[Fedora kexec-tools 3/7] kexec: Verifiy kernel signature if secureboot/secure modules is enabled
Josh Boyer
jwboyer at gmail.com
Thu Sep 5 13:28:32 UTC 2013
On Thu, Sep 5, 2013 at 9:19 AM, Josh Boyer <jwboyer at gmail.com> wrote:
> On Wed, Sep 4, 2013 at 9:57 PM, Vivek Goyal <vgoyal at redhat.com> wrote:
>> This is the logic to verify bzImage signature. Signature verification
>> happens only if secureboot is enabled.
>>
>> Signed-off-by: Vivek Goyal <vgoyal at redhat.com>
>> ---
>
>> +/*
>> + * Ask running kernel to see if it needs /sbin/kexec to verify new kernel's
>> + * signature.
>> + */
>> +static bool is_secureboot_enabled(void) {
>> + int fd, ret;
>> + char value = 0;
>> +
>> + fd = open("/sys/kernel/secureboot_enabled", O_RDONLY);
>> + if (fd == -1) {
>> + /* For backward compatibility with old kernels */
>> + return false;
>> + }
>> +
>> + ret = read(fd, &value, sizeof(value));
>> + if (ret < 0) {
>> + die("Failed to read /sys/kernel/secureboot_enabled");
>> + }
>> +
>> + if (value == '1')
>> + return true;
>> + else
>> + return false;
>> +}
>> +
>> +static bool is_secure_modules_enabled(void) {
>> + int fd, ret;
>> + char value = 0;
>> +
>> + fd = open("/sys/kernel/secure_modules_enabled", O_RDONLY);
>> + if (fd == -1) {
>> + /* For backward compatibility with old kernels */
>> + return false;
>> + }
>> +
>> + ret = read(fd, &value, sizeof(value));
>> + if (ret < 0) {
>> + die("Failed to read /sys/kernel/secure_modules_enabled");
>> + }
>> +
>> + if (value == '1')
>> + return true;
>> + else
>> + return false;
>> +}
>
> Neither one of the secure_modules_enabled or secureboot_enabled files
> exist in /sys/kernel/. As far as I know, they never have. Is there a
> patch missing in the kernel set that adds these?
>
> I'm curious how you tested this.
Nevermind. For some reason I don't have patch 15/19 in my mailbox,
but looking in the archives I see you added them there. My mistake.
josh
More information about the kernel
mailing list