    arm64: kexec_file: allow for loading Image-format kernel · f3b70e50
    AKASHI Takahiro authored
    This patch provides kexec_file_ops for "Image"-format kernel. In this
    implementation, a binary is always loaded with a fixed offset identified
    in text_offset field of its header.
    
    Regarding signature verification for trusted boot, this patch doesn't
    contain CONFIG_KEXEC_VERIFY_SIG support, which is to be added later
    in this series, but file-attribute-based verification is still a viable
    option by enabling the IMA security subsystem.
    
    You can sign (label) a to-be-kexec'ed kernel image on the target file
    system with:
        $ evmctl ima_sign --key /path/to/private_key.pem Image
    
    On a live system, you must have IMA enforced with, at least, the following
    security policy:
        "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig"
    
    See more details about IMA here:
        https://sourceforge.net/p/linux-ima/wiki/Home/

    Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Reviewed-by: James Morse <james.morse@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
kexec_image.c 2.94 KB
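
The commit message says an Image-format binary is always loaded at the fixed offset given by the `text_offset` field of its header. The following is an added user-space example, not the contents of kexec_image.c or any kernel code: it validates the 64-byte arm64 Image header (layout as given in the kernel's arm64 booting documentation) and derives the load address from a 2 MiB-aligned base. The names `image_probe`, `image_load_addr` and `sample_hdr` are hypothetical, and the sample header bytes and base address are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets in the 64-byte arm64 Image header; fields are little-endian. */
enum { OFF_TEXT_OFFSET = 8, OFF_IMAGE_SIZE = 16, OFF_MAGIC = 56, HDR_SIZE = 64 };
struct image_info { uint64_t text_offset, image_size; };

static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Returns 0 and fills *out when buf starts with an Image header, -1 otherwise. */
int image_probe(const uint8_t *buf, size_t len, struct image_info *out)
{
    if (!buf || !out || len < HDR_SIZE)
        return -1;                       /* truncated input: reject before reading fields */
    if (memcmp(buf + OFF_MAGIC, "ARM\x64", 4) != 0)
        return -1;                       /* magic mismatch: not an arm64 Image */
    out->text_offset = le64(buf + OFF_TEXT_OFFSET);
    out->image_size  = le64(buf + OFF_IMAGE_SIZE);
    return 0;
}

/* Load address = 2 MiB-aligned base + text_offset; -1 on misalignment or overflow. */
int image_load_addr(uint64_t base, const struct image_info *hdr, uint64_t *addr)
{
    if ((base & ((UINT64_C(2) << 20) - 1)) || hdr->text_offset > UINT64_MAX - base)
        return -1;
    *addr = base + hdr->text_offset;
    return 0;
}

/* Constructed sample header: text_offset 0x80000, image_size 0x01000000. */
static const uint8_t sample_hdr[HDR_SIZE] = {
    [OFF_TEXT_OFFSET + 2] = 0x08, [OFF_IMAGE_SIZE + 3] = 0x01, [OFF_MAGIC] = 'A', 'R', 'M', 0x64,
};

int main(void)
{
    struct image_info info; uint64_t addr = 0;
    int rc = image_probe(sample_hdr, sizeof sample_hdr, &info) || image_load_addr(0x40000000, &info, &addr);
    printf("rc=%d load=0x%llx\n", rc, (unsigned long long)addr);
    return rc;
}
```

A header check like this only establishes the file format; whether the image is trusted is decided separately, here by the IMA appraisal policy the commit message describes.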