config: Enable kexec bzImage signature verification

New kexec syscall (kexec_file_load()) can perform bzimage signature
verification.

This will re-enable kexec/kdump on secureboot systems using new syscall.
Currently kexec/kdump is disabled on secureboot systems.

User space (kexec-tools) will be modifed to automatically detect that
running system has secureboot enabled and use new syscall instead of
old one.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

config-x86-generic

@@ -499,8 +499,9 @@ CONFIG_VMWARE_VMCI_VSOCKETS=m
 CONFIG_XZ_DEC_X86=y
 
 CONFIG_MPILIB=y
-CONFIG_PKCS7_MESSAGE_PARSER=m
+CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_MODULE_SIG=y

config-x86_64-generic

@@ -42,6 +42,9 @@ CONFIG_CGROUP_HUGETLB=y
 CONFIG_MEM_SOFT_DIRTY=y
 
 CONFIG_KEXEC_JUMP=y
+CONFIG_KEXEC_FILE=y
+CONFIG_KEXEC_VERIFY_SIG=y
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 
 CONFIG_ACPI_HOTPLUG_MEMORY=y