diff mbox series

[2/2] arm64: Enable signing on the kernel image loaded by kexec file load

Message ID 20230921133703.39042-3-kernelfans@gmail.com (mailing list archive)
State New, archived
Headers show
Series Sign the Image which is zboot's payload | expand

Commit Message

Pingfan Liu Sept. 21, 2023, 1:37 p.m. UTC
From: Pingfan Liu <piliu@redhat.com>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu@redhat.com>
Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign
diff mbox series

Patch

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@  config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@ 
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu