[PATCH 1/2] zboot: Signing the payload
Pingfan Liu
kernelfans at gmail.com
Thu Sep 21 06:37:02 PDT 2023
From: Pingfan Liu <piliu at redhat.com>
Emulate the scheme of module signing to sign the zboot's payload i.e.
Image before it is compressed.
And overall, the signature on vmlinuz.efi will be used by UEFI boot
loader and the signature on Image will be used by kexec file load.
Signed-off-by: Pingfan Liu <piliu at redhat.com>
Cc: "Ard Biesheuvel <ardb at kernel.org>"
Cc: "Jan Hendrik Farr" <kernel at jfarr.cc>
Cc: "Baoquan He" <bhe at redhat.com>
Cc: "Dave Young" <dyoung at redhat.com>
Cc: "Philipp Rudo" <prudo at redhat.com>
Cc: Ard Biesheuvel <ardb at kernel.org>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Catalin Marinas <catalin.marinas at arm.com>
Cc: Will Deacon <will at kernel.org>
To: linux-arm-kernel at lists.infradead.org
To: linux-efi at vger.kernel.org
To: kexec at lists.infradead.org
---
drivers/firmware/efi/libstub/Makefile.zboot | 23 ++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 2c489627a807..fd4305a4ebbd 100644
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -4,13 +4,30 @@
# EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
# EFI_ZBOOT_FORWARD_CFI
-quiet_cmd_copy_and_pad = PAD $@
- cmd_copy_and_pad = cp $< $@ && \
+
+#
+# Signing
+#
+ifeq ($(CONFIG_KEXEC_ZBOOT_SIG),y)
+ifeq ($(filter pkcs11:%, $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),)
+sig-key := $(if $(wildcard $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),,$(srctree)/)$(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+else
+sig-key := $(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+endif
+cmd_sign = scripts/sign-file $(CONFIG_KEXEC_ZBOOT_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@
+else
+ cmd_sign := :
+endif
+
+cmd_copy_and_pad = cp $< $@ && \
truncate -s $(shell hexdump -s16 -n4 -e '"%u"' $<) $@
+quiet_cmd_copy_and_pad_sign = PAD and SIGN $@
+ cmd_copy_and_pad_sign = $(cmd_copy_and_pad) && $(cmd_sign)
+
# Pad the file to the size of the uncompressed image in memory, including BSS
$(obj)/vmlinux.bin: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
- $(call if_changed,copy_and_pad)
+ $(call if_changed,copy_and_pad_sign)
comp-type-$(CONFIG_KERNEL_GZIP) := gzip
comp-type-$(CONFIG_KERNEL_LZ4) := lz4
--
2.31.1
More information about the kexec
mailing list