New kexec syscall (kexec_file_load()) can perform bzimage signature
verification.
This will re-enable kexec/kdump on secureboot systems using new syscall.
Currently kexec/kdump is disabled on secureboot systems.
User space (kexec-tools) will be modifed to automatically detect that
running system has secureboot enabled and use new syscall instead of
old one.
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
config-x86-generic | 3 ++-
config-x86_64-generic | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
Index: fedora-linux/config-x86-generic
===================================================================
--- fedora-linux.orig/config-x86-generic 2014-09-03 15:14:22.657901263 -0400
+++ fedora-linux/config-x86-generic 2014-09-03 15:14:26.654924830 -0400
@@ -499,8 +499,9 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=m
+CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_MODULE_SIG=y
Index: fedora-linux/config-x86_64-generic
===================================================================
--- fedora-linux.orig/config-x86_64-generic 2014-09-03 15:14:22.658901268 -0400
+++ fedora-linux/config-x86_64-generic 2014-09-03 15:23:53.655268010 -0400
@@ -42,6 +42,9 @@ CONFIG_CGROUP_HUGETLB=y
CONFIG_MEM_SOFT_DIRTY=y
CONFIG_KEXEC_JUMP=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_ACPI_HOTPLUG_MEMORY=y