From: Pingfan Liu <piliu@xxxxxxxxxx> Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT are configured. Signed-off-by: Pingfan Liu <piliu@xxxxxxxxxx> Cc: "Ard Biesheuvel <ardb@xxxxxxxxxx>" Cc: "Jan Hendrik Farr" <kernel@xxxxxxxx> Cc: "Baoquan He" <bhe@xxxxxxxxxx> Cc: "Dave Young" <dyoung@xxxxxxxxxx> Cc: "Philipp Rudo" <prudo@xxxxxxxxxx> Cc: Ard Biesheuvel <ardb@xxxxxxxxxx> Cc: Mark Rutland <mark.rutland@xxxxxxx> Cc: Catalin Marinas <catalin.marinas@xxxxxxx> Cc: Will Deacon <will@xxxxxxxxxx> To: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx To: linux-efi@xxxxxxxxxxxxxxx To: kexec@xxxxxxxxxxxxxxxxxxx --- arch/arm64/Kconfig | 2 ++ kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 kernel/Kconfig.kexec_sign diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index a2511b30d0f6..e067864d7ea1 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1493,6 +1493,8 @@ config KEXEC_SIG verification for the corresponding kernel image type being loaded in order for this to work. +source "kernel/Kconfig.kexec_sign" + config KEXEC_IMAGE_VERIFY_SIG bool "Enable Image signature verification support" default y diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign new file mode 100644 index 000000000000..880aa9aed9a8 --- /dev/null +++ b/kernel/Kconfig.kexec_sign 
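Review bot: The new fragment lives under kernel/ yet is sourced from exactly one place, here in arch/arm64/Kconfig between KEXEC_SIG and KEXEC_IMAGE_VERIFY_SIG, so its path suggests a generic facility while its wiring is arm64-only; the next person adding zboot signing for another EFI architecture will not find it. Either source it from wherever the generic KEXEC_SIG machinery is defined in this tree (the menu already guards itself with `depends on KEXEC_SIG && EFI_ZBOOT`, so sourcing it generically is safe), or move the file under arch/arm64/ so location and scope agree. At minimum the bare `source` line deserves a one-line comment saying why it sits in the middle of the KEXEC_* options, e.g. `# Build-time signing of the EFI zboot image, see kernel/Kconfig.kexec_sign`.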
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+ depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+ string "File name or PKCS#11 URI of Image signing key"
+ default "certs/signing_key.pem"
+ help
+ Provide the file name of a private key/certificate in PEM format,
+ or a PKCS#11 URI according to RFC7512. The file should contain, or
+ the URI should identify, both the certificate and its corresponding
+ private key.
+
+ If this option is unchanged from its default "certs/signing_key.pem",
+ then the kernel will automatically generate the private key and
+ certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+ prompt "Which hash algorithm should Image be signed with?"
+ help
+ This determines which sort of hashing algorithm will be used during
+ signature generation.
+
+config IMAGE_SIG_SHA1
+ bool "Sign Image with SHA-1"
+ select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+ bool "Sign Image with SHA-224"
+ select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+ bool "Sign Image with SHA-256"
+ select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+ bool "Sign Image with SHA-384"
+ select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+ bool "Sign Image with SHA-512"
+ select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+ string
+ default "sha1" if IMAGE_SIG_SHA1
+ default "sha224" if IMAGE_SIG_SHA224
+ default "sha256" if IMAGE_SIG_SHA256
+ default "sha384" if IMAGE_SIG_SHA384
+ default "sha512" if IMAGE_SIG_SHA512
+endmenu
--
2.31.1
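Review bot: The hash `choice` carries no `default`, and Kconfig then selects the first visible entry, so IMAGE_SIG_SHA1 becomes the out-of-the-box hash for the kexec image signature that KEXEC_SIG is meant to enforce; SHA-1 is collision-broken and should not be the default of a newly introduced signing facility. Add an explicit default right after the prompt, `default IMAGE_SIG_SHA512`, and either drop the IMAGE_SIG_SHA1 entry or mark it so nobody picks it unknowingly, e.g. `bool "Sign Image with SHA-1 (deprecated, collision-broken)"`. The symbol naming is also inconsistent: the key is KEXEC_ZBOOT_SIG_KEY while the hash symbols are the very generic IMAGE_SIG_SHA* / IMAGE_SIG_HASH, and a common KEXEC_ZBOOT_SIG_ prefix would avoid future clashes and make the zboot-only scope obvious. Finally, the KEXEC_ZBOOT_SIG_KEY help text points at the auto-generated module-signing key but never says that the certificate must be trusted by the kernel performing the kexec for verification to succeed; I assume that is via the built-in trusted keyring, and a sentence stating the requirement would save users a failed kexec.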