From: Pingfan Liu <piliu@xxxxxxxxxx>

I hesitate to post this series, since Ard has recommended using an emulated
UEFI boot service to resolve the UKI kexec load problem [1]. Since on aarch64,
vmlinuz.efi has faced a similar issue at present. But anyway, I have a crude
outline of it and am sending it out for discussion.

For security boot, the vmlinuz.efi will be signed so the UEFI boot loader can
check against it. But at present, there is no signature for kexec file load;
this series makes a signature on the zboot's payload -- Image before it is
compressed. As a result, the kexec-tools parses and decompresses the Image.gz
to get the Image, which has a signature and can be checked against during kexec
file load.

[1]: https://lore.kernel.org/lkml/20230918173607.421d2616@rotkaeppchen/T/#mc60aa591cb7616ceb39e1c98f352383f9ba6e985

Cc: "Ard Biesheuvel <ardb@xxxxxxxxxx>"
Cc: "Jan Hendrik Farr" <kernel@xxxxxxxx>
Cc: "Baoquan He" <bhe@xxxxxxxxxx>
Cc: "Dave Young" <dyoung@xxxxxxxxxx>
Cc: "Philipp Rudo" <prudo@xxxxxxxxxx>
Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
Cc: Mark Rutland <mark.rutland@xxxxxxx>
Cc: Catalin Marinas <catalin.marinas@xxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
To: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx
To: linux-efi@xxxxxxxxxxxxxxx
To: kexec@xxxxxxxxxxxxxxxxxxx

Pingfan Liu (2):
  zboot: Signing the payload
  arm64: Enable signing on the kernel image loaded by kexec file load

 arch/arm64/Kconfig                          |  2 +
 drivers/firmware/efi/libstub/Makefile.zboot | 23 +++++++--
 kernel/Kconfig.kexec_sign                   | 54 +++++++++++++++++++++
 3 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 kernel/Kconfig.kexec_sign

-- 
2.31.1