The internal Image should be signed only when kexec_file_load checks the signature and the Image is packed into EFI-STUB. Furthermore, it is signed with the module key.
Using the configuration condition to reflect the above dependency. Signed-off-by: Pingfan Liu <[email protected]> Cc: Baoquan He <[email protected]> Cc: Dave Young <[email protected]> Cc: Eric Biederman <[email protected]> To: [email protected] --- kernel/Kconfig.kexec | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/kernel/Kconfig.kexec b/kernel/Kconfig.kexec index 4d111f871951..cb8afe8e17e5 100644 --- a/kernel/Kconfig.kexec +++ b/kernel/Kconfig.kexec @@ -69,6 +69,15 @@ config KEXEC_SIG_FORCE This option makes kernel signature verification mandatory for the kexec_file_load() syscall. +config KEXEC_SIGN_IMAGE + bool "Sign Image before it is packed into EFI stub" + depends on KEXEC_SIG && EFI_STUB && MODULE_SIG + default y + help + This option utilizes the module signing key to sign the kernel + inside EFI stub shell. So the internal kernel can pass through + the signature verification. + config KEXEC_IMAGE_VERIFY_SIG bool "Enable Image signature verification support (ARM)" default ARCH_DEFAULT_KEXEC_IMAGE_VERIFY_SIG -- 2.41.0
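Review bot: The help text of the new KEXEC_SIGN_IMAGE entry does not tell someone configuring the kernel what is signed or why it matters. "the kernel inside EFI stub shell" and "can pass through the signature verification" are ambiguous, and the second phrase can be read as bypassing the check. Suggest wording along the lines of "Sign the kernel Image with the module signing key before it is packed into the EFI stub, so that the embedded Image passes signature verification in kexec_file_load()." The help should also state the trust consequence of `depends on ... MODULE_SIG`: the embedded Image is signed with the same key that signs modules, so anyone holding that key can produce an Image that kexec_file_load() accepts. Because the symbol is `default y`, every configuration that already has KEXEC_SIG, EFI_STUB and MODULE_SIG set starts signing on the next build without an explicit choice; the commit message should say why default-on is wanted. Finally, this patch only adds the symbol and nothing visible here consumes it, so please make sure the build rule that uses it lands in the same series. It is also worth confirming that EFI_STUB is the right dependency for "Image is packed into EFI-STUB" rather than a symbol specific to the packed image format.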
