summaryrefslogtreecommitdiffstats
path: root/discover/kboot-parser.c
diff options
context:
space:
mode:
authortpearson@raptorengineering.com <tpearson@raptorengineering.com>2016-08-18 04:45:47 -0500
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>2016-08-26 13:23:01 +1000
commit86c9d34380b0074dab1ba89a569a94280d6999c4 (patch)
tree22cf0cccbd4022d150e231adcb360b3bcf528cda /discover/kboot-parser.c
parent5496eee36f70631ae45403f90ed7b4dc143f27c0 (diff)
downloadtalos-petitboot-86c9d34380b0074dab1ba89a569a94280d6999c4.zip
talos-petitboot-86c9d34380b0074dab1ba89a569a94280d6999c4.tar.gz
Add support for GPG signature enforcement on booted
kernels and related blobs This can be used to implement a form of organization-controlled secure boot, whereby kernels may be loaded from a variety of sources but they will only boot if a valid signature file is found for each component, and only if the signature is listed in the /etc/pb-lockdown file. Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> (Minor build fixes and gpgme.m4, comment on secure boot in gpg.c)
Diffstat (limited to 'discover/kboot-parser.c')
-rw-r--r--discover/kboot-parser.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/discover/kboot-parser.c b/discover/kboot-parser.c
index cebe787..f7f75e0 100644
--- a/discover/kboot-parser.c
+++ b/discover/kboot-parser.c
@@ -96,6 +96,12 @@ out_add:
d_opt->boot_image = create_devpath_resource(d_opt,
conf->dc->device, value);
+ char* args_sigfile_default = talloc_asprintf(d_opt,
+ "%s.cmdline.sig", value);
+ d_opt->args_sig_file = create_devpath_resource(d_opt,
+ conf->dc->device, args_sigfile_default);
+ talloc_free(args_sigfile_default);
+
if (root) {
opt->boot_args = talloc_asprintf(opt, "root=%s %s", root, args);
talloc_free(args);
OpenPOWER on IntegriCloud