kernel: enable CONFIG_KEXEC_SIG* #9306

Closed
wants to merge 1 commit into from

pprindeville
Member

Failing to build because of missing symbols related to provisioning
CONFIG_KEXEC.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

@pprindeville
Member Author

Requesting reviews from @aparcar @rsalvaterra @bobafetthotmail

@mans0n
Member

mans0n commented Feb 22, 2022

The commit title should be something like x86: enable CONFIG_KEXEC_SIG*.

@mans0n mans0n added the target/x86 pull request/issue for x86 target label Feb 22, 2022
@pprindeville
Member Author

> The commit title should be something like x86: enable CONFIG_KEXEC_SIG*.

Done.

@mans0n
Member

mans0n commented Feb 22, 2022

Er, I mean the prefix should be x86:...

@aparcar aparcar changed the title kernel: CONFIG_KEXEC* is incomplete for x86 x86: enable CONFIG_KEXEC_SIG* Feb 22, 2022
@aparcar
Member

aparcar commented Feb 22, 2022

> Er, I mean the prefix should be x86:...

It's already renamed, just the commit kept the old name

@pprindeville
Member Author

> > Er, I mean the prefix should be x86:...
>
> It's already renamed, just the commit kept the old name

So... good to go?

@aparcar
Member

aparcar commented Feb 24, 2022

How is this failing? I'm trying to build x86/64 and it works just fine?

@chunkeey
Member

CONFIG_KEXEC_SIG symbols showed up in 5.4. But from what I know, OpenWrt doesn't sign kernel modules (CONFIG_MODULE_SIG is disabled in the generic/config-5.10) or kernels yet. So, if this gets enabled and if the KConfig help text for CONFIG_KEXEC_SIG holds true: "If configured, any attempt of loading a image without valid signature will fail." this would just break?

I would suggest to put # CONFIG_KEXEC_SIG is not set into the target/generic/config-5.10 for now.

@pprindeville
Member Author

x86 has EFI. EFI potentially supports secure boot, which would require signed images.

@chunkeey
Member

chunkeey commented Feb 26, 2022

Do you want to add support for grub+kernel+module signing on x86 (and possibly arm) for this?

EDIT: (just remembered about grub, it needs to be signed too.)

@pprindeville
Member Author

> Do you want to add support for grub+kernel+module signing on x86 (and possibly arm) for this?
>
> EDIT: (just remembered about grub, it needs to be signed too.)

I don't plan on doing it any time soon, but don't want to add any obstacles to someone taking it on, either.

@pprindeville pprindeville force-pushed the x86-kexec-sig branch 2 times, most recently from 80857ec to 247c0f6 Compare March 1, 2022 00:37
@pprindeville pprindeville changed the title x86: enable CONFIG_KEXEC_SIG* kernel: enable CONFIG_KEXEC_SIG* Mar 1, 2022
@pprindeville
Member Author

> I would suggest to put # CONFIG_KEXEC_SIG is not set into the target/generic/config-5.10 for now.

Done.

@mans0n mans0n added kernel pull request/issue with Linux kernel related changes and removed target/x86 pull request/issue for x86 target labels Mar 1, 2022
@pprindeville
Member Author

@aparcar @chunkeey Can someone assign reviewers please?

@ynezz
Member

ynezz commented Mar 8, 2022

> Failing to build because of missing symbols related to provisioning CONFIG_KEXEC and signed images.

Can you please make it clear (in the commit message) for us mere mortals what is failing now? What needs to be done in order to see the failure?

@pprindeville
Member Author

pprindeville commented Mar 8, 2022

> > Failing to build because of missing symbols related to provisioning CONFIG_KEXEC and signed images.
>
> Can you please make it clear (in the commit message) for us mere mortals what is failing now? What needs to be done in order to see the failure?

I'm building x86_64/generic with CONFIG_KERNEL_KEXEC=y set, and I'm seeing the target/linux build hang with:

kexec system call (KEXEC) [Y/n/?] y
kexec file based system call (KEXEC_FILE) [Y/n/?] y
Verify kernel signature during kexec_file_load() syscall (KEXEC_SIG) [N/y/?] (NEW) 

So in short, if CONFIG_KEXEC is set, then 5.10 requires settings for CONFIG_KEXEC_SIG.

Seeing failure to build because of missing symbols related to provisioning
CONFIG_KEXEC and signed images.  Without this, if you set
CONFIG_KERNEL_KEXEC=y and try to build, target/linux will hang at:

scripts/kconfig/conf  --syncconfig Kconfig
...
kexec system call (KEXEC) [Y/n/?] y
kexec file based system call (KEXEC_FILE) [Y/n/?] y
Verify kernel signature during kexec_file_load() syscall (KEXEC_SIG) [N/y/?] (NEW)

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
@ynezz ynezz self-assigned this Mar 8, 2022
@ynezz ynezz added the ready for merge pull request reviewed and prepared for merge label Mar 8, 2022
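
The hang reported above comes from a config that never states a decision for KEXEC_SIG, so `conf --syncconfig` stops to ask. As an added example (not code from this pull request or from OpenWrt), this shell check lists the symbols a config fragment leaves undecided; the function names and both sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenWrt code.
# kconfig treats a symbol as decided only when the config has
# "CONFIG_X=<value>" or the exact comment "# CONFIG_X is not set".
# Anything else is (NEW) and "conf --syncconfig" prompts for it on stdin.

# undecided_symbols FILE SYM... : print each SYM that FILE leaves undecided.
undecided_symbols() {
    cfg=$1
    shift
    for sym in "$@"; do
        # Requiring "=" or " is not set" right after the name keeps KEXEC_SIG
        # from being satisfied by a line for a longer name (KEXEC_SIG_FORCE).
        grep -Eq "^(CONFIG_${sym}=|# CONFIG_${sym} is not set\$)" "$cfg" ||
            printf '%s\n' "$sym"
    done
}

# check_fragment TEXT : run the check on a config fragment passed as a string.
# The symbol list is the three prompts shown in the build output above.
check_fragment() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    undecided_symbols "$tmp" KEXEC KEXEC_FILE KEXEC_SIG
    rm -f "$tmp"
}

# Constructed sample: kexec enabled, KEXEC_SIG itself never mentioned
# (only a longer-named neighbour is).
BEFORE='CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
# CONFIG_KEXEC_SIG_FORCE is not set'

# Constructed sample: the same fragment plus the line suggested in the thread.
AFTER="$BEFORE
# CONFIG_KEXEC_SIG is not set"

echo "undecided before: $(check_fragment "$BEFORE" | tr '\n' ' ')"
echo "undecided after:  $(check_fragment "$AFTER" | tr '\n' ' ')"
```

A non-empty list means an interactive build will stop at a prompt for each listed symbol, and a non-interactive one will silently take the Kconfig default.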
@ynezz
Member

ynezz commented Mar 15, 2022

Thanks! Pulled into my staging tree at https://git.openwrt.org/openwrt/staging/ynezz.git

@ynezz ynezz closed this Mar 15, 2022
@pprindeville pprindeville deleted the x86-kexec-sig branch March 15, 2022 18:29