[Fedora kexec-tools 5/7] kexec: Provide option to enable signature checking logic

On secureboot platforms kexec will check signature of bzImage being loaded. It does so with the help of keyctl() ioctl. This functionality is rather new in kernel so linux/keyctl.h might not have right definitions to build kexec. This patch provides two things. - An option --enable-sigcheck to enable/disable signature verification logic. - It disables signature check automatically (even if user specified --enable-sigcheck), if keyctl.h does not have needed structure definitions. Signed-off-by: Vivek Goyal <vgoyal(a)redhat.com&gt; --- configure.ac | 12 ++++++++++++ kexec/kexec.c | 9 +++++++++ 2 files changed, 21 insertions(+) diff --git a/configure.ac b/configure.ac index 90b4c75..576b460 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,8 @@ fi AC_ARG_ENABLE([static], AC_HELP_STRING([--enable-static],[Produce statically linked executables]), [ enable_static="$enableval"], [ enable_static=no]) +AC_ARG_ENABLE([sigcheck], AC_HELP_STRING([--enable-sigcheck],[Enable kernel signature checking]), [ enable_sigcheck="$enableval"], [ enable_sigcheck=yes]) + AC_ARG_WITH([objdir], AC_HELP_STRING([--with-objdir=<dir>],[select directory for object files]), [ OBJDIR="$withval" ], [ OBJDIR="$OBJDIR" ]) @@ -150,6 +152,16 @@ if test "$enable_static" = yes ; then CFLAGS="$CFLAGS -static" fi +if test "$enable_sigcheck" = yes ; then + AC_CHECK_HEADER(linux/keyctl.h,,AC_MSG_NOTICE([Signature checking support disabled])) + if test "$ac_cv_header_linux_keyctl_h" = yes ; then + AC_CHECK_TYPES([struct keyctl_sig_data], , + AC_MSG_NOTICE([Signature checking support disabled]), + [AC_INCLUDES_DEFAULT +#include <linux/keyctl.h>]) + fi +fi + dnl See if I have a usable copy of zlib available if test "$with_zlib" = yes ; then AC_CHECK_HEADER(zlib.h, diff --git a/kexec/kexec.c b/kexec/kexec.c index 14c5d16..7ebfa0b 100644 --- a/kexec/kexec.c +++ b/kexec/kexec.c @@ -686,6 +686,7 @@ out_close_fd: return buf; } +#ifdef HAVE_STRUCT_KEYCTL_SIG_DATA /* * It is assumed signatures are stored in security.ima xattr. buf and size * contain the contents of file whose signature need to be verified @@ -713,6 +714,14 @@ static int verify_signature(unsigned long keyring_id, char *data, off_t dlen, return ret; } +#else +static int verify_signature(unsigned long keyring_id, char *data, off_t dlen, + char *sig, off_t slen) +{ + die("Signature verification is disabled. Trying building kexec with --enable-sigcheck."); + return 0; +} +#endif /* HAVE_STRUCT_KEYCTL_SIG_DATA */ /* * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's -- 1.8.3.1