From 3399e9d3d3b1ef24af4924b09d090af512509561 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 19 Aug 2022 16:46:11 +0200 Subject: [PATCH] 5.15-stable patches added patches: arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch kexec-clean-up-arch_kexec_kernel_verify_sig.patch kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch kexec_file-drop-weak-attribute-from-functions.patch --- ...ngs-to-verify-kernel-image-signature.patch | 68 +++++ ...lean-up-arch_kexec_kernel_verify_sig.patch | 100 +++++++ ...code-in-bzimage64_verify_sig-generic.patch | 120 +++++++++ ...e-drop-weak-attribute-from-functions.patch | 246 ++++++++++++++++++ queue-5.15/series | 4 + 5 files changed, 538 insertions(+) create mode 100644 queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch create mode 100644 queue-5.15/kexec-clean-up-arch_kexec_kernel_verify_sig.patch create mode 100644 queue-5.15/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch create mode 100644 queue-5.15/kexec_file-drop-weak-attribute-from-functions.patch diff --git a/queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch b/queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch new file mode 100644 index 00000000000..11042431c12 --- /dev/null +++ b/queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch @@ -0,0 +1,68 @@ +From 0d519cadf75184a24313568e7f489a7fc9b1be3b Mon Sep 17 00:00:00 2001 +From: Coiby Xu +Date: Thu, 14 Jul 2022 21:40:26 +0800 +Subject: arm64: kexec_file: use more system keyrings to verify kernel image signature + +From: Coiby Xu + +commit 0d519cadf75184a24313568e7f489a7fc9b1be3b upstream. + +Currently, when loading a kernel image via the kexec_file_load() system +call, arm64 can only use the .builtin_trusted_keys keyring to verify +a signature whereas x86 can use three more keyrings i.e. +.secondary_trusted_keys, .machine and .platform keyrings. For example, +one resulting problem is kexec'ing a kernel image would be rejected +with the error "Lockdown: kexec: kexec of unsigned images is restricted; +see man kernel_lockdown.7". + +This patch set enables arm64 to make use of the same keyrings as x86 to +verify the signature kexec'ed kernel image. + +Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") +Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions +Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig +Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic +Acked-by: Baoquan He +Cc: kexec@lists.infradead.org +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Co-developed-by: Michal Suchanek +Signed-off-by: Michal Suchanek +Acked-by: Will Deacon +Signed-off-by: Coiby Xu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/kexec_image.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +--- a/arch/arm64/kernel/kexec_image.c ++++ b/arch/arm64/kernel/kexec_image.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -130,18 +129,10 @@ static void *image_load(struct kimage *i + return NULL; + } + +-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG +-static int image_verify_sig(const char *kernel, unsigned long kernel_len) +-{ +- return verify_pefile_signature(kernel, kernel_len, NULL, +- VERIFYING_KEXEC_PE_SIGNATURE); +-} +-#endif +- + const struct kexec_file_ops kexec_image_ops = { + .probe = image_probe, + .load = image_load, + #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG +- .verify_sig = image_verify_sig, ++ .verify_sig = kexec_kernel_verify_pe_sig, + #endif + }; diff --git a/queue-5.15/kexec-clean-up-arch_kexec_kernel_verify_sig.patch b/queue-5.15/kexec-clean-up-arch_kexec_kernel_verify_sig.patch new file mode 100644 index 00000000000..858c9a12646 --- /dev/null +++ b/queue-5.15/kexec-clean-up-arch_kexec_kernel_verify_sig.patch @@ -0,0 +1,100 @@ +From 689a71493bd2f31c024f8c0395f85a1fd4b2138e Mon Sep 17 00:00:00 2001 +From: Coiby Xu +Date: Thu, 14 Jul 2022 21:40:24 +0800 +Subject: kexec: clean up arch_kexec_kernel_verify_sig + +From: Coiby Xu + +commit 689a71493bd2f31c024f8c0395f85a1fd4b2138e