On Wed, Sep 03, 2014 at 03:46:01PM -0400, Vivek Goyal wrote: > New kexec syscall (kexec_file_load()) can perform bzimage signature > verification. > > This will re-enable kexec/kdump on secureboot systems using new syscall. > Currently kexec/kdump is disabled on secureboot systems. > > User space (kexec-tools) will be modifed to automatically detect that > running system has secureboot enabled and use new syscall instead of > old one. Nice. This should work out well. Thanks for getting this upstream. To be extra clear, the Fedora kernel builds should already be getting the proper signature at build time via pesign, correct? josh > > Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx> > --- > config-x86-generic | 3 ++- > config-x86_64-generic | 3 +++ > 2 files changed, 5 insertions(+), 1 deletion(-) > > Index: fedora-linux/config-x86-generic > =================================================================== > --- fedora-linux.orig/config-x86-generic 2014-09-03 15:14:22.657901263 -0400 > +++ fedora-linux/config-x86-generic 2014-09-03 15:14:26.654924830 -0400 > @@ -499,8 +499,9 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m > CONFIG_XZ_DEC_X86=y > > CONFIG_MPILIB=y > -CONFIG_PKCS7_MESSAGE_PARSER=m > +CONFIG_PKCS7_MESSAGE_PARSER=y > # CONFIG_PKCS7_TEST_KEY is not set > +CONFIG_SIGNED_PE_FILE_VERIFICATION=y > CONFIG_SYSTEM_TRUSTED_KEYRING=y > CONFIG_SYSTEM_BLACKLIST_KEYRING=y > CONFIG_MODULE_SIG=y > Index: fedora-linux/config-x86_64-generic > =================================================================== > --- fedora-linux.orig/config-x86_64-generic 2014-09-03 15:14:22.658901268 -0400 > +++ fedora-linux/config-x86_64-generic 2014-09-03 15:23:53.655268010 -0400 > @@ -42,6 +42,9 @@ CONFIG_CGROUP_HUGETLB=y > CONFIG_MEM_SOFT_DIRTY=y > > CONFIG_KEXEC_JUMP=y > +CONFIG_KEXEC_FILE=y > +CONFIG_KEXEC_VERIFY_SIG=y > +CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y > > CONFIG_ACPI_HOTPLUG_MEMORY=y > _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
