[PATCH 2/2] arm64: Enable signing on the kernel image loaded by kexec file load

Thu Sep 21 06:37:03 PDT 2023

From: Pingfan Liu <piliu at redhat.com>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu at redhat.com>
Cc: "Ard Biesheuvel <ardb at kernel.org>"
Cc: "Jan Hendrik Farr" <kernel at jfarr.cc>
Cc: "Baoquan He" <bhe at redhat.com>
Cc: "Dave Young" <dyoung at redhat.com>
Cc: "Philipp Rudo" <prudo at redhat.com>
Cc: Ard Biesheuvel <ardb at kernel.org>
Cc: Mark Rutland <mark.rutland at arm.com>
Cc: Catalin Marinas <catalin.marinas at arm.com>
Cc: Will Deacon <will at kernel.org>
To: linux-arm-kernel at lists.infradead.org
To: linux-efi at vger.kernel.org
To: kexec at lists.infradead.org
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@ config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu
-- 
2.31.1


