Michal Suchanek <msuchanek@xxxxxxx> writes:

> S390 uses appended signature for kernel but implements the check
> separately from module loader.
>
> Support for secure boot on powerpc with appended signature is planned -
> grub patches submitted upstream but not yet merged.

Power Non-Virtualised / OpenPower already supports secure boot via kexec
with signature verification via IMA. I think you have now sent a
follow-up series that merges some of the IMA implementation, I just
wanted to make sure it was clear that we actually already have support
for this in the kernel, it's just grub that is getting new support.

> This is an attempt at unified appended signature verification.

I am always in favour of fewer reimplementations of the same feature in
the kernel :)

Regards,
Daniel

>
> Thanks
>
> Michal
>
> Michal Suchanek (3):
>   s390/kexec_file: Don't opencode appended signature verification.
>   module: strip the signature marker in the verification function.
>   powerpc/kexec_file: Add KEXEC_SIG support.
>
>  arch/powerpc/Kconfig                  | 11 +++++++
>  arch/powerpc/kexec/elf_64.c           | 14 +++++++++
>  arch/s390/kernel/machine_kexec_file.c | 42 +++------------------------
>  include/linux/verification.h          |  3 ++
>  kernel/module-internal.h              |  2 --
>  kernel/module.c                       | 11 +++----
>  kernel/module_signing.c               | 32 ++++++++++++++------
>  7 files changed, 59 insertions(+), 56 deletions(-)
>
> --
> 2.31.1