Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 1450772 Details for
Bug 1470995
Can't start Kdump with SecureBoot enabled
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
A patch posted for Fedora kernel
0001-Fix-kexec_file_load-bzImage-signature-verification.patch (text/plain), 2.33 KB, created by
Dave Young
on 2018-06-13 03:22:09 UTC
(
hide
)
Description:
A patch posted for Fedora kernel
Filename:
MIME Type:
Creator:
Dave Young
Created:
2018-06-13 03:22:09 UTC
Size:
2.33 KB
patch
obsolete
>Fix Fedora bug >https://bugzilla.redhat.com/show_bug.cgi?id=1470995 > >With Fedora kernels on Secure Boot enabled machine kexec_file_load >fails because kernel can not use any keys other than kernel builtin >keyring. verify_pefile_signature() requires caller to pass 1UL as >the keyring pointer to use other keyring. > >Posted a fix in upstream, but no response for long time. Thus going >with a Fedora fix same as what the module code does. > >Signed-off-by: Dave Young <dyoung@redhat.com> >--- > kernel.spec | 3 ++ > kexec-bzimage-verify-pe-signature-fix.patch | 32 +++++++++++++++++++++ > 2 files changed, 35 insertions(+) > create mode 100644 kexec-bzimage-verify-pe-signature-fix.patch > >diff --git a/kernel.spec b/kernel.spec >index d5e16d7f..7a20da1e 100644 >--- a/kernel.spec >+++ b/kernel.spec >@@ -608,6 +608,9 @@ Patch501: Fix-for-module-sig-verification.patch > # rhbz 1431375 > Patch502: input-rmi4-remove-the-need-for-artifical-IRQ.patch > >+# rhbz 1470995 >+Patch503: kexec-bzimage-verify-pe-signature-fix.patch >+ > # END OF PATCH DEFINITIONS > > %endif >diff --git a/kexec-bzimage-verify-pe-signature-fix.patch b/kexec-bzimage-verify-pe-signature-fix.patch >new file mode 100644 >index 00000000..866b74b9 >--- /dev/null >+++ b/kexec-bzimage-verify-pe-signature-fix.patch >@@ -0,0 +1,32 @@ >+From: Dave Young <dyoung@redhat.com> >+ >+Fix kexec_file_load pefile signature verification >+ >+Similar with Fix-for-module-sig-verification.patch, kexec_file syscall also >+need pass 1UL to verify_pefile_signature so that secondary keys can be used. >+ >+Fedora bug >+https://bugzilla.redhat.com/show_bug.cgi?id=1470995 >+ >+Latest upstream effort is below: >+https://www.spinics.net/lists/kernel/msg2825184.html >+ >+Ideally this need an upstream fix, but since nobody response we can workaround >+it like the module code did. >+ >+Signed-off-by: Dave Young <dyoung@redhat.com> >+--- >+ arch/x86/kernel/kexec-bzimage64.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+--- linux-x86.orig/arch/x86/kernel/kexec-bzimage64.c >++++ linux-x86/arch/x86/kernel/kexec-bzimage64.c >+@@ -533,7 +533,7 @@ static int bzImage64_cleanup(void *loade >+ static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) >+ { >+ return verify_pefile_signature(kernel, kernel_len, >+- NULL, >++ (void *)1UL, >+ VERIFYING_KEXEC_PE_SIGNATURE); >+ } >+ #endif >-- >2.17.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=1450772">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 1470995
:
1299781
| 1450772