[Fedora kexec-tools 5/7] kexec: Provide option to enable signature checking logic

Vivek Goyal vgoyal at redhat.com
Thu Sep 5 01:57:02 UTC 2013 

On secureboot platforms kexec will check signature of bzImage being
loaded. It does so with the help of keyctl() ioctl. This functionality
is rather new in kernel so linux/keyctl.h might not have right definitions
to build kexec.

This patch provides two things.

- An option --enable-sigcheck to enable/disable signature verification
  logic.
- It disables signature check automatically (even if user specified
  --enable-sigcheck), if keyctl.h does not have needed structure
 definitions.

Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
---
 configure.ac  | 12 ++++++++++++
 kexec/kexec.c |  9 +++++++++
 2 files changed, 21 insertions(+)

diff --git a/configure.ac b/configure.ac
index 90b4c75..576b460 100644
--- a/configure.ac
+++ b/configure.ac
@@ -70,6 +70,8 @@ fi
 
 AC_ARG_ENABLE([static], AC_HELP_STRING([--enable-static],[Produce statically linked executables]), [ enable_static="$enableval"], [ enable_static=no])
 
+AC_ARG_ENABLE([sigcheck], AC_HELP_STRING([--enable-sigcheck],[Enable kernel signature checking]), [ enable_sigcheck="$enableval"], [ enable_sigcheck=yes])
+
 AC_ARG_WITH([objdir], AC_HELP_STRING([--with-objdir=<dir>],[select directory for object files]),
 	[ OBJDIR="$withval" ], [ OBJDIR="$OBJDIR" ])
 
@@ -150,6 +152,16 @@ if test "$enable_static" = yes ; then
 	CFLAGS="$CFLAGS -static"
 fi
 
+if test "$enable_sigcheck" = yes ; then
+	AC_CHECK_HEADER(linux/keyctl.h,,AC_MSG_NOTICE([Signature checking support disabled]))
+	if test "$ac_cv_header_linux_keyctl_h" = yes ; then
+		AC_CHECK_TYPES([struct keyctl_sig_data], ,
+			AC_MSG_NOTICE([Signature checking support disabled]),
+			[AC_INCLUDES_DEFAULT
+#include <linux/keyctl.h>])
+	fi
+fi
+
 dnl See if I have a usable copy of zlib available
 if test "$with_zlib" = yes ; then
 	AC_CHECK_HEADER(zlib.h,
diff --git a/kexec/kexec.c b/kexec/kexec.c
index 14c5d16..7ebfa0b 100644
--- a/kexec/kexec.c
+++ b/kexec/kexec.c
@@ -686,6 +686,7 @@ out_close_fd:
 	return buf;
 }
 
+#ifdef HAVE_STRUCT_KEYCTL_SIG_DATA
 /*
  * It is assumed signatures are stored in security.ima xattr. buf and size
  * contain the contents of file whose signature need to be verified
@@ -713,6 +714,14 @@ static int verify_signature(unsigned long keyring_id, char *data, off_t dlen,
 
 	return ret;
 }
+#else
+static int verify_signature(unsigned long keyring_id, char *data, off_t dlen,
+				char *sig, off_t slen)
+{
+	die("Signature verification is disabled. Trying building kexec with --enable-sigcheck.");
+	return 0;
+}
+#endif /* HAVE_STRUCT_KEYCTL_SIG_DATA */
 
 /*
  * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's
-- 
1.8.3.1

More information about the kernel mailing list