[RFC] Kdump with signed images.

Eric W. Biederman ebiederm at xmission.com
Tue Oct 23 12:26:32 EDT 2012


Vivek Goyal <vgoyal at redhat.com> writes:

> On Tue, Oct 23, 2012 at 11:04:29AM +0900, Simon Horman wrote:
>> On Mon, Oct 22, 2012 at 04:43:39PM -0400, Vivek Goyal wrote:
>> > On Fri, Oct 19, 2012 at 10:31:12AM -0400, Vivek Goyal wrote:
>> > 
>> > [..]
>> > > - What happens to purgatory code. It is an unsigned piece of code which
>> > >   runs in the kernel?
>> > 
>> > Thinking more about it, another not so clean proposal.
>> 
>> I have always assumed that purgatory can't be removed
>> as doing so would break backwards compatibility.
>
> Hi Simon,
>
> I think this will be a new parallel path and this new path should be taken
> only on a kernel booted with secure boot enabled. (Either automatically or
> by using some kexec command line option). So nothing should be broken
> because we never supported anything on a secure boot enabled system.

Rubbish.  Kexec works just fine today on a secure boot enabled system.
Ignoring the nonsense that there is no such thing as a secure boot
enabled Linux system.

Whatever we implement must work on all Linux systems.

If we implement an extension we also must write the code in /sbin/kexec
so that it works on older systems that do not implement that extension.

Eric
