queue-5.10/kexec-clean-up-arch_kexec_kernel_verify_sig.patch b/queue-5.10/kexec-clean-up-arch_kexec_kernel_verify_sig.patch deleted file mode 100644 index 858c9a12646..00000000000 --- a/queue-5.10/kexec-clean-up-arch_kexec_kernel_verify_sig.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 689a71493bd2f31c024f8c0395f85a1fd4b2138e Mon Sep 17 00:00:00 2001 -From: Coiby Xu -Date: Thu, 14 Jul 2022 21:40:24 +0800 -Subject: kexec: clean up arch_kexec_kernel_verify_sig - -From: Coiby Xu - -commit 689a71493bd2f31c024f8c0395f85a1fd4b2138e upstream. - -Before commit 105e10e2cf1c ("kexec_file: drop weak attribute from -functions"), there was already no arch-specific implementation -of arch_kexec_kernel_verify_sig. With weak attribute dropped by that -commit, arch_kexec_kernel_verify_sig is completely useless. So clean it -up. - -Note later patches are dependent on this patch so it should be backported -to the stable tree as well. - -Cc: stable@vger.kernel.org -Suggested-by: Eric W. Biederman -Reviewed-by: Michal Suchanek -Acked-by: Baoquan He -Signed-off-by: Coiby Xu -[zohar@linux.ibm.com: reworded patch description "Note"] -Link: https://lore.kernel.org/linux-integrity/20220714134027.394370-1-coxu@redhat.com/ -Signed-off-by: Mimi Zohar -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/kexec.h | 5 ----- - kernel/kexec_file.c | 33 +++++++++++++-------------------- - 2 files changed, 13 insertions(+), 25 deletions(-) - ---- a/include/linux/kexec.h -+++ b/include/linux/kexec.h -@@ -206,11 +206,6 @@ static inline void *arch_kexec_kernel_im - } - #endif - --#ifdef CONFIG_KEXEC_SIG --int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, -- unsigned long buf_len); --#endif -- - extern int kexec_add_buffer(struct kexec_buf *kbuf); - int kexec_locate_mem_hole(struct kexec_buf *kbuf); - ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -81,24 +81,6 @@ int kexec_image_post_load_cleanup_defaul - return image->fops->cleanup(image->image_loader_data); - } - --#ifdef CONFIG_KEXEC_SIG --static int kexec_image_verify_sig_default(struct kimage *image, void *buf, -- unsigned long buf_len) --{ -- if (!image->fops || !image->fops->verify_sig) { -- pr_debug("kernel loader does not support signature verification.\n"); -- return -EKEYREJECTED; -- } -- -- return image->fops->verify_sig(buf, buf_len); --} -- --int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, unsigned long buf_len) --{ -- return kexec_image_verify_sig_default(image, buf, buf_len); --} --#endif -- - /* - * Free up memory used by kernel, initrd, and command line. This is temporary - * memory allocation which is not needed any more after these buffers have -@@ -141,13 +123,24 @@ void kimage_file_post_load_cleanup(struc - } - - #ifdef CONFIG_KEXEC_SIG -+static int kexec_image_verify_sig(struct kimage *image, void *buf, -+ unsigned long buf_len) -+{ -+ if (!image->fops || !image->fops->verify_sig) { -+ pr_debug("kernel loader does not support signature verification.\n"); -+ return -EKEYREJECTED; -+ } -+ -+ return image->fops->verify_sig(buf, buf_len); -+} -+ - static int - kimage_validate_signature(struct kimage *image) - { - int ret; - -- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, -- image->kernel_buf_len); -+ ret = kexec_image_verify_sig(image, image->kernel_buf, -+ image->kernel_buf_len); - if (ret) { - - if (sig_enforce) { diff --git a/queue-5.10/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch b/queue-5.10/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch deleted file mode 100644 index 0ba76fdc0f9..00000000000 --- a/queue-5.10/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch +++ /dev/null @@ -1,120 +0,0 @@ -From c903dae8941deb55043ee46ded29e84e97cd84bb Mon Sep 17 00:00:00 2001 -From: Coiby Xu -Date: Thu, 14 Jul 2022 21:40:25 +0800 -Subject: kexec, KEYS: make the code in bzImage64_verify_sig generic - -From: Coiby Xu - -commit c903dae8941deb55043ee46ded29e84e97cd84bb upstream. - -commit 278311e417be ("kexec, KEYS: Make use of platform keyring for -signature verify") adds platform keyring support on x86 kexec but not -arm64. - -The code in bzImage64_verify_sig uses the keys on the -.builtin_trusted_keys, .machine, if configured and enabled, -.secondary_trusted_keys, also if configured, and .platform keyrings -to verify the signed kernel image as PE file. - -Cc: kexec@lists.infradead.org -Cc: keyrings@vger.kernel.org -Cc: linux-security-module@vger.kernel.org -Reviewed-by: Michal Suchanek -Signed-off-by: Coiby Xu -Signed-off-by: Mimi Zohar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/kexec-bzimage64.c | 20 +------------------- - include/linux/kexec.h | 7 +++++++ - kernel/kexec_file.c | 17 +++++++++++++++++ - 3 files changed, 25 insertions(+), 19 deletions(-) - ---- a/arch/x86/kernel/kexec-bzimage64.c -+++ b/arch/x86/kernel/kexec-bzimage64.c -@@ -17,7 +17,6 @@ - #include - #include - #include --#include - - #include - #include -@@ -528,28 +527,11 @@ static int bzImage64_cleanup(void *loade - return 0; - } - --#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG --static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) --{ -- int ret; -- -- ret = verify_pefile_signature(kernel, kernel_len, -- VERIFY_USE_SECONDARY_KEYRING, -- VERIFYING_KEXEC_PE_SIGNATURE); -- if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { -- ret = verify_pefile_signature(kernel, kernel_len, -- VERIFY_USE_PLATFORM_KEYRING, -- VERIFYING_KEXEC_PE_SIGNATURE); -- } -- return ret; --} --#endif -- - const struct kexec_file_ops kexec_bzImage64_ops = { - .probe = bzImage64_probe, - .load = bzImage64_load, - .cleanup = bzImage64_cleanup, - #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG -- .verify_sig = bzImage64_verify_sig, -+ .verify_sig = kexec_kernel_verify_pe_sig, - #endif - }; ---- a/include/linux/kexec.h -+++ b/include/linux/kexec.h -@@ -19,6 +19,7 @@ - #include - - #include -+#include - - #ifdef CONFIG_KEXEC_CORE - #include -@@ -206,6 +207,12 @@ static inline void *arch_kexec_kernel_im - } - #endif - -+#ifdef CONFIG_KEXEC_SIG -+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION -+int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len); -+#endif -+#endif -+ - extern int kexec_add_buffer(struct kexec_buf *kbuf); - int kexec_locate_mem_hole(struct kexec_buf *kbuf); - ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -123,6 +123,23 @@ void kimage_file_post_load_cleanup(struc - } - - #ifdef CONFIG_KEXEC_SIG -+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION -+int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len) -+{ -+ int ret; -+ -+ ret = verify_pefile_signature(kernel, kernel_len, -+ VERIFY_USE_SECONDARY_KEYRING, -+ VERIFYING_KEXEC_PE_SIGNATURE); -+ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { -+ ret = verify_pefile_signature(kernel, kernel_len, -+ VERIFY_USE_PLATFORM_KEYRING, -+ VERIFYING_KEXEC_PE_SIGNATURE); -+ } -+ return ret; -+} -+#endif -+ - static int kexec_image_verify_sig(struct kimage *image, void *buf, - unsigned long buf_len) - { diff --git a/queue-5.10/kexec_file-drop-weak-attribute-from-functions.patch b/queue-5.10/kexec_file-drop-weak-attribute-from-functions.patch deleted file mode 100644 index ca3694a899b..00000000000 --- a/queue-5.10/kexec_file-drop-weak-attribute-from-functions.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 65d9a9a60fd71be964effb2e94747a6acb6e7015 Mon Sep 17 00:00:00 2001 -From: "Naveen N. Rao" -Date: Fri, 1 Jul 2022 13:04:04 +0530 -Subject: kexec_file: drop weak attribute from functions - -From: Naveen N. Rao - -commit 65d9a9a60fd71be964effb2e94747a6acb6e7015 upstream. - -As requested -(http://lkml.kernel.org/r/87ee0q7b92.fsf@email.froward.int.ebiederm.org), -this series converts weak functions in kexec to use the #ifdef approach. - -Quoting the 3e35142ef99fe ("kexec_file: drop weak attribute from -arch_kexec_apply_relocations[_add]") changelog: - -: Since commit d1bcae833b32f1 ("ELF: Don't generate unused section symbols") -: [1], binutils (v2.36+) started dropping section symbols that it thought -: were unused. This isn't an issue in general, but with kexec_file.c, gcc -: is placing kexec_arch_apply_relocations[_add] into a separate -: .text.unlikely section and the section symbol ".text.unlikely" is being -: dropped. Due to this, recordmcount is unable to find a non-weak symbol in -: .text.unlikely to generate a relocation record against. - -This patch (of 2); - -Drop __weak attribute from functions in kexec_file.c: -- arch_kexec_kernel_image_probe() -- arch_kimage_file_post_load_cleanup() -- arch_kexec_kernel_image_load() -- arch_kexec_locate_mem_hole() -- arch_kexec_kernel_verify_sig() - -arch_kexec_kernel_image_load() calls into kexec_image_load_default(), so -drop the static attribute for the latter. - -arch_kexec_kernel_verify_sig() is not overridden by any architecture, so -drop the __weak attribute. - -Link: https://lkml.kernel.org/r/cover.1656659357.git.naveen.n.rao@linux.vnet.ibm.com -Link: https://lkml.kernel.org/r/2cd7ca1fe4d6bb6ca38e3283c717878388ed6788.1656659357.git.naveen.n.rao@linux.vnet.ibm.com -Signed-off-by: Naveen N. Rao -Suggested-by: Eric Biederman -Signed-off-by: Andrew Morton -Signed-off-by: Mimi Zohar -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/kexec.h | 4 ++- - arch/powerpc/include/asm/kexec.h | 9 +++++++ - arch/s390/include/asm/kexec.h | 3 ++ - arch/x86/include/asm/kexec.h | 6 +++++ - include/linux/kexec.h | 44 +++++++++++++++++++++++++++++++++------ - kernel/kexec_file.c | 35 +------------------------------ - 6 files changed, 61 insertions(+), 40 deletions(-) - ---- a/arch/arm64/include/asm/kexec.h -+++ b/arch/arm64/include/asm/kexec.h -@@ -106,7 +106,9 @@ extern const struct kexec_file_ops kexec - - struct kimage; - --extern int arch_kimage_file_post_load_cleanup(struct kimage *image); -+int arch_kimage_file_post_load_cleanup(struct kimage *image); -+#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup -+ - extern int load_other_segments(struct kimage *image, - unsigned long kernel_load_addr, unsigned long kernel_size, - char *initrd, unsigned long initrd_len, ---- a/arch/powerpc/include/asm/kexec.h -+++ b/arch/powerpc/include/asm/kexec.h -@@ -131,6 +131,15 @@ int delete_fdt_mem_rsv(void *fdt, unsign - #ifdef CONFIG_PPC64 - struct kexec_buf; - -+int arch_kexec_kernel_image_probe(struct kimage *image, void *buf, unsigned long buf_len); -+#define arch_kexec_kernel_image_probe arch_kexec_kernel_image_probe -+ -+int arch_kimage_file_post_load_cleanup(struct kimage *image); -+#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup -+ -+int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf); -+#define arch_kexec_locate_mem_hole arch_kexec_locate_mem_hole -+ - int load_crashdump_segments_ppc64(struct kimage *image, - struct kexec_buf *kbuf); - int setup_purgatory_ppc64(struct kimage *image, const void *slave_code, ---- a/arch/s390/include/asm/kexec.h -+++ b/arch/s390/include/asm/kexec.h -@@ -92,5 +92,8 @@ int arch_kexec_apply_relocations_add(str - const Elf_Shdr *relsec, - const Elf_Shdr *symtab); - #define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add -+ -+int arch_kimage_file_post_load_cleanup(struct kimage *image); -+#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup - #endif - #endif /*_S390_KEXEC_H */ ---- a/arch/x86/include/asm/kexec.h -+++ b/arch/x86/include/asm/kexec.h -@@ -198,6 +198,12 @@ int arch_kexec_apply_relocations_add(str - const Elf_Shdr *relsec, - const Elf_Shdr *symtab); - #define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add -+ -+void *arch_kexec_kernel_image_load(struct kimage *image); -+#define arch_kexec_kernel_image_load arch_kexec_kernel_image_load -+ -+int arch_kimage_file_post_load_cleanup(struct kimage *image); -+#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup - #endif - #endif - ---- a/include/linux/kexec.h -+++ b/include/linux/kexec.h -@@ -182,21 +182,53 @@ int kexec_purgatory_get_set_symbol(struc - void *buf, unsigned int size, - bool get_value); - void *kexec_purgatory_get_symbol_addr(struct kimage *image, const char *name); -+void *kexec_image_load_default(struct kimage *image); -+ -+#ifndef arch_kexec_kernel_image_probe -+static inline int -+arch_kexec_kernel_image_probe(struct kimage *image, void *buf, unsigned long buf_len) -+{ -+ return kexec_image_probe_default(image, buf, buf_len); -+} -+#endif -+ -+#ifndef arch_kimage_file_post_load_cleanup -+static inline int arch_kimage_file_post_load_cleanup(struct kimage *image) -+{ -+ return