At present, the kexec_file_load of either a zboot or UKI kernel relies on user space to parse and extract the Image, and then pass the Image through that syscall. During this process, the outermost signature on the zboot or UKI kernel is stripped and discarded.

On the other hand, a secure boot platform enforces signature verification on the kernel image passed through the kexec_file_load syscall. To cater to this requirement, this patch applies a signature to the PE format 'Image' before padding. The key used to sign is the same as the module sign key, and the signing tool is sbsign.

Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx>
Cc: Baoquan He <bhe@xxxxxxxxxx>
Cc: Dave Young <dyoung@xxxxxxxxxx>
Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
To: kexec@xxxxxxxxxxxxxxxxxxx
To: linux-efi@xxxxxxxxxxxxxxx

Pingfan Liu (2):
  Makefile.zboot: Sign Image before packing into EFI-STUB shell
  kexec: Introduce KEXEC_SIGN_IMAGE config option

 drivers/firmware/efi/libstub/Makefile.zboot | 13 +++++++++++++
 kernel/Kconfig.kexec                        |  9 +++++++++
 2 files changed, 22 insertions(+)

-- 
2.41.0