New kexec syscall (kexec_file_load()) can perform bzimage signature verification. This will re-enable kexec/kdump on secureboot systems using new syscall. Currently kexec/kdump is disabled on secureboot systems. User space (kexec-tools) will be modified to automatically detect that running system has secureboot enabled and use new syscall instead of old one. Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx> --- config-x86-generic | 3 ++- config-x86_64-generic | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) Index: fedora-linux/config-x86-generic =================================================================== --- fedora-linux.orig/config-x86-generic 2014-09-03 15:14:22.657901263 -0400 +++ fedora-linux/config-x86-generic 2014-09-03 15:14:26.654924830 -0400 @@ -499,8 +499,9 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m CONFIG_XZ_DEC_X86=y CONFIG_MPILIB=y -CONFIG_PKCS7_MESSAGE_PARSER=m +CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_PKCS7_TEST_KEY is not set +CONFIG_SIGNED_PE_FILE_VERIFICATION=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_MODULE_SIG=y Index: fedora-linux/config-x86_64-generic =================================================================== --- fedora-linux.orig/config-x86_64-generic 2014-09-03 15:14:22.658901268 -0400 +++ fedora-linux/config-x86_64-generic 2014-09-03 15:23:53.655268010 -0400 @@ -42,6 +42,9 @@ CONFIG_CGROUP_HUGETLB=y CONFIG_MEM_SOFT_DIRTY=y CONFIG_KEXEC_JUMP=y +CONFIG_KEXEC_FILE=y +CONFIG_KEXEC_VERIFY_SIG=y +CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y CONFIG_ACPI_HOTPLUG_MEMORY=y
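Review bot: In the config-x86-generic hunk, the changelog does not explain why CONFIG_PKCS7_MESSAGE_PARSER moves from =m to =y, and CONFIG_SIGNED_PE_FILE_VERIFICATION=y is added to this file while the option that uses it, CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y, is set only in config-x86_64-generic. If config-x86-generic is also used for 32-bit builds, those builds would carry a built-in PKCS#7 parser and PE verifier with no kexec_file_load() caller. Please either move both lines next to the KEXEC_* options in config-x86_64-generic, or add a sentence to the changelog saying why they belong in the shared file and why the parser can no longer be modular.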
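Review bot: CONFIG_KEXEC_VERIFY_SIG=y in the config-x86_64-generic hunk makes signature verification mandatory for every kexec_file_load() call, whereas the changelog only says the syscall "can perform" verification and frames the change around secureboot systems. Please state in the changelog that with this config the new syscall rejects unsigned images regardless of secureboot state, and that kexec/kdump on secureboot systems stays disabled until the kexec-tools change mentioned there is available, so the ordering between the kernel config change and the user-space change is explicit.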