[PATCH 1/2] zboot: Signing the payload

From: Pingfan Liu <piliu@xxxxxxxxxx>

Emulate the scheme of module signing to sign the zboot's payload, i.e.
Image, before it is compressed.

And overall, the signature on vmlinuz.efi will be used by the UEFI boot
loader and the signature on Image will be used by kexec file load.

Signed-off-by: Pingfan Liu <piliu@xxxxxxxxxx>
Cc: "Ard Biesheuvel <ardb@xxxxxxxxxx>"
Cc: "Jan Hendrik Farr" <kernel@xxxxxxxx>
Cc: "Baoquan He" <bhe@xxxxxxxxxx>
Cc: "Dave Young" <dyoung@xxxxxxxxxx>
Cc: "Philipp Rudo" <prudo@xxxxxxxxxx>
Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
Cc: Mark Rutland <mark.rutland@xxxxxxx>
Cc: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
To: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx
To: linux-efi@xxxxxxxxxxxxxxx
To: kexec@xxxxxxxxxxxxxxxxxxx

---
 drivers/firmware/efi/libstub/Makefile.zboot | 23 ++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 2c489627a807..fd4305a4ebbd 100644
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -4,13 +4,30 @@
 # EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
 # EFI_ZBOOT_FORWARD_CFI
 
-quiet_cmd_copy_and_pad = PAD     $@
-      cmd_copy_and_pad = cp $< $@ && \
+
+#
+# Signing
+#
+ifeq ($(CONFIG_KEXEC_ZBOOT_SIG),y)
+ifeq ($(filter pkcs11:%, $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),)
+sig-key := $(if $(wildcard $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),,$(srctree)/)$(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+else
+sig-key := $(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+endif
+cmd_sign = scripts/sign-file $(CONFIG_KEXEC_ZBOOT_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@
+else
+      cmd_sign := :
+endif
+
+cmd_copy_and_pad = cp $< $@ && \
 			 truncate -s $(shell hexdump -s16 -n4 -e '"%u"' $<) $@
 
+quiet_cmd_copy_and_pad_sign = PAD and SIGN     $@
+      cmd_copy_and_pad_sign = $(cmd_copy_and_pad) && $(cmd_sign)
+
 # Pad the file to the size of the uncompressed image in memory, including BSS
 $(obj)/vmlinux.bin: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
-	$(call if_changed,copy_and_pad)
+	$(call if_changed,copy_and_pad_sign)
 
 comp-type-$(CONFIG_KERNEL_GZIP)		:= gzip
 comp-type-$(CONFIG_KERNEL_LZ4)		:= lz4
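
Review bot: In cmd_sign the private key is taken from CONFIG_KEXEC_ZBOOT_SIG_KEY, but the certificate argument is fixed to certs/signing_key.x509, so a key configured differently from the module signing key would yield a signature whose embedded signer information does not match the key that produced it. Either derive the certificate from a matching config option or document (and enforce in Kconfig) that the zboot key must be the module signing key. Related to this, the $(obj)/vmlinux.bin rule still lists only $(obj)/$(EFI_ZBOOT_PAYLOAD) as a prerequisite, so nothing visible here orders the signing step after certs/signing_key.x509 exists or re-runs it when the key file content changes. Two further points: sign-file appends the signature to $@ after the truncate has set the file to the size read at offset 16 of the header, so vmlinux.bin ends up larger than the "size of the uncompressed image in memory" that the retained comment describes, and the comment and any consumer of that size should say so explicitly. Finally, with CONFIG_KEXEC_ZBOOT_SIG unset the build still prints "PAD and SIGN" while cmd_sign is the no-op ":", which is misleading in build logs; keep the original PAD string in that case, and drop the stray blank line and the mixed "=" / ":=" assignment styles while here.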
-- 
2.31.1


_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec


