[Fedora kexec-tools 3/7] kexec: Verifiy kernel signature if secureboot/secure modules is enabled
Josh Boyer
jwboyer at gmail.com
Thu Sep 5 13:19:56 UTC 2013
On Wed, Sep 4, 2013 at 9:57 PM, Vivek Goyal <vgoyal at redhat.com> wrote:
> This is the logic to verify bzImage signature. Signature verification
> happens only if secureboot is enabled.
>
> Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
> ---
> +/*
> + * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's
> + * signature.
> + */
> +static bool is_secureboot_enabled(void) {
> + int fd, ret;
> + char value = 0;
> +
> + fd = open("/sys/kernel/secureboot_enabled", O_RDONLY);
> + if (fd == -1) {
> + /* For backward compatibility with old kernels */
> + return false;
> + }
> +
> + ret = read(fd, &value, sizeof(value));
> + if (ret < 0) {
> + die("Failed to read /sys/kernel/secureboot_enabled");
> + }
> +
> + if (value == '1')
> + return true;
> + else
> + return false;
> +}
> +
> +static bool is_secure_modules_enabled(void) {
> + int fd, ret;
> + char value = 0;
> +
> + fd = open("/sys/kernel/secure_modules_enabled", O_RDONLY);
> + if (fd == -1) {
> + /* For backward compatibility with old kernels */
> + return false;
> + }
> +
> + ret = read(fd, &value, sizeof(value));
> + if (ret < 0) {
> + die("Failed to read /sys/kernel/secure_modules_enabled");
> + }
> +
> + if (value == '1')
> + return true;
> + else
> + return false;
> +}
Neither one of the secure_modules_enabled or secureboot_enabled files
exist in /sys/kernel/. As far as I know, they never have. Is there a
patch missing in the kernel set that adds these?
I'm curious how you tested this.
josh
More information about the kernel
mailing list