Only when kexec_file_load checks the signature and Image is packed into EFI-STUB, the internal Image should be signed. Furthermore, it is signed with the module key. Using the configuration condition to reflect the above dependency. Signed-off-by: Pingfan Liu <piliu@xxxxxxxxxx> Cc: Baoquan He <bhe@xxxxxxxxxx> Cc: Dave Young <dyoung@xxxxxxxxxx> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx> To: kexec@xxxxxxxxxxxxxxxxxxx --- kernel/Kconfig.kexec | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec index 4d111f871951..cb8afe8e17e5 100644 --- a/kernel/Kconfig.kexec +++ b/kernel/Kconfig.kexec @@ -69,6 +69,15 @@ config KEXEC_SIG_FORCE This option makes kernel signature verification mandatory for the kexec_file_load() syscall. +config KEXEC_SIGN_IMAGE + bool "Sign Image before it is packed into EFI stub" + depends on KEXEC_SIG && EFI_STUB && MODULE_SIG + default y + help + This option utilizes the module signing key to sign the kernel + inside EFI stub shell. So the internal kernel can pass through + the signature verification. + config KEXEC_IMAGE_VERIFY_SIG bool "Enable Image signature verification support (ARM)" default ARCH_DEFAULT_KEXEC_IMAGE_VERIFY_SIG -- 2.41.0
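Review bot: The help text of the new `config KEXEC_SIGN_IMAGE` entry does not spell out the trust consequence of reusing the module signing key, and `default y` enables that reuse automatically. With `depends on KEXEC_SIG && EFI_STUB && MODULE_SIG`, any configuration that already sets those three options gets the inner kernel signed with the module key, so one key then vouches both for modules and for the image that passes kexec_file_load() signature verification. Please state this in the help text, along with when the signing happens, and either justify `default y` in the commit message or make the option opt-in. The wording "inside EFI stub shell" is also unclear; something like "the kernel Image embedded in the EFI stub" would match the prompt string. Since the diffstat shows only kernel/Kconfig.kexec changing, nothing in this patch consumes the symbol, so the help text is the only description of the behaviour a reader of this change gets.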