projects / linux-2.6-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 702ed5b) | patch
arm64: kexec_file: add kernel signature verification support
authorAKASHI Takahiro <takahiro.akashi@linaro.org>
Thu, 15 Nov 2018 05:52:54 +0000 (14:52 +0900)
committerWill Deacon <will.deacon@arm.com>
Thu, 6 Dec 2018 15:16:52 +0000 (15:16 +0000)
commit732b7b93d849f8a44886ead563dfb6adec7f4419
tree29ec906b45eaec73cae4102a360dd7fea7f9198ctree | snapshot
parent702ed5bb75306c030ab6598b24b56ba8d21a48ddcommit | diff
arm64: kexec_file: add kernel signature verification support

With this patch, kernel verification can be done without IMA security
subsystem enabled. Turn on CONFIG_KEXEC_VERIFY_SIG instead.

On x86, a signature is embedded into a PE file (Microsoft's format) header
of binary. Since arm64's "Image" can also be seen as a PE file as far as
CONFIG_EFI is enabled, we adopt this format for kernel signing.

You can create a signed kernel image with:
    $ sbsign --key ${KEY} --cert ${CERT} Image

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
[will: removed useless pr_debug()]
Signed-off-by: Will Deacon <will.deacon@arm.com>
arch/arm64/Kconfig diff | blob | blame | history
arch/arm64/kernel/kexec_image.c diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)