[PATCH 0/2] Kexec: Sign Image before packing into EFI STUB

Pingfan Liu piliu at redhat.com
Thu Dec 5 18:09:55 PST 2024


At present, the kexec_file_load of either zboot or UKI kernel relies on
the user space to parse and extract the Image, and then pass the Image
through that syscall. During this process, the outmost signature on
zboot or UKI kernel is stripped and discarded.

On the other hand, a secure boot platform enforces the signature
verification on the kernel image passed through the kexec_file_load
syscall. To cater to this requirement, this patch applies signature on
the PE format 'Image' before padding.

The key used to sign is the same as module sign key, and the signing
tool is sbsign.

Cc: Ard Biesheuvel <ardb at kernel.org>
Cc: Will Deacon <will at kernel.org>
Cc: Masahiro Yamada <masahiroy at kernel.org>
Cc: Baoquan He <bhe at redhat.com>
Cc: Dave Young <dyoung at redhat.com>
Cc: Eric Biederman <ebiederm at xmission.com>
To: kexec at lists.infradead.org
To: linux-efi at vger.kernel.org


Pingfan Liu (2):
  Makefile.zboot: Sign Image before packing into EFI-STUB shell
  kexec: Introduce KEXEC_SIGN_IMAGE config option

 drivers/firmware/efi/libstub/Makefile.zboot | 13 +++++++++++++
 kernel/Kconfig.kexec                        |  9 +++++++++
 2 files changed, 22 insertions(+)

-- 
2.41.0
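
A check for whether an extracted PE 'Image' carries an embedded signature, as an added example that is not part of the original message or the patch series. It only inspects the PE attribute certificate table, where sbsign places its signature, and does not validate that signature against any key; the function names and the sample header are constructed for illustration.

```python
import struct

CERT_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def pe_cert_entries(data: bytes):
    """List (revision, type, length) of each WIN_CERTIFICATE in a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20               # skip PE magic and COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    if ndirs <= CERT_DIR_INDEX:
        return []
    # Unlike other directories, this one holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 8 * CERT_DIR_INDEX)
    if off + size > len(data):
        raise ValueError("certificate table runs past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((rev, ctype, length))
        pos += (length + 7) & ~7        # entries are 8-byte aligned
    return entries

def has_embedded_signature(data: bytes) -> bool:
    """True if a PKCS#7 signature blob is present (presence, not validity)."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for _, t, _ in pe_cert_entries(data))

def sample_pe(sig: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header for the demo (not a bootable Image)."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<H", hdr, 0x58, 0x20B)        # optional header magic
    struct.pack_into("<I", hdr, 0x58 + 108, 16)     # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 8 + len(sig), 0x0200, 2) + sig if sig else b""
    cert += b"\0" * (-len(cert) % 8)
    struct.pack_into("<II", hdr, 0x58 + 112 + 32, len(hdr) if sig else 0, len(cert))
    return bytes(hdr) + cert
```

On a real build, pass the bytes of the Image that user space extracts from the zboot or UKI container to `has_embedded_signature`.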



