From 86c9d34380b0074dab1ba89a569a94280d6999c4 Mon Sep 17 00:00:00 2001 From: "tpearson@raptorengineering.com" Date: Thu, 18 Aug 2016 04:45:47 -0500 Subject: Add support for GPG signature enforcement on booted kernels and related blobs This can be used to implement a form of organization-controlled secure boot, whereby kernels may be loaded from a variety of sources but they will only boot if a valid signature file is found for each component, and only if the signature is listed in the /etc/pb-lockdown file. Signed-off-by: Timothy Pearson Signed-off-by: Samuel Mendoza-Jonas (Minor build fixes and gpgme.m4, comment on secure boot in gpg.c) --- discover/kboot-parser.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'discover/kboot-parser.c') diff --git a/discover/kboot-parser.c b/discover/kboot-parser.c index cebe787..f7f75e0 100644 --- a/discover/kboot-parser.c +++ b/discover/kboot-parser.c @@ -96,6 +96,12 @@ out_add: d_opt->boot_image = create_devpath_resource(d_opt, conf->dc->device, value); + char* args_sigfile_default = talloc_asprintf(d_opt, + "%s.cmdline.sig", value); + d_opt->args_sig_file = create_devpath_resource(d_opt, + conf->dc->device, args_sigfile_default); + talloc_free(args_sigfile_default); + if (root) { opt->boot_args = talloc_asprintf(opt, "root=%s %s", root, args); talloc_free(args); -- cgit v1.2.1
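Review bot: The result of `talloc_asprintf()` for `args_sigfile_default` is passed to `create_devpath_resource()` without a NULL check, so an allocation failure hands that helper a NULL path; how it handles NULL is not visible in this hunk. Because this value feeds signature enforcement, the failure case should be explicit: guard the call with `if (args_sigfile_default)` and set `d_opt->args_sig_file = NULL;` in the else branch. The verification code, which is outside this hunk, should then treat a missing `args_sig_file` as a failed check rather than as nothing to verify. The signature path is built from `value`, which presumably comes from the parsed config on the boot device, so a short comment such as `/* default location only; path is untrusted until the GPG check passes */` would help the next reader. The enclosing function starts and ends outside the hunk.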