Vivek Goyal's signed-kexec patches with my PKCS#7 and PE signature
verification patches merged in.

kexec: Verify the signature of signed PE bzImage

Well, all the hard work is done in previous patches. Now the bzImage loader
has to just call into that code and verify whether the bzImage signature is
valid or not.

Also create two config options. The first one is CONFIG_KEXEC_VERIFY_SIG.
This option enforces that the kernel has to be validly signed; otherwise the
kernel load will fail. If this option is not set, no signature verification
will be done. The only exception will be when secureboot is enabled. In that
case signature verification should be automatically enforced when secureboot
is enabled. But that will happen when the secureboot patches are merged.

The second config option is CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. This option
enables signature verification support on bzImage. If this option is
not set and the previous one is set, kernel image loading will fail because
the kernel does not have support to verify the signature of bzImage.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
5 files changed