From: Pingfan Liu <kernelfans@gmail.com>
To: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org,
	kexec@lists.infradead.org
Cc: Pingfan Liu <piliu@redhat.com>,
	"Jan Hendrik Farr" <kernel@jfarr.cc>,
	"Baoquan He" <bhe@redhat.com>, "Dave Young" <dyoung@redhat.com>,
	"Philipp Rudo" <prudo@redhat.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>
Subject: [PATCH 2/2] arm64: Enable signing on the kernel image loaded by kexec file load
Date: Thu, 21 Sep 2023 21:37:03 +0800	[thread overview]
Message-ID: <20230921133703.39042-3-kernelfans@gmail.com> (raw)
In-Reply-To: <20230921133703.39042-1-kernelfans@gmail.com>

From: Pingfan Liu <piliu@redhat.com>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu@redhat.com>
Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@ config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
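Review bot: The added `source "kernel/Kconfig.kexec_sign"` line pulls a file that lives under `kernel/` into `arch/arm64/Kconfig` only, so the generically named `IMAGE_SIG_*` and `KEXEC_ZBOOT_SIG_KEY` symbols exist on arm64 alone. Their stated dependency is `KEXEC_SIG && EFI_ZBOOT`, and EFI_ZBOOT is, as far as I know, not limited to arm64; either move the file under `arch/arm64/` next to its sole user or source it from a common Kconfig so every architecture that builds a zboot image sees it. A one-line comment above the `source` would also help, for example `# build-time signing of the zboot payload; load-time verification is KEXEC_IMAGE_VERIFY_SIG below`. The `config KEXEC_SIG` entry this sits in starts outside the hunk, and the same hunk repeats in the two further copies of this message on the page.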
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu
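Review bot: The `choice` for the signing hash has no `default`, so Kconfig falls back to the first visible entry and `IMAGE_SIG_SHA1` becomes the hash a fresh configuration signs the Image with. SHA-1 is no longer collision resistant, which makes it a poor basis for the signature that kexec file load is meant to verify; I would add `default IMAGE_SIG_SHA256` under the `prompt` line and either drop the `IMAGE_SIG_SHA1` entry or give it a help text saying it exists only for legacy verifiers. Separately, the help of `KEXEC_ZBOOT_SIG_KEY` promises that the default `certs/signing_key.pem` is generated automatically, but nothing in this file selects or depends on whatever creates that key (presumably the module-signing build rules, to be confirmed), and keeping the default means the Image and the modules are signed with one shared private key. The same file appears unchanged in the two repeated copies of this message further down the page.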
-- 
2.31.1



From: Pingfan Liu <kernelfans@gmail.com>
To: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org,
	kexec@lists.infradead.org
Cc: Pingfan Liu <piliu@redhat.com>,
	"Jan Hendrik Farr" <kernel@jfarr.cc>,
	"Baoquan He" <bhe@redhat.com>, "Dave Young" <dyoung@redhat.com>,
	"Philipp Rudo" <prudo@redhat.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>
Subject: [PATCH 2/2] arm64: Enable signing on the kernel image loaded by kexec file load
Date: Thu, 21 Sep 2023 21:37:03 +0800	[thread overview]
Message-ID: <20230921133703.39042-3-kernelfans@gmail.com> (raw)
In-Reply-To: <20230921133703.39042-1-kernelfans@gmail.com>

From: Pingfan Liu <piliu@redhat.com>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu@redhat.com>
Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@ config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu
-- 
2.31.1


From: Pingfan Liu <kernelfans@gmail.com>
To: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org,
	kexec@lists.infradead.org
Cc: Pingfan Liu <piliu@redhat.com>,
	"Jan Hendrik Farr" <kernel@jfarr.cc>,
	"Baoquan He" <bhe@redhat.com>, "Dave Young" <dyoung@redhat.com>,
	"Philipp Rudo" <prudo@redhat.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>
Subject: [PATCH 2/2] arm64: Enable signing on the kernel image loaded by kexec file load
Date: Thu, 21 Sep 2023 21:37:03 +0800	[thread overview]
Message-ID: <20230921133703.39042-3-kernelfans@gmail.com> (raw)
In-Reply-To: <20230921133703.39042-1-kernelfans@gmail.com>

From: Pingfan Liu <piliu@redhat.com>

Enable the signing on the kernel image if both KEXEC_SIG and EFI_ZBOOT
are configured.

Signed-off-by: Pingfan Liu <piliu@redhat.com>
Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org
---
 arch/arm64/Kconfig        |  2 ++
 kernel/Kconfig.kexec_sign | 54 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 kernel/Kconfig.kexec_sign

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index a2511b30d0f6..e067864d7ea1 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1493,6 +1493,8 @@ config KEXEC_SIG
 	  verification for the corresponding kernel image type being
 	  loaded in order for this to work.
 
+source "kernel/Kconfig.kexec_sign"
+
 config KEXEC_IMAGE_VERIFY_SIG
 	bool "Enable Image signature verification support"
 	default y
diff --git a/kernel/Kconfig.kexec_sign b/kernel/Kconfig.kexec_sign
new file mode 100644
index 000000000000..880aa9aed9a8
--- /dev/null
+++ b/kernel/Kconfig.kexec_sign
@@ -0,0 +1,54 @@
+
+menu "Sign the kernel Image"
+	depends on KEXEC_SIG && EFI_ZBOOT
+
+config KEXEC_ZBOOT_SIG_KEY
+	string "File name or PKCS#11 URI of Image signing key"
+	default "certs/signing_key.pem"
+	help
+         Provide the file name of a private key/certificate in PEM format,
+         or a PKCS#11 URI according to RFC7512. The file should contain, or
+         the URI should identify, both the certificate and its corresponding
+         private key.
+
+         If this option is unchanged from its default "certs/signing_key.pem",
+         then the kernel will automatically generate the private key and
+         certificate as described in Documentation/admin-guide/module-signing.rst
+
+
+choice
+	prompt "Which hash algorithm should Image be signed with?"
+	help
+	  This determines which sort of hashing algorithm will be used during
+	  signature generation.
+
+config IMAGE_SIG_SHA1
+	bool "Sign Image with SHA-1"
+	select CRYPTO_SHA1
+
+config IMAGE_SIG_SHA224
+	bool "Sign Image with SHA-224"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA256
+	bool "Sign Image with SHA-256"
+	select CRYPTO_SHA256
+
+config IMAGE_SIG_SHA384
+	bool "Sign Image with SHA-384"
+	select CRYPTO_SHA512
+
+config IMAGE_SIG_SHA512
+	bool "Sign Image with SHA-512"
+	select CRYPTO_SHA512
+
+endchoice
+
+config IMAGE_SIG_HASH
+	string
+	default "sha1" if IMAGE_SIG_SHA1
+	default "sha224" if IMAGE_SIG_SHA224
+	default "sha256" if IMAGE_SIG_SHA256
+	default "sha384" if IMAGE_SIG_SHA384
+	default "sha512" if IMAGE_SIG_SHA512
+endmenu
-- 
2.31.1