upstream. + +Before commit 105e10e2cf1c ("kexec_file: drop weak attribute from +functions"), there was already no arch-specific implementation +of arch_kexec_kernel_verify_sig. With weak attribute dropped by that +commit, arch_kexec_kernel_verify_sig is completely useless. So clean it +up. + +Note later patches are dependent on this patch so it should be backported +to the stable tree as well. + +Cc: stable@vger.kernel.org +Suggested-by: Eric W. Biederman +Reviewed-by: Michal Suchanek +Acked-by: Baoquan He +Signed-off-by: Coiby Xu +[zohar@linux.ibm.com: reworded patch description "Note"] +Link: https://lore.kernel.org/linux-integrity/20220714134027.394370-1-coxu@redhat.com/ +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kexec.h | 5 ----- + kernel/kexec_file.c | 33 +++++++++++++-------------------- + 2 files changed, 13 insertions(+), 25 deletions(-) + +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -206,11 +206,6 @@ static inline void *arch_kexec_kernel_im + } + #endif + +-#ifdef CONFIG_KEXEC_SIG +-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, +- unsigned long buf_len); +-#endif +- + extern int kexec_add_buffer(struct kexec_buf *kbuf); + int kexec_locate_mem_hole(struct kexec_buf *kbuf); + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -81,24 +81,6 @@ int kexec_image_post_load_cleanup_defaul + return image->fops->cleanup(image->image_loader_data); + } + +-#ifdef CONFIG_KEXEC_SIG +-static int kexec_image_verify_sig_default(struct kimage *image, void *buf, +- unsigned long buf_len) +-{ +- if (!image->fops || !image->fops->verify_sig) { +- pr_debug("kernel loader does not support signature verification.\n"); +- return -EKEYREJECTED; +- } +- +- return image->fops->verify_sig(buf, buf_len); +-} +- +-int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, unsigned long buf_len) +-{ +- return kexec_image_verify_sig_default(image, buf, buf_len); +-} +-#endif +- + /* + * Free up memory used by kernel, initrd, and command line. This is temporary + * memory allocation which is not needed any more after these buffers have +@@ -141,13 +123,24 @@ void kimage_file_post_load_cleanup(struc + } + + #ifdef CONFIG_KEXEC_SIG ++static int kexec_image_verify_sig(struct kimage *image, void *buf, ++ unsigned long buf_len) ++{ ++ if (!image->fops || !image->fops->verify_sig) { ++ pr_debug("kernel loader does not support signature verification.\n"); ++ return -EKEYREJECTED; ++ } ++ ++ return image->fops->verify_sig(buf, buf_len); ++} ++ + static int + kimage_validate_signature(struct kimage *image) + { + int ret; + +- ret = arch_kexec_kernel_verify_sig(image, image->kernel_buf, +- image->kernel_buf_len); ++ ret = kexec_image_verify_sig(image, image->kernel_buf, ++ image->kernel_buf_len); + if (ret) { + + if (sig_enforce) { diff --git a/queue-5.15/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch b/queue-5.15/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch new file mode 100644 index 00000000000..0ba76fdc0f9 --- /dev/null +++ b/queue-5.15/kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch @@ -0,0 +1,120 @@ +From c903dae8941deb55043ee46ded29e84e97cd84bb Mon Sep 17 00:00:00 2001 +From: Coiby Xu +Date: Thu, 14 Jul 2022 21:40:25 +0800 +Subject: kexec, KEYS: make the code in bzImage64_verify_sig generic + +From: Coiby Xu + +commit c903dae8941deb55043ee46ded29e84e97cd84bb upstream. + +commit 278311e417be ("kexec, KEYS: Make use of platform keyring for +signature verify") adds platform keyring support on x86 kexec but not +arm64. + +The code in bzImage64_verify_sig uses the keys on the +.builtin_trusted_keys, .machine, if configured and enabled, +.secondary_trusted_keys, also if configured, and .platform keyrings +to verify the signed kernel image as PE file. + +Cc: kexec@lists.infradead.org +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Reviewed-by: Michal Suchanek +Signed-off-by: Coiby Xu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kexec-bzimage64.c | 20 +------------------- + include/linux/kexec.h | 7 +++++++ + kernel/kexec_file.c | 17 +++++++++++++++++ + 3 files changed, 25 insertions(+), 19 deletions(-) + +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -17,7 +17,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -528,28 +527,11 @@ static int bzImage64_cleanup(void *loade + return 0; + } + +-#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG +-static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) +-{ +- int ret; +- +- ret = verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_SECONDARY_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); +- if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { +- ret = verify_pefile_signature(kernel, kernel_len, +- VERIFY_USE_PLATFORM_KEYRING, +- VERIFYING_KEXEC_PE_SIGNATURE); +- } +- return ret; +-} +-#endif +- + const struct kexec_file_ops kexec_bzImage64_ops = { + .probe = bzImage64_probe, + .load = bzImage64_load, + .cleanup = bzImage64_cleanup, + #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG +- .verify_sig = bzImage64_verify_sig, ++ .verify_sig = kexec_kernel_verify_pe_sig, + #endif + }; +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -19,6 +19,7 @@ + #include + + #include ++#include + + #ifdef CONFIG_KEXEC_CORE + #include +@@ -206,6 +207,12 @@ static inline void *arch_kexec_kernel_im + } + #endif + ++#ifdef CONFIG_KEXEC_SIG ++#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION ++int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len); ++#endif ++#endif ++ + extern int kexec_add_buffer(struct kexec_buf *kbuf); + int kexec_locate_mem_hole(struct kexec_buf *kbuf); + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -123,6 +123,23 @@ void kimage_file_post_load_cleanup(struc + } + + #ifdef CONFIG_KEXEC_SIG ++#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION ++int kexec_kernel_verify_pe_sig(const char *kernel, unsigned long kernel_len) ++{ ++ int ret; ++ ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_SECONDARY_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) { ++ ret = verify_pefile_signature(kernel, kernel_len, ++ VERIFY_USE_PLATFORM_KEYRING, ++ VERIFYING_KEXEC_PE_SIGNATURE); ++ } ++ return ret; ++} ++#endif ++ + static int kexec_image_verify_sig(struct kimage *image, void *buf, + unsigned long buf_len) + { diff --git a/queue-5.15/kexec_file-drop-weak-attribute-from-functions.patch b/queue-5.15/kexec_file-drop-weak-attribute-from-functions.patch new file mode 100644 index 00000000000..5ab4d26bb6a --- /dev/null +++ b/queue-5.15/kexec_file-drop-weak-attribute-from-functions.patch @@ -0,0 +1,246 @@ +From 65d9a9a60fd71be964effb2e94747a6acb6e7015 Mon Sep 17 00:00:00 2001 +From: "Naveen N. Rao" +Date: Fri, 1 Jul 2022 13:04:04 +0530 +Subject: kexec_file: drop weak attribute from functions + +From: Naveen N. Rao + +commit 65d9a9a60fd71be964effb2e94747a6acb6e7015 upstream. + +As requested +(http://lkml.kernel.org/r/87ee0q7b92.fsf@email.froward.int.ebiederm.org), +this series converts weak functions in kexec to use the #ifdef approach. + +Quoting the 3e35142ef99fe ("kexec_file: drop weak attribute from +arch_kexec_apply_relocations[_add]") changelog: + +: Since commit d1bcae833b32f1 ("ELF: Don't generate unused section symbols") +: [1], binutils (v2.36+) started dropping section symbols that it thought +: were unused. This isn't an issue in general, but with kexec_file.c, gcc +: is placing kexec_arch_apply_relocations[_add] into a separate +: .text.unlikely section and the section symbol ".text.unlikely" is being +: dropped. Due to this, recordmcount is unable to find a non-weak symbol in +: .text.unlikely to generate a relocation record against. + +This patch (of 2); + +Drop __weak attribute from functions in kexec_file.c: +- arch_kexec_kernel_image_probe() +- arch_kimage_file_post_load_cleanup() +- arch_kexec_kernel_image_load() +- arch_kexec_locate_mem_hole() +- arch_kexec_kernel_verify_sig() + +arch_kexec_kernel_image_load() calls into kexec_image_load_default(), so +drop the static attribute for the latter. + +arch_kexec_kernel_verify_sig() is not overridden by any architecture, so +drop the __weak attribute. + +Link: https://lkml.kernel.org/r/cover.1656659357.git.naveen.n.rao@linux.vnet.ibm.com +Link: https://lkml.kernel.org/r/2cd7ca1fe4d6bb6ca38e3283c717878388ed6788.1656659357.git.naveen.n.rao@linux.vnet.ibm.com +Signed-off-by: Naveen N. Rao +Suggested-by: Eric Biederman +Signed-off-by: Andrew Morton +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/kexec.h | 4 ++- + arch/powerpc/include/asm/kexec.h | 9 +++++++ + arch/s390/include/asm/kexec.h | 3 ++ + arch/x86/include/asm/kexec.h | 6 +++++ + include/linux/kexec.h | 44 +++++++++++++++++++++++++++++++++------ + kernel/kexec_file.c | 35 +------------------------------ + 6 files changed, 61 insertions(+), 40 deletions(-) + +--- a/arch/arm64/include/asm/kexec.h ++++ b/arch/arm64/include/asm/kexec.h +@@ -103,7 +103,9 @@ extern const struct kexec_file_ops kexec + + struct kimage; + +-extern int arch_kimage_file_post_load_cleanup(struct kimage *image); ++int arch_kimage_file_post_load_cleanup(struct kimage *image); ++#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup ++ + extern int load_other_segments(struct kimage *image, + unsigned long kernel_load_addr, unsigned long kernel_size, + char *initrd, unsigned long initrd_len, +--- a/arch/powerpc/include/asm/kexec.h ++++ b/arch/powerpc/include/asm/kexec.h +@@ -119,6 +119,15 @@ int setup_purgatory(struct kimage *image + #ifdef CONFIG_PPC64 + struct kexec_buf; + ++int arch_kexec_kernel_image_probe(struct kimage *image, void *buf, unsigned long buf_len); ++#define arch_kexec_kernel_image_probe arch_kexec_kernel_image_probe ++ ++int arch_kimage_file_post_load_cleanup(struct kimage *image); ++#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup ++ ++int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf); ++#define arch_kexec_locate_mem_hole arch_kexec_locate_mem_hole ++ + int load_crashdump_segments_ppc64(struct kimage *image, + struct kexec_buf *kbuf); + int setup_purgatory_ppc64(struct kimage *image, const void *slave_code, +--- a/arch/s390/include/asm/kexec.h ++++ b/arch/s390/include/asm/kexec.h +@@ -92,5 +92,8 @@ int arch_kexec_apply_relocations_add(str + const Elf_Shdr *relsec, + const Elf_Shdr *symtab); + #define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add ++ ++int arch_kimage_file_post_load_cleanup(struct kimage *image); ++#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup + #endif + #endif /*_S390_KEXEC_H */ +--- a/arch/x86/include/asm/kexec.h ++++ b/arch/x86/include/asm/kexec.h +@@ -193,6 +193,12 @@ int arch_kexec_apply_relocations_add(str + const Elf_Shdr *relsec, + const Elf_Shdr *symtab); + #define arch_kexec_apply_relocations_add arch_kexec_apply_relocations_add ++ ++void *arch_kexec_kernel_image_load(struct kimage *image); ++#define arch_kexec_kernel_image_load arch_kexec_kernel_image_load ++ ++int arch_kimage_file_post_load_cleanup(struct kimage *image); ++#define arch_kimage_file_post_load_cleanup arch_kimage_file_post_load_cleanup + #endif + #endif + +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -182,21 +182,53 @@ int kexec_purgatory_get_set_symbol(struc + void *buf, unsigned int size, + bool get_value); + void *kexec_purgatory_get_symbol_addr(struct kimage *image, const char *name); ++void *kexec_image_load_default(struct kimage *image); ++ ++#ifndef arch_kexec_kernel_image_probe ++static inline int ++arch_kexec_kernel_image_probe(struct kimage *image, void *buf, unsigned long buf_len) ++{ ++ return kexec_image_probe_default(image, buf, buf_len); ++} ++#endif ++ ++#ifndef arch_kimage_file_post_load_cleanup ++static inline int arch_kimage_file_post_load_cleanup(struct kimage *image) ++{ ++ return kexec_image_post_load_cleanup_default(image); ++} ++#endif ++ ++#ifndef arch_kexec_kernel_image_load ++static inline void *arch_kexec_kernel_image_load(struct kimage *image) ++{ ++ return kexec_image_load_default(image); ++} ++#endif + +-/* Architectures may override the below functions */ +-int arch_kexec_kernel_image_probe(struct kimage *image, void *buf, +- unsigned long buf_len); +-void *arch_kexec_kernel_image_load(struct kimage *image); +-int arch_kimage_file_post_load_cleanup(struct kimage *image); + #ifdef CONFIG_KEXEC_SIG + int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, + unsigned long buf_len); + #endif +-int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf); + + extern int kexec_add_buffer(struct kexec_buf *kbuf); + int kexec_locate_mem_hole(struct kexec_buf *kbuf); + ++#ifndef arch_kexec_locate_mem_hole ++/** ++ * arch_kexec_locate_mem_hole - Find free memory to place the segments. ++ * @kbuf: Parameters for the memory search. ++ * ++ * On success, kbuf->mem will have the start address of the memory region found. ++ * ++ * Return: 0 on success, negative errno on error. ++ */ ++static inline int arch_kexec_locate_mem_hole(struct kexec_buf *kbuf) ++{ ++ return kexec_locate_mem_hole(kbuf); ++} ++#endif ++ + /* Alignment required for elf header segment */ + #define ELF_CORE_HEADER_ALIGN 4096 + +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -62,14 +62,7 @@ int kexec_image_probe_default(struct kim + return ret; + } + +-/* Architectures can provide this probe function */ +-int __weak arch_kexec_kernel_image_probe(struct kimage *image, void *buf, +- unsigned long buf_len) +-{ +- return kexec_image_probe_default(image, buf, buf_len); +-} +- +-static void *kexec_image_load_default(struct kimage *image) ++void *kexec_image_load_default(struct kimage *image) + { + if (!image->fops || !image->fops->load) + return ERR_PTR(-ENOEXEC); +@@ -80,11 +73,6 @@ static void *kexec_image_load_default(st + image->cmdline_buf_len); + } + +-void * __weak arch_kexec_kernel_image_load(struct kimage *image) +-{ +- return kexec_image_load_default(image); +-} +- + int kexec_image_post_load_cleanup_default(struct kimage *image) + { + if (!image->fops || !image->fops->cleanup) +@@ -93,11 +81,6 @@ int kexec_image_post_load_cleanup_defaul + return image->fops->cleanup(image->image_loader_data); + } + +-int __weak arch_kimage_file_post_load_cleanup(struct kimage *image) +-{ +- return kexec_image_post_load_cleanup_default(image); +-} +- + #ifdef CONFIG_KEXEC_SIG + static int kexec_image_verify_sig_default(struct kimage *image, void *buf, + unsigned long buf_len) +@@ -110,8 +93,7 @@ static int kexec_image_verify_sig_defaul + return image->fops->verify_sig(buf, buf_len); + } + +-int __weak arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, +- unsigned long buf_len) ++int arch_kexec_kernel_verify_sig(struct kimage *image, void *buf, unsigned long buf_len) + { + return kexec_image_verify_sig_default(image, buf, buf_len); + } +@@ -617,19 +599,6 @@ int kexec_locate_mem_hole(struct kexec_b + } + + /** +- * arch_kexec_locate_mem_hole - Find free memory to place the segments. +- * @kbuf: Parameters for the memory search. +- * +- * On success, kbuf->mem will have the start address of the memory region found. +- * +- * Return: 0 on success, negative errno on error. +- */ +-int __weak arch_kexec_locate_mem_hole(struct kexec_buf *kbuf) +-{ +- return kexec_locate_mem_hole(kbuf); +-} +- +-/** + * kexec_add_buffer - place a buffer in a kexec segment + * @kbuf: Buffer contents and memory parameters. + * diff --git a/queue-5.15/series b/queue-5.15/series index 15eb293d70a..18da0251bef 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -8,3 +8,7 @@ x86-ibt-ftrace-make-function-graph-play-nice.patch x86-ftrace-use-alternative-ret-encoding.patch btrfs-only-write-the-sectors-in-the-vertical-stripe-which-has-data-stripes.patch btrfs-raid56-don-t-trust-any-cached-sector-in-__raid56_parity_recover.patch +kexec_file-drop-weak-attribute-from-functions.patch +kexec-clean-up-arch_kexec_kernel_verify_sig.patch +kexec-keys-make-the-code-in-bzimage64_verify_sig-generic.patch +arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch -- 2.47.3