[PATCH 2/2] kexec: Introduce KEXEC_SIGN_IMAGE config option
Pingfan Liu
piliu at redhat.com
Thu Dec 5 18:09:57 PST 2024
The internal Image should be signed only when kexec_file_load checks the
signature and the Image is packed into EFI-STUB. Furthermore, it is
signed with the module key.
Use the configuration condition to reflect the above dependency.
Signed-off-by: Pingfan Liu <piliu at redhat.com>
Cc: Baoquan He <bhe at redhat.com>
Cc: Dave Young <dyoung at redhat.com>
Cc: Eric Biederman <ebiederm at xmission.com>
To: kexec at lists.infradead.org
---
kernel/Kconfig.kexec | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec
index 4d111f871951..cb8afe8e17e5 100644
--- a/kernel/Kconfig.kexec
+++ b/kernel/Kconfig.kexec
@@ -69,6 +69,15 @@ config KEXEC_SIG_FORCE
This option makes kernel signature verification mandatory for
the kexec_file_load() syscall.
+config KEXEC_SIGN_IMAGE
+ bool "Sign Image before it is packed into EFI stub"
+ depends on KEXEC_SIG && EFI_STUB && MODULE_SIG
+ default y
+ help
+ This option utilizes the module signing key to sign the kernel
+ inside EFI stub shell. So the internal kernel can pass through
+ the signature verification.
+
config KEXEC_IMAGE_VERIFY_SIG
bool "Enable Image signature verification support (ARM)"
default ARCH_DEFAULT_KEXEC_IMAGE_VERIFY_SIG
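Review bot: `default y` on the new KEXEC_SIGN_IMAGE entry means every configuration that already has KEXEC_SIG, EFI_STUB and MODULE_SIG set starts signing the embedded kernel with the module signing key without anyone opting in, so a key that was provisioned only for modules also vouches for a kexec-loadable kernel image. Either make the option default to off or state that widened key scope in the help text, so that whoever manages the key sees it at config time. The help text itself needs tightening: "inside EFI stub shell" is unclear (something like "the kernel Image embedded in the EFI stub" would read better), "pass through the signature verification" should name kexec_file_load() as the verifier, and it should say which key or keyring is expected to validate the signature at load time, since the entry only states which key signs. The name is also one letter away from KEXEC_SIG and sits directly above KEXEC_IMAGE_VERIFY_SIG, so the help text should say that this is a build-time signing step and not a runtime verification switch.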
--
2.41.0