On Thu, Sep 5, 2013 at 9:19 AM, Josh Boyer <jwboyer@xxxxxxxxx> wrote:
> On Wed, Sep 4, 2013 at 9:57 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>> This is the logic to verify bzImage signature. Signature verification
>> happens only if secureboot is enabled.
>>
>> Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx>
>> ---
>
>> +/* >> + * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's >> + * signature. >> + */ >> +static bool is_secureboot_enabled(void) { >> + int fd, ret; >> + char value = 0; >> + >> + fd = open("/sys/kernel/secureboot_enabled", O_RDONLY); >> + if (fd == -1) { >> + /* For backward compatibility with old kernels */ >> + return false; >> + } >> + >> + ret = read(fd, &value, sizeof(value)); >> + if (ret < 0) { >> + die("Failed to read /sys/kernel/secureboot_enabled"); >> + } >> + >> + if (value == '1') >> + return true; >> + else >> + return false; >> +} >> + >> +static bool is_secure_modules_enabled(void) { >> + int fd, ret; >> + char value = 0; >> + >> + fd = open("/sys/kernel/secure_modules_enabled", O_RDONLY); >> + if (fd == -1) { >> + /* For backward compatibility with old kernels */ >> + return false; >> + } >> + >> + ret = read(fd, &value, sizeof(value)); >> + if (ret < 0) { >> + die("Failed to read /sys/kernel/secure_modules_enabled"); >> + } >> + >> + if (value == '1') >> + return true; >> + else >> + return false; >> +}
>
> Neither one of the secure_modules_enabled or secureboot_enabled files
> exist in /sys/kernel/. As far as I know, they never have. Is there a
> patch missing in the kernel set that adds these?
>
> I'm curious how you tested this.

Nevermind. For some reason I don't have patch 15/19 in my mailbox, but
looking in the archives I see you added them there. My mistake.

josh
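
Review bot: In both is_secureboot_enabled() and is_secure_modules_enabled(), the "if (fd == -1)" branch returns false for every open() failure, not only for a missing file, so an error such as EACCES or EMFILE on a kernel that does provide the sysfs file is reported as "not enabled", and per the commit message that means signature verification does not happen. Suggest returning false only when errno is ENOENT and calling die() for any other error, so the backward-compatibility path cannot mask a real failure. Related points in the same functions: a read() that returns 0 leaves value at 0 and also falls through to false, fd is never closed on any path, and the two bodies differ only in the path string, so a single helper that takes the path and ends in "return value == '1';" would remove the duplication.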