Merge remote-tracking branch 'integrity/next-integrity'

[linux] / arch / x86 / kernel / kexec-bzimage64.c

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 53917a3..2a723fd 100644 (file)
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -536,9 +536,17 @@ static int bzImage64_cleanup(void *loader_data)
 #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
 static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
 {
-       return verify_pefile_signature(kernel, kernel_len,
-                                      VERIFY_USE_SECONDARY_KEYRING,
-                                      VERIFYING_KEXEC_PE_SIGNATURE);
+       int ret;
+
+       ret = verify_pefile_signature(kernel, kernel_len,
+                                     VERIFY_USE_SECONDARY_KEYRING,
+                                     VERIFYING_KEXEC_PE_SIGNATURE);
+       if (ret == -ENOKEY && IS_ENABLED(CONFIG_INTEGRITY_PLATFORM_KEYRING)) {
+               ret = verify_pefile_signature(kernel, kernel_len,
+                                             VERIFY_USE_PLATFORM_KEYRING,
+                                             VERIFYING_KEXEC_PE_SIGNATURE);
+       }
+       return ret;
 }
 #endif