On Wed, 2019-08-28 at 20:38 -0300, Thiago Jung Bauermann wrote:

Hello Mimi,

Mimi Zohar [off-list ref] writes:

quoted

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image can be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.

This patch adds support for detecting a kernel image signed with an
appended signature and updates the existing test messages
appropriately.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for doing this!

You're welcome.  This isn't in lieu of a proper regression test that
verifies the IMA measurement list template modsig and d-modsig data
fields.  That still needs to be written.

thanks,

Mimi