Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot

From: Linus Torvalds
Date: Wed Aug 15 2018 - 16:47:44 EST

Next message: Bryan.Whitehead: "RE: [PATCH] net: lan743x_ptp: convert to ktime_get_clocktai_ts64"
Previous message: Rob Herring: "Re: [RFC PATCH v1 1/3] dt-bindings: net: Add 'mac-address-lookup' property"
In reply to: Vivek Goyal: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Next in thread: James Bottomley: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>
> I see that module signing code trusts only builtin keys and
> not the keys in secondary_trusted_keys keyring.

This, I think, makes sense.

It basically says: we don't allow modules that weren't built with the
kernel. Adding a new key later and signing a module with it violates
that premise.

Linus

Next message: Bryan.Whitehead: "RE: [PATCH] net: lan743x_ptp: convert to ktime_get_clocktai_ts64"
Previous message: Rob Herring: "Re: [RFC PATCH v1 1/3] dt-bindings: net: Add 'mac-address-lookup' property"
In reply to: Vivek Goyal: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Next in thread: James Bottomley: "Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]