summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVivek Goyal <vgoyal@redhat.com>2014-09-03 15:46:01 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2014-09-04 08:12:26 -0400
commitd5eb8951d21de01921873e100743a52bae060e90 (patch)
treeb51820b29d724f1f7c3512dfceebf9d3f36da1a9
parent0806fade3230fb1c3ec2c2ec17167524b53e68fa (diff)
downloadkernel-d5eb8951d21de01921873e100743a52bae060e90.tar.gz
kernel-d5eb8951d21de01921873e100743a52bae060e90.tar.xz
kernel-d5eb8951d21de01921873e100743a52bae060e90.zip
config: Enable kexec bzImage signature verification
New kexec syscall (kexec_file_load()) can perform bzimage signature verification. This will re-enable kexec/kdump on secureboot systems using new syscall. Currently kexec/kdump is disabled on secureboot systems. User space (kexec-tools) will be modifed to automatically detect that running system has secureboot enabled and use new syscall instead of old one. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
-rw-r--r--config-x86-generic3
-rw-r--r--config-x86_64-generic3
2 files changed, 5 insertions, 1 deletions
diff --git a/config-x86-generic b/config-x86-generic
index 1b1218a2a..17b96c7da 100644
--- a/config-x86-generic
+++ b/config-x86-generic
@@ -499,8 +499,9 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
CONFIG_XZ_DEC_X86=y
CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=m
+CONFIG_PKCS7_MESSAGE_PARSER=y
# CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_MODULE_SIG=y
diff --git a/config-x86_64-generic b/config-x86_64-generic
index f4177d544..a19011733 100644
--- a/config-x86_64-generic
+++ b/config-x86_64-generic
@@ -42,6 +42,9 @@ CONFIG_CGROUP_HUGETLB=y
CONFIG_MEM_SOFT_DIRTY=y
CONFIG_KEXEC_JUMP=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_ACPI_HOTPLUG_MEMORY=y