[PATCH 1/2] Makefile.zboot: Sign Image before packing into EFI-STUB shell

At present, the kexec_file_load of either zboot or UKI kernel relies on
the user space to parse and extract the Image, and then pass the Image
through that syscall. During this process, the outmost signature on
zboot or UKI kernel is stripped and discarded.

On the other hand, a secure boot platform enforces the signature
verification on the kernel image passed through the kexec_file_load
syscall. To cater to this requirement, this patch applies signature on
the PE format 'Image' before padding.

The key used to sign is the same as module sign key, and the signing
tool is sbsign. And the configure macro KEXEC_SIGN_IMAGE will be
introduced in the next patch. (Hence actually this patch does not take
effect)

Signed-off-by: Pingfan Liu <piliu@xxxxxxxxxx>
Cc: Ard Biesheuvel <ardb@xxxxxxxxxx>
Cc: Will Deacon <will@xxxxxxxxxx>
Cc: Masahiro Yamada <masahiroy@xxxxxxxxxx>
To: linux-efi@xxxxxxxxxxxxxxx
---
 drivers/firmware/efi/libstub/Makefile.zboot | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 65ffd0b760b2..8852289f80e8 100644
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -4,9 +4,22 @@
 # EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
 # EFI_ZBOOT_FORWARD_CFI
 
+ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
+sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
+else
+sig-key := $(CONFIG_MODULE_SIG_KEY)
+endif
+
 quiet_cmd_copy_and_pad = PAD     $@
+ifeq ($(CONFIG_KEXEC_SIGN_IMAGE),y)
+      cmd_copy_and_pad = openssl x509 -in certs/signing_key.x509 -inform DER -outform PEM -out certs/signing_key_cert.pem; \
+			 sbsign  --key "$(sig-key)" --cert certs/signing_key_cert.pem --output $<.signed $<; \
+			 cp $<.signed $@; \
+			 truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
+else
       cmd_copy_and_pad = cp $< $@; \
 			 truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
+endif
 
 # Pad the file to the size of the uncompressed image in memory, including BSS
 $(obj)/vmlinux.bin: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
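Review bot: In the CONFIG_KEXEC_SIGN_IMAGE branch of cmd_copy_and_pad, `truncate -s` runs after sbsign has appended the signature and still takes its size from the header of the unsigned `$<`, so the signature is cut off if that size is smaller than `$<.signed`, and is followed by zero padding if it is larger. Please either compare the header size against the size of `$<.signed` and fail the build when the signed file is larger, or state in the commit message that the padded file still passes verification on the kexec_file_load path. Separately, in the pkcs11: case `sig-key` is handed to `sbsign --key` with no engine selected, and `$<.signed` and `certs/signing_key_cert.pem` are written as side effects that this hunk does not add to any target or clean list; the `PAD` quiet string also no longer describes what the command does when signing is enabled.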
-- 
2.41.0