1 files changed, 21 insertions, 0 deletions
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c
index 623e6c58081f..9642b9b33655 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -19,6 +19,8 @@
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/efi.h>
+#include <linux/verify_pefile.h>
+#include <keys/system_keyring.h>
 #include <asm/bootparam.h>
 #include <asm/setup.h>
@@ -525,8 +527,27 @@ int bzImage64_cleanup(void *loader_data)
        return 0;
 }
+#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
+int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
+{
+        bool trusted;
+        int ret;
+        ret = verify_pefile_signature(kernel, kernel_len,
+                                      system_trusted_keyring, &trusted);
+        if (ret < 0)
+                return ret;
+        if (!trusted)
+                return -EKEYREJECTED;
+        return 0;
+}
+#endif
 struct kexec_file_ops kexec_bzImage64_ops = {
        .probe = bzImage64_probe,
        .load = bzImage64_load,
        .cleanup = bzImage64_cleanup,
+#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
+        .verify_sig = bzImage64_verify_sig,
+#endif
 };

diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 623e6c58081f..9642b9b33655 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -19,6 +19,8 @@
19	#include <linux/kernel.h>	19	#include <linux/kernel.h>
20	#include <linux/mm.h>	20	#include <linux/mm.h>
21	#include <linux/efi.h>	21	#include <linux/efi.h>
		22	#include <linux/verify_pefile.h>
		23	#include <keys/system_keyring.h>
22		24
23	#include <asm/bootparam.h>	25	#include <asm/bootparam.h>
24	#include <asm/setup.h>	26	#include <asm/setup.h>
@@ -525,8 +527,27 @@ int bzImage64_cleanup(void *loader_data)
525	return 0;	527	return 0;
526	}	528	}
527		529
		530	#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
		531	int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
		532	{
		533	bool trusted;
		534	int ret;
		535
		536	ret = verify_pefile_signature(kernel, kernel_len,
		537	system_trusted_keyring, &trusted);
		538	if (ret < 0)
		539	return ret;
		540	if (!trusted)
		541	return -EKEYREJECTED;
		542	return 0;
		543	}
		544	#endif
		545
528	struct kexec_file_ops kexec_bzImage64_ops = {	546	struct kexec_file_ops kexec_bzImage64_ops = {
529	.probe = bzImage64_probe,	547	.probe = bzImage64_probe,
530	.load = bzImage64_load,	548	.load = bzImage64_load,
531	.cleanup = bzImage64_cleanup,	549	.cleanup = bzImage64_cleanup,
		550	#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
		551	.verify_sig = bzImage64_verify_sig,
		552	#endif
532	};	553	};