On Wed, Sep 4, 2013 at 9:57 PM, Vivek Goyal <vgoyal(a)redhat.com> wrote:
This is the logic to verify bzImage signature. Signature
verification
happens only if secureboot is enabled.
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
+/*
+ * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's
+ * signature.
+ */
+static bool is_secureboot_enabled(void) {
+ int fd, ret;
+ char value = 0;
+
+ fd = open("/sys/kernel/secureboot_enabled", O_RDONLY);
+ if (fd == -1) {
+ /* For backward compatibility with old kernels */
+ return false;
+ }
+
+ ret = read(fd, &value, sizeof(value));
+ if (ret < 0) {
+ die("Failed to read /sys/kernel/secureboot_enabled");
+ }
+
+ if (value == '1')
+ return true;
+ else
+ return false;
+}
+
+static bool is_secure_modules_enabled(void) {
+ int fd, ret;
+ char value = 0;
+
+ fd = open("/sys/kernel/secure_modules_enabled", O_RDONLY);
+ if (fd == -1) {
+ /* For backward compatibility with old kernels */
+ return false;
+ }
+
+ ret = read(fd, &value, sizeof(value));
+ if (ret < 0) {
+ die("Failed to read /sys/kernel/secure_modules_enabled");
+ }
+
+ if (value == '1')
+ return true;
+ else
+ return false;
+}
Neither one of the secure_modules_enabled or secureboot_enabled files
exist in /sys/kernel/. As far as I know, they never have. Is there a
patch missing in the kernel set that adds these?
I'm curious how you tested this.
josh