s390/kexec_file: Signature verification prototype

Add kernel signature verification to kexec_file. The verification is based on module signature verification and works with kernel images signed via scripts/sign-file. Signed-off-by: Philipp Rudo <prudo@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Philipp Rudo <prudo@linux.ibm.com> 2019-02-26 10:50:39 +0100
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> 2019-04-29 10:44:01 +0200
commit: e23a8020ce4e094e10d717d39a8ce799243bf8c1 (patch)
tree: aa5253ea9daa7ccacaa018e72161e773ee4a2ac5 /arch/s390/Kconfig
parent: s390/kexec_file: Load new kernel to absolute 0 (diff)
download: linux-dev-e23a8020ce4e094e10d717d39a8ce799243bf8c1.tar.xz
linux-dev-e23a8020ce4e094e10d717d39a8ce799243bf8c1.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 1c3fcf19c3af..21e851b0a989 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -553,6 +553,17 @@ config ARCH_HAS_KEXEC_PURGATORY
 	def_bool y
 	depends on KEXEC_FILE
 
+config KEXEC_VERIFY_SIG
+	bool "Verify kernel signature during kexec_file_load() syscall"
+	depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION
+	help
+	  This option makes kernel signature verification mandatory for
+	  the kexec_file_load() syscall.
+
+	  In addition to that option, you need to enable signature
+	  verification for the corresponding kernel image type being
+	  loaded in order for this to work.
+
 config ARCH_RANDOM
 	def_bool y
 	prompt "s390 architectural random number generation API"
author	Philipp Rudo <prudo@linux.ibm.com>	2019-02-26 10:50:39 +0100
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	2019-04-29 10:44:01 +0200
commit	e23a8020ce4e094e10d717d39a8ce799243bf8c1 (patch)
tree	aa5253ea9daa7ccacaa018e72161e773ee4a2ac5 /arch/s390/Kconfig
parent	s390/kexec_file: Load new kernel to absolute 0 (diff)
download	linux-dev-e23a8020ce4e094e10d717d39a8ce799243bf8c1.tar.xz linux-dev-e23a8020ce4e094e10d717d39a8ce799243bf8c1.zip