From: Pingfan Liu <[email protected]> Emulate the scheme of module signing to sign the zboot's payload i.e. Image before it is compressed.
And overall, the signature on vmlinuz.efi will be used by UEFI boot loader and the signature on Image will be used by kexec file load.

Signed-off-by: Pingfan Liu <[email protected]>
Cc: "Ard Biesheuvel <[email protected]>"
Cc: "Jan Hendrik Farr" <[email protected]>
Cc: "Baoquan He" <[email protected]>
Cc: "Dave Young" <[email protected]>
Cc: "Philipp Rudo" <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: Catalin Marinas <[email protected]>
Cc: Will Deacon <[email protected]>
To: [email protected]
To: [email protected]
To: [email protected]
---
 drivers/firmware/efi/libstub/Makefile.zboot | 23 ++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 2c489627a807..fd4305a4ebbd 100644
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -4,13 +4,30 @@
 # EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
 # EFI_ZBOOT_FORWARD_CFI
-quiet_cmd_copy_and_pad = PAD $@
- cmd_copy_and_pad = cp $< $@ && \
+
+#
+# Signing
+#
+ifeq ($(CONFIG_KEXEC_ZBOOT_SIG),y)
+ifeq ($(filter pkcs11:%, $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),)
+sig-key := $(if $(wildcard $(CONFIG_KEXEC_ZBOOT_SIG_KEY)),,$(srctree)/)$(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+else
+sig-key := $(CONFIG_KEXEC_ZBOOT_SIG_KEY)
+endif
+cmd_sign = scripts/sign-file $(CONFIG_KEXEC_ZBOOT_SIG_HASH) "$(sig-key)" certs/signing_key.x509 $@
+else
+ cmd_sign := :
+endif
+
+cmd_copy_and_pad = cp $< $@ && \
 truncate -s $(shell hexdump -s16 -n4 -e '"%u"' $<) $@
+quiet_cmd_copy_and_pad_sign = PAD and SIGN $@
+ cmd_copy_and_pad_sign = $(cmd_copy_and_pad) && $(cmd_sign)
+
 # Pad the file to the size of the uncompressed image in memory, including BSS
 $(obj)/vmlinux.bin: $(obj)/$(EFI_ZBOOT_PAYLOAD) FORCE
- $(call if_changed,copy_and_pad)
+ $(call if_changed,copy_and_pad_sign)
 comp-type-$(CONFIG_KERNEL_GZIP) := gzip
 comp-type-$(CONFIG_KERNEL_LZ4) := lz4
--
2.31.1
_______________________________________________
kexec mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/kexec
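Review bot: `cmd_sign` takes the private key from `$(sig-key)` but always passes `certs/signing_key.x509` as the certificate, so the two have to belong together for the signature on the payload to be usable; nothing in this hunk ties `CONFIG_KEXEC_ZBOOT_SIG_KEY` to that certificate. If a separate zboot key is meant to be supported, the certificate should be derived from `$(sig-key)` as well; if not, state the coupling next to the rule, for example `# certs/signing_key.x509 must be the certificate matching $(sig-key)`. The `$(obj)/vmlinux.bin` rule lists only the payload and `FORCE` as prerequisites, so this file does nothing to ensure that `scripts/sign-file` and the certificate exist before the recipe runs; presumably build ordering or Kconfig outside this hunk covers that, but it is worth confirming for parallel builds. The `else` branch also differs from the first in indentation and flavour (`:=` against `=`); writing it as `cmd_sign = :` at column 0 removes any chance of make reading an indented line as recipe text (whitespace is collapsed on this page, so whether that indent is a tab cannot be seen here).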
