On Wed, 2019-02-27 at 14:22 -0800, James Bottomley wrote:
> On Wed, 2019-02-27 at 22:02 +0000, Jordan Hand wrote:
>
> Um, this is already upstream. The slight problem is that kernel
> bzImages are arch specific, so the file you're looking for is
>
> arch/x86/kernel/kexec-bzimage64.c
>
> You'll find the signature verifier for x86 bzImages is the PE one. The
> current problem is more that the kernel keyring doesn't trust the
> secure boot keys, so the issue isn't with the signature format it's with
> keyring trust.

With CONFIG_INTEGRITY_PLATFORM_KEYRING enabled, the pre-boot keys are
loaded onto the new "platform" keyring. Queued for v5.1 are two patches
which allow verifying the PE signed kernel image based on keys in the
platform keyring.

Mimi