[PATCH 2/2] arm64: Enable signing on the kernel image loaded by kexec file load

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Pingfan Liu <piliu@xxxxxxxxxx>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu@xxxxxxxxxx>
Cc: "Ard Biesheuvel <ardb@xxxxxxxxxx>"
Cc: "Jan Hendrik Farr" <kernel@xxxxxxxx>
Cc: "Baoquan He" <bhe@xxxxxxxxxx>
Cc: "Dave Young" <dyoung@xxxxxxxxxx>
Cc: "Philipp Rudo" <prudo@xxxxxxxxxx>
Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
Cc: Mark Rutland <mark.rutland@xxxxxxx>
Cc: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
To: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx
To: linux-efi@xxxxxxxxxxxxxxx
To: kexec@xxxxxxxxxxxxxxxxxxx
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@ config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu
-- 
2.31.1




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux