From: Coiby Xu coxu@redhat.com
redhat/configs: enable KEXEC_SIG for aarch64 RHEL
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994858
KEXEC_SIG needs to be enabled for aarch64 so the kernel image's signature can be verified when loading a kernel image via kexec with secureboot enabled. Note this option has already been enabled for aarch64 Fedora.
CONFIG_KEXEC_IMAGE_VERIFY_SIG is enabled as well so kernel image signature verification support could be enabled for aarch64.
Signed-off-by: Coiby Xu coxu@redhat.com
diff --git a/redhat/configs/fedora/generic/CONFIG_KEXEC_IMAGE_VERIFY_SIG b/redhat/configs/common/generic/CONFIG_KEXEC_IMAGE_VERIFY_SIG rename from redhat/configs/fedora/generic/CONFIG_KEXEC_IMAGE_VERIFY_SIG rename to redhat/configs/common/generic/CONFIG_KEXEC_IMAGE_VERIFY_SIG index blahblah..blahblah 100644 --- a/redhat/configs/fedora/generic/CONFIG_KEXEC_IMAGE_VERIFY_SIG +++ b/redhat/configs/common/generic/CONFIG_KEXEC_IMAGE_VERIFY_SIG diff --git a/redhat/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG b/redhat/configs/common/generic/arm/aarch64/CONFIG_KEXEC_SIG rename from redhat/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG rename to redhat/configs/common/generic/arm/aarch64/CONFIG_KEXEC_SIG index blahblah..blahblah 100644 --- a/redhat/configs/fedora/generic/arm/aarch64/CONFIG_KEXEC_SIG +++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_KEXEC_SIG
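Review bot: the destination of the CONFIG_KEXEC_IMAGE_VERIFY_SIG rename is wider than the commit subject says. It lands in redhat/configs/common/generic/, not under arm/aarch64/ like CONFIG_KEXEC_SIG, so the option is set at the generic level for every architecture while the subject scopes the change to aarch64 RHEL. Either place it under redhat/configs/common/generic/arm/aarch64/ next to CONFIG_KEXEC_SIG, or state in the commit message that the generic placement is intentional and why it is harmless on other architectures. Both renames show no content lines, so the value each file carries cannot be checked from the diff; naming the resulting settings in the commit message would let a reader confirm what RHEL ends up with.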
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442
From: Mark Salter on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_7173236...
Acked-by: Mark Salter msalter@redhat.com (via approve button)
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_7189311...
@prarit @darcari apparently this impacts x86 now too.
From: pbrobinson on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_7191177...
Is there any reason not to unify the configs across all architectures? The only arch that doesn't currently have this enabled is POWER and it doesn't actually currently support it (which I'm actually surprised by) so it's a NO-OP there anyway.
From: Coiby Xu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_7194584...
Could you explain how it impacts x86? For CONFIG_KEXEC_SIG, I simply enable it for aarch64 RHEL and it has already been enabled for x86 and aarch64 Fedora. For CONFIG_KEXEC_IMAGE_VERIFY_SIG, it's only used by aarch64.
From: Coiby Xu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_7194598...
It's not a NO-OP for POWER. With KEXEC_SIG enabled, some code in kernel/kexec_file.c would be invoked. For example, kimage_validate_signature would be called and this may lead to the failure of validating POWER kernel image's signature since POWER doesn't have image->fops->verify_sig.
From: Coiby Xu on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_7199065...
Oh, I made a mistake. KEXEC_SIG doesn't exist for POWER. So it's indeed a NO-OP.
Btw, POWER uses IMA appraise to verify the signature appended to the kernel image. So it doesn't need it.
kernel@lists.fedoraproject.org