kexec_image_post_load_cleanup_default(image); -+} -+#endif -+ -+#ifndef arch_kexec_kernel_image_load -+static inline void *arch_kexec_kernel_image_load(struct kimage *image) -+{ -+ return kexec_image_load_default(image); -+} -+#endif - --/* Architectures may override the below functions */ --int arch_kexec_kernel_image_probe(struct kimage *image, void *buf, -- unsigned long buf_len); --void *arch_kexec_kernel_image_load(struct kimage *image); --int arch_kimage_file_post_load_cleanup(struct kimage *image); - #ifdef CONFIG_KEXEC_SIG - int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, - unsigned long buf_len); - #endif --int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf); - - extern int kexec_add_buffer(struct kexec_buf *kbuf); - int kexec_locate_mem_hole(struct kexec_buf *kbuf); - -+#ifndef arch_kexec_locate_mem_hole -+/** -+ * arch_kexec_locate_mem_hole - Find free memory to place the segments. -+ * @kbuf: Parameters for the memory search. -+ * -+ * On success, kbuf->mem will have the start address of the memory region found. -+ * -+ * Return: 0 on success, negative errno on error. -+ */ -+static inline int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf) -+{ -+ return kexec_locate_mem_hole(kbuf); -+} -+#endif -+ - /* Alignment required for elf header segment */ - #define ELF_CORE_HEADER_ALIGN 4096 - ---- a/kernel/kexec_file.c -+++ b/kernel/kexec_file.c -@@ -62,14 +62,7 @@ int kexec_image_probe_default(struct kim - return ret; - } - --/* Architectures can provide this probe function */ --int __weak arch_kexec_kernel_image_probe(struct kimage *image, void *buf, -- unsigned long buf_len) --{ -- return kexec_image_probe_default(image, buf, buf_len); --} -- --static void *kexec_image_load_default(struct kimage *image) -+void *kexec_image_load_default(struct kimage *image) - { - if (!image->fops || !image->fops->load) - return ERR_PTR(-ENOEXEC); -@@ -80,11 +73,6 @@ static void *kexec_image_load_default(st - image->cmdline_buf_len); - } - --void * __weak arch_kexec_kernel_image_load(struct kimage *image) --{ -- return kexec_image_load_default(image); --} -- - int kexec_image_post_load_cleanup_default(struct kimage *image) - { - if (!image->fops || !image->fops->cleanup) -@@ -93,11 +81,6 @@ int kexec_image_post_load_cleanup_defaul - return image->fops->cleanup(image->image_loader_data); - } - --int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) --{ -- return kexec_image_post_load_cleanup_default(image); --} -- - #ifdef CONFIG_KEXEC_SIG - static int kexec_image_verify_sig_default(struct kimage *image, void *buf, - unsigned long buf_len) -@@ -110,8 +93,7 @@ static int kexec_image_verify_sig_defaul - return image->fops->verify_sig(buf, buf_len); - } - --int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, -- unsigned long buf_len) -+int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, unsigned long buf_len) - { - return kexec_image_verify_sig_default(image, buf, buf_len); - } -@@ -617,19 +599,6 @@ int kexec_locate_mem_hole(struct kexec_b - } - - /** -- * arch_kexec_locate_mem_hole - Find free memory to place the segments. -- * @kbuf: Parameters for the memory search. -- * -- * On success, kbuf->mem will have the start address of the memory region found. -- * -- * Return: 0 on success, negative errno on error. -- */ --int __weak arch_kexec_locate_mem_hole(struct kexec_buf *kbuf) --{ -- return kexec_locate_mem_hole(kbuf); --} -- --/** - * kexec_add_buffer - place a buffer in a kexec segment - * @kbuf: Buffer contents and memory parameters. - * diff --git a/queue-5.10/series b/queue-5.10/series index 7c21b17f35c..1d856276f4c 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -543,7 +543,3 @@ net_sched-cls_route-disallow-handle-of-0.patch sched-fair-fix-fault-in-reweight_entity.patch btrfs-only-write-the-sectors-in-the-vertical-stripe-which-has-data-stripes.patch btrfs-raid56-don-t-trust-any-cached-sector-in-__raid56_parity_recover.patch -kexec_file-drop-weak-attribute-from-functions.patch -kexec-clean-up-arch_kexec_kernel_verify_sig.patch -kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch -arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch