From: Coiby Xu on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_719906578
Oh, I make a mistake. KEXEC_SIG doesn't exist for POWER. So it's indeed an NO-
OP.
Btw, POWER uses IMA appraise to verify the signature appended to the kernel
image. So it doesn't need it.
From: Coiby Xu on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_719459832
It's not a NO-OP for POWER. With KEXEC_SIG enabled, some code in
kernel/kexec_file.c would be invoked. For example, kimage_validate_signature
would be called and this may lead to the failure
From: Coiby Xu on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_719458496
Could you explain how it impacts x86? For CONFIG_KEXEC_SIG, I simply enable it
for both aarch64 RHEL and it has already been enabled for x86 and aarch64
Fedora. For CONFIG_KEXEC_IMAGE_VERIFY
From: pbrobinson on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_719117764
Is there any reason not to unify the configs across all architectures, the
only arch that doesn't currently have this enabled is POWER and it doesn't
actually currently support it (which I
From: Don Zickus on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_718931153
@prarit @darcari apparently this impacts x86 now too.
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to
From: Mark Salter on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1442#note_717323659
Acked-by: Mark Salter
(via approve button)
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le
From: Coiby Xu
redhat/configs: enable KEXEC_SIG for aarch64 RHEL
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1994858
KEXEC_SIG needs to enabled for aarch64 so the kernel image's signature
can be verified when loading a kernel image via kexec with secureboot
enabled. Note this option h
