git.openwrt.org Git - openwrt/staging/blogic.git/commit

author	AKASHI Takahiro <takahiro.akashi@linaro.org>
	Thu, 15 Nov 2018 05:52:50 +0000 (14:52 +0900)
committer	Will Deacon <will.deacon@arm.com>
	Thu, 6 Dec 2018 14:38:52 +0000 (14:38 +0000)
commit	f3b70e50942960ecc691367bb937e35cdc5e28d3
tree	5c474339e00762c6dd11ff84b74bc861f58ba5f9	tree \| snapshot
parent	52b2a8af7436044cfcb27e4b0f72c2ce1f3890da	commit \| diff

arm64: kexec_file: allow for loading Image-format kernel

This patch provides kexec_file_ops for "Image"-format kernel. In this
implementation, a binary is always loaded with a fixed offset identified
in text_offset field of its header.

Regarding signature verification for trusted boot, this patch doesn't
contains CONFIG_KEXEC_VERIFY_SIG support, which is to be added later
in this series, but file-attribute-based verification is still a viable
option by enabling IMA security subsystem.

You can sign(label) a to-be-kexec'ed kernel image on target file system
with:
    $ evmctl ima_sign --key /path/to/private_key.pem Image

On live system, you must have IMA enforced with, at least, the following
security policy:
    "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig"

See more details about IMA here:
    https://sourceforge.net/p/linux-ima/wiki/Home/

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>

arch/arm64/include/asm/kexec.h		diff \| blob \| history
arch/arm64/kernel/Makefile		diff \| blob \| history
arch/arm64/kernel/kexec_image.c	[new file with mode: 0644]	blob
arch/arm64/kernel/machine_kexec_file.c		diff \| blob \| history