On secureboot platforms kexec will check signature of bzImage being
loaded. It does so with the help of keyctl() ioctl. This functionality
is rather new in kernel so linux/keyctl.h might not have right definitions
to build kexec.
This patch provides two things.
- An option --enable-sigcheck to enable/disable signature verification
logic.
- It disables signature check automatically (even if user specified
--enable-sigcheck), if keyctl.h does not have needed structure
definitions.
Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com>
---
configure.ac | 12 ++++++++++++
kexec/kexec.c | 9 +++++++++
2 files changed, 21 insertions(+)
diff --git a/configure.ac b/configure.ac
index 90b4c75..576b460 100644
--- a/configure.ac
+++ b/configure.ac
@@ -70,6 +70,8 @@ fi
AC_ARG_ENABLE([static], AC_HELP_STRING([--enable-static],[Produce statically linked
executables]), [ enable_static="$enableval"], [ enable_static=no])
+AC_ARG_ENABLE([sigcheck], AC_HELP_STRING([--enable-sigcheck],[Enable kernel signature
checking]), [ enable_sigcheck="$enableval"], [ enable_sigcheck=yes])
+
AC_ARG_WITH([objdir], AC_HELP_STRING([--with-objdir=<dir>],[select directory for
object files]),
[ OBJDIR="$withval" ], [ OBJDIR="$OBJDIR" ])
@@ -150,6 +152,16 @@ if test "$enable_static" = yes ; then
CFLAGS="$CFLAGS -static"
fi
+if test "$enable_sigcheck" = yes ; then
+ AC_CHECK_HEADER(linux/keyctl.h,,AC_MSG_NOTICE([Signature checking support disabled]))
+ if test "$ac_cv_header_linux_keyctl_h" = yes ; then
+ AC_CHECK_TYPES([struct keyctl_sig_data], ,
+ AC_MSG_NOTICE([Signature checking support disabled]),
+ [AC_INCLUDES_DEFAULT
+#include <linux/keyctl.h>])
+ fi
+fi
+
dnl See if I have a usable copy of zlib available
if test "$with_zlib" = yes ; then
AC_CHECK_HEADER(zlib.h,
diff --git a/kexec/kexec.c b/kexec/kexec.c
index 14c5d16..7ebfa0b 100644
--- a/kexec/kexec.c
+++ b/kexec/kexec.c
@@ -686,6 +686,7 @@ out_close_fd:
return buf;
}
+#ifdef HAVE_STRUCT_KEYCTL_SIG_DATA
/*
* It is assumed signatures are stored in security.ima xattr. buf and size
* contain the contents of file whose signature need to be verified
@@ -713,6 +714,14 @@ static int verify_signature(unsigned long keyring_id, char *data,
off_t dlen,
return ret;
}
+#else
+static int verify_signature(unsigned long keyring_id, char *data, off_t dlen,
+ char *sig, off_t slen)
+{
+ die("Signature verification is disabled. Trying building kexec with
--enable-sigcheck.");
+ return 0;
+}
+#endif /* HAVE_STRUCT_KEYCTL_SIG_DATA */
/*
* Ask running kernel to see if it needs /sbin/kexec to verify new kernel's
--
1.8.3.1