s390/kexec_file: Signature verification prototype Add kernel signature verification to kexec_file. The verification is based on module signature verification and works with kernel images signed via scripts/sign-file. Signed-off-by: Philipp Rudo <prudo@linux.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit: e23a8020ce4e094e10d717d39a8ce799243bf8c1 [log] [tgz]
author: Philipp Rudo <prudo@linux.ibm.com> Tue Feb 26 10:50:39 2019 +0100
committer: Martin Schwidefsky <schwidefsky@de.ibm.com> Mon Apr 29 10:44:01 2019 +0200
tree: aa5253ea9daa7ccacaa018e72161e773ee4a2ac5
parent: 653beba24d4cd281b078eab48c9bce956939061c [diff] [blame]
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 1c3fcf1..21e851b 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig

@@ -553,6 +553,17 @@
 	def_bool y
 	depends on KEXEC_FILE
 
+config KEXEC_VERIFY_SIG
+	bool "Verify kernel signature during kexec_file_load() syscall"
+	depends on KEXEC_FILE && SYSTEM_DATA_VERIFICATION
+	help
+	  This option makes kernel signature verification mandatory for
+	  the kexec_file_load() syscall.
+
+	  In addition to that option, you need to enable signature
+	  verification for the corresponding kernel image type being
+	  loaded in order for this to work.
+
 config ARCH_RANDOM
 	def_bool y
 	prompt "s390 architectural random number generation API"
commit	e23a8020ce4e094e10d717d39a8ce799243bf8c1	[log] [tgz]
author	Philipp Rudo <prudo@linux.ibm.com>	Tue Feb 26 10:50:39 2019 +0100
committer	Martin Schwidefsky <schwidefsky@de.ibm.com>	Mon Apr 29 10:44:01 2019 +0200
tree	aa5253ea9daa7ccacaa018e72161e773ee4a2ac5
parent	653beba24d4cd281b078eab48c9bce956939061c [diff] [blame]