git.baikalelectronics.ru Git - kernel.git/commit

author	AKASHI Takahiro <takahiro.akashi@linaro.org>
	Thu, 15 Nov 2018 05:52:54 +0000 (14:52 +0900)
committer	Will Deacon <will.deacon@arm.com>
	Thu, 6 Dec 2018 15:16:52 +0000 (15:16 +0000)
commit	c67902d607417165a438298356e989237d3040a4
tree	29ec906b45eaec73cae4102a360dd7fea7f9198c	tree \| snapshot
parent	720d4a0066b0cf263eed4c8fc175019b0973c846	commit \| diff

arm64: kexec_file: add kernel signature verification support

With this patch, kernel verification can be done without IMA security
subsystem enabled. Turn on CONFIG_KEXEC_VERIFY_SIG instead.

On x86, a signature is embedded into a PE file (Microsoft's format) header
of binary. Since arm64's "Image" can also be seen as a PE file as far as
CONFIG_EFI is enabled, we adopt this format for kernel signing.

You can create a signed kernel image with:
$ sbsign --key ${KEY} --cert ${CERT} Image

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
[will: removed useless pr_debug()]
Signed-off-by: Will Deacon <will.deacon@arm.com>

arch/arm64/Kconfig		diff \| blob \| history
arch/arm64/kernel/kexec_image.c		diff \| blob \| history