On Wed, Sep 03, 2014 at 03:46:01PM -0400, Vivek Goyal wrote:
New kexec syscall (kexec_file_load()) can perform bzimage signature
verification.
This will re-enable kexec/kdump on secureboot systems using new syscall.
Currently kexec/kdump is disabled on secureboot systems.
User space (kexec-tools) will be modifed to automatically detect that
running system has secureboot enabled and use new syscall instead of
old one.
Nice. This should work out well. Thanks for getting this upstream.
To be extra clear, the Fedora kernel builds should already be getting
the proper signature at build time via pesign, correct?
josh
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
config-x86-generic | 3 ++-
config-x86_64-generic | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
Index: fedora-linux/config-x86-generic
===================================================================
--- fedora-linux.orig/config-x86-generic 2014-09-03 15:14:22.657901263 -0400
+++ fedora-linux/config-x86-generic 2014-09-03 15:14:26.654924830 -0400
@@ -499,8 +499,9 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=m
+CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_MODULE_SIG=y
Index: fedora-linux/config-x86_64-generic
===================================================================
--- fedora-linux.orig/config-x86_64-generic 2014-09-03 15:14:22.658901268 -0400
+++ fedora-linux/config-x86_64-generic 2014-09-03 15:23:53.655268010 -0400
@@ -42,6 +42,9 @@ CONFIG_CGROUP_HUGETLB=y
CONFIG_MEM_SOFT_DIRTY=y
CONFIG_KEXEC_JUMP=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_ACPI_HOTPLUG_MEMORY=y