[PATCH 0/2] Sign the Image which is zboot's payload

[Pingfan Liu <kernelfans@gmail.com>]

From: Pingfan Liu <piliu@redhat.com>

I hesitate to post this series, since Ard has recommended using an
emulated UEFI boot service to resolve the UKI kexec load problem [1].
since on aarch64, vmlinuz.efi has faced the similar issue at present.
But anyway, I have a crude outline of it and am sending it out for
discussion.

For security boot, the vmlinuz.efi will be signed so UEFI boot loader
can check against it. But at present, there is no signature for kexec
file load, this series makes a signature on the zboot's payload -- Image
before it is compressed. As a result, the kexec-tools parses and
decompresses the Image.gz to get the Image, which has signature and can
be checked against during kexec file load

[1]: https://lore.kernel.org/lkml/20230918173607.421d2616@rotkaeppchen/T/#mc60aa591cb7616ceb39e1c98f352383f9ba6e985

Cc: "Ard Biesheuvel <ardb@kernel.org>"
Cc: "Jan Hendrik Farr" <kernel@jfarr.cc>
Cc: "Baoquan He" <bhe@redhat.com>
Cc: "Dave Young" <dyoung@redhat.com>
Cc: "Philipp Rudo" <prudo@redhat.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
To: linux-arm-kernel@lists.infradead.org
To: linux-efi@vger.kernel.org
To: kexec@lists.infradead.org


Pingfan Liu (2):
  zboot: Signing the payload
  arm64: Enable signing on the kernel image loaded by kexec file load

 arch/arm64/Kconfig                          |  2 +
 drivers/firmware/efi/libstub/Makefile.zboot | 23 +++++++--
 kernel/Kconfig.kexec_sign                   | 54 +++++++++++++++++++++
 3 files changed, 76 insertions(+), 3 deletions(-)
 create mode 100644 kernel/Kconfig.kexec_sign

-- 
2.31.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel