[PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec
vgoyal at redhat.com
Thu Nov 21 14:13:05 EST 2013
On Thu, Nov 21, 2013 at 07:06:20PM +0000, Matthew Garrett wrote:
> On Thu, Nov 21, 2013 at 11:03:50AM -0800, Greg KH wrote:
> > This could be done as we do with modules, and just tack the signature
> > onto the end of the 'blob' of the image. That way we could use the same
> > tool to sign the binary as we do for modules, and save the need for
> > extra parameters in the syscall.
> That would require a certain degree of massaging from userspace if we
> want to be able to use the existing Authenticode signatures. Otherwise
> we need to sign kernels twice.
I was thinking of signing the same kernel twice. Can I sign an authenticode
signed kernel again (using an RSA signature as we do for modules) and append
the signature to bzImage?
I am wondering if authenticode signature verification will fail due
to this extra signature at the end of bzImage. pjones thought that it
will break authenticode signature verification. CCing him.
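
For reference, the module-style "signature tacked onto the end of the blob" layout discussed above can be split apart as follows. This is an added example, not code from the original post or the patch series. It assumes the layout the kernel's module signing used at the time (payload, signer name, key id, signature, 12-byte descriptor, magic string); the names `mod_sig`, `split` and `split_appended_sig` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIG_MAGIC "~Module signature appended~\n"

/* Descriptor preceding the magic string (mirrors struct module_signature). */
struct mod_sig {
    uint8_t algo, hash, id_type, signer_len, key_id_len, pad[3];
    uint8_t sig_len_be[4];          /* signature length, big-endian */
};

struct split {                      /* hypothetical result type */
    size_t payload_len;             /* bytes the appended signature covers */
    size_t sig_off;                 /* offset of the raw signature data */
    size_t sig_len;
};

/* Returns 0 and fills *out if blob ends in a well-formed trailer, else -1. */
int split_appended_sig(const uint8_t *blob, size_t len, struct split *out)
{
    const size_t mlen = sizeof(SIG_MAGIC) - 1;
    struct mod_sig ms;
    size_t sig_len, ids;

    if (len < mlen + sizeof(ms))
        return -1;
    if (memcmp(blob + len - mlen, SIG_MAGIC, mlen) != 0)
        return -1;                  /* no appended signature present */
    len -= mlen;
    memcpy(&ms, blob + len - sizeof(ms), sizeof(ms));
    len -= sizeof(ms);

    sig_len = ((size_t)ms.sig_len_be[0] << 24) | ((size_t)ms.sig_len_be[1] << 16) |
              ((size_t)ms.sig_len_be[2] << 8)  |  (size_t)ms.sig_len_be[3];
    ids = (size_t)ms.signer_len + ms.key_id_len;

    /* Reject lengths that would reach back past the start of the blob. */
    if (sig_len > len || ids > len - sig_len)
        return -1;

    out->sig_len = sig_len;
    out->sig_off = len - sig_len;
    out->payload_len = len - sig_len - ids;
    return 0;
}
```

Everything from `payload_len` to the end of the file is extra data that a verifier of any signature embedded inside the payload would also see when it reads the whole file.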