On Mon, Jun 16, 2014 at 11:13:28PM +0200, Borislav Petkov wrote: > On Tue, Jun 03, 2014 at 09:06:49AM -0400, Vivek Goyal wrote: > > This patch series does not do kernel signature verification yet. I > > plan to post another patch series for that. Now bzImage is already > > signed with PKCS7 signature I plan to parse and verify those > > signatures. > > Btw, do you have a brief outline on how you are going to do the > extension to signature verification? Nothing formal, just enough of an > outline that I can see where in the flow it will be plugged in. > > I was wondering how the whole signature signing and verification will > be done, i.e., where do I get the signature, how and who will verify it > (I'm guessing the purgatory code), etc, etc. Hi Boris, I am still working on signing patches. I have uploaded them here for you to have a look. http://people.redhat.com/vgoyal/kdump-secureboot/in-kernel-kexec/bzimage-sig-verification/ Last patch should give you a good idea how signature verification hooks into kexec. Signature verification patches are based on David Howell's work. There is no purgatory involved here. Once we have copied kernel image into kernel space, first thing we do is call into arch image loader and ask it to verify signature of image. And bzImage loader in turn calls into helper functions which can parse a PE signed file and verify image signature. I have yet to cleanup the code, implement a config option which enforces signature verification. Automatic enforncement of signature verification if secureboot is enabled will happen once matthew's secureboot patches are merged into mainline. Thanks Vivek
