[PATCH 0/3] KEXEC_SIG with appended signature
Daniel Axtens
dja at axtens.net
Fri Nov 5 21:55:52 AEDT 2021
Michal Suchanek <msuchanek at suse.de> writes:
> S390 uses appended signature for kernel but implements the check
> separately from module loader.
>
> Support for secure boot on powerpc with appended signature is planned -
> grub patches submitted upstream but not yet merged.
Power Non-Virtualised / OpenPower already supports secure boot via kexec
with signature verification via IMA. I think you have now sent a
follow-up series that merges some of the IMA implementation, I just
wanted to make sure it was clear that we actually already have support
for this in the kernel, it's just grub that is getting new support.
> This is an attempt at unified appended signature verification.
I am always in favour of fewer reimplementations of the same feature in
the kernel :)
Regards,
Daniel
>
> Thanks
>
> Michal
>
> Michal Suchanek (3):
> s390/kexec_file: Don't opencode appended signature verification.
> module: strip the signature marker in the verification function.
> powerpc/kexec_file: Add KEXEC_SIG support.
>
> arch/powerpc/Kconfig | 11 +++++++
> arch/powerpc/kexec/elf_64.c | 14 +++++++++
> arch/s390/kernel/machine_kexec_file.c | 42 +++------------------------
> include/linux/verification.h | 3 ++
> kernel/module-internal.h | 2 --
> kernel/module.c | 11 +++----
> kernel/module_signing.c | 32 ++++++++++++++------
> 7 files changed, 59 insertions(+), 56 deletions(-)
>
> --
> 2.31.1
More information about the Linuxppc-dev
mailing list