[Fedora kexec-tools 3/7] kexec: Verifiy kernel signature if secureboot/secure modules is enabled

Thu Sep 5 13:19:56 UTC 2013

On Wed, Sep 4, 2013 at 9:57 PM, Vivek Goyal <vgoyal at redhat.com> wrote:
> This is the logic to verify bzImage signature. Signature verification
> happens only if secureboot is enabled.
>
> Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
> ---

> +/*
> + * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's
> + * signature.
> + */
> +static bool is_secureboot_enabled(void) {
> +       int fd, ret;
> +       char value = 0;
> +
> +       fd = open("/sys/kernel/secureboot_enabled", O_RDONLY);
> +       if (fd == -1) {
> +               /* For backward compatibility with old kernels */
> +               return false;
> +       }
> +
> +       ret = read(fd, &value, sizeof(value));
> +       if (ret < 0) {
> +               die("Failed to read /sys/kernel/secureboot_enabled");
> +       }
> +
> +       if (value == '1')
> +               return true;
> +       else
> +               return false;
> +}
> +
> +static bool is_secure_modules_enabled(void) {
> +       int fd, ret;
> +       char value = 0;
> +
> +       fd = open("/sys/kernel/secure_modules_enabled", O_RDONLY);
> +       if (fd == -1) {
> +               /* For backward compatibility with old kernels */
> +               return false;
> +       }
> +
> +       ret = read(fd, &value, sizeof(value));
> +       if (ret < 0) {
> +               die("Failed to read /sys/kernel/secure_modules_enabled");
> +       }
> +
> +       if (value == '1')
> +               return true;
> +       else
> +               return false;
> +}

Neither one of the secure_modules_enabled or secureboot_enabled files
exist in /sys/kernel/.  As far as I know, they never have.  Is there a
patch missing in the kernel set that adds these?

I'm curious how you tested this.

josh