CONFIG_KEXEC_SIG: Verify kernel signature during kexec_file_load() syscall

General informations

The Linux kernel configuration item CONFIG_KEXEC_SIG has multiple definitions:

Verify kernel signature during kexec_file_load() syscall found in kernel/Kconfig.kexec

The configuration item CONFIG_KEXEC_SIG:

• prompt: Verify kernel signature during kexec_file_load() syscall
• type: bool
• depends on: ( CONFIG_ARCH_SUPPORTS_KEXEC_SIG ) && ( CONFIG_KEXEC_FILE )
• defined in kernel/Kconfig.kexec
• found in Linux kernels: 6.6–6.12, 6.13-rc+HEAD

Help text

This option makes the kexec_file_load() syscall check for a valid signature of the kernel image. The image can still be loaded without a valid signature unless you also enable KEXEC_SIG_FORCE, though if there's a signature that we can check, then it must be valid.

In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work.

Verify kernel signature during kexec_file_load() syscall found in arch/x86/Kconfig

The configuration item CONFIG_KEXEC_SIG:

• prompt: Verify kernel signature during kexec_file_load() syscall
• type: bool
• depends on: CONFIG_KEXEC_FILE
• defined in arch/x86/Kconfig
• found in Linux kernels: 5.4–5.19, 6.0–6.5

Help text

This option makes the kexec_file_load() syscall check for a valid signature of the kernel image. The image can still be loaded without a valid signature unless you also enable KEXEC_SIG_FORCE, though if there's a signature that we can check, then it must be valid.

In addition to this option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work.

Verify kernel signature during kexec_file_load() syscall found in arch/s390/Kconfig

The configuration item CONFIG_KEXEC_SIG:

• prompt: Verify kernel signature during kexec_file_load() syscall
• type: bool
• depends on: CONFIG_KEXEC_FILE && CONFIG_MODULE_SIG_FORMAT
• defined in arch/s390/Kconfig
• found in Linux kernels: 5.4–5.19, 6.0–6.5

Help text

This option makes kernel signature verification mandatory for the kexec_file_load() syscall.

In addition to that option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work.

Verify kernel signature during kexec_file_load() syscall found in arch/arm64/Kconfig

The configuration item CONFIG_KEXEC_SIG:

• prompt: Verify kernel signature during kexec_file_load() syscall
• type: bool
• depends on: CONFIG_KEXEC_FILE
• defined in arch/arm64/Kconfig
• found in Linux kernels: 5.4–5.19, 6.0–6.5

Help text

Select this option to verify a signature with loaded kernel image. If configured, any attempt of loading a image without valid signature will fail.

In addition to that option, you need to enable signature verification for the corresponding kernel image type being loaded in order for this to work.

Hardware

LKDDb

Raw data from LKDDb:

• (none)

Sources

This page is automaticly generated with free (libre, open) software lkddb(see lkddb-sources).

The data is retrived from:

• Linux kernel
• Linux Kernel Driver DataBase (LKDDb)

Automatic links from Google (and ads)

Custom Search

Popular queries: