[PATCH 0/6] kexec: A new system call to allow in kernel loading
Eric W. Biederman
ebiederm at xmission.com
Thu Nov 21 18:07:04 EST 2013
Vivek Goyal <vgoyal at redhat.com> writes:
> Current proposed secureboot implementation disables kexec/kdump because
> it can allow unsigned kernel to run on a secureboot platform. Intial
> idea was to sign /sbin/kexec binary and let that binary do the kernel
> signature verification. I had posted RFC patches for this apparoach
> Later we had discussion at Plumbers and most of the people thought
> that signing and trusting /sbin/kexec is becoming complex. So a
> better idea might be let kernel do the signature verification of
> new kernel being loaded. This calls for implementing a new system call
> and moving lot of user space code in kernel.
> kexec_load() system call allows loading a kexec/kdump kernel and jump
> to that kernel at right time. Though a lot of processing is done in
> user space which prepares a list of segments/buffers to be loaded and
> kexec_load() works on that list of segments. It does not know what's
> contained in those segments.
> Now a new system call kexec_file_load() is implemented which takes
> kernel fd and initrd fd as parameters. Now kernel should be able
> to verify signature of newly loaded kernel.
> This is an early RFC patchset. I have not done signature handling
> part yet. This is more of a minimal patch to show how new system
> call and functionality will look like. Right now it can only handle
> bzImage with 64bit entry point on x86_64. No EFI, no x86_32 or any
> other architecture. Rest of the things can be added slowly as need
> arises. In first iteration, I have tried to address most common use case
> for us.
> Any feedback is welcome.
Before you are done we need an ELF loader. bzImage really is very
uninteresting. To the point I am not at all convinced that an in kernel
loader should support it.
There is also a huge missing piece of this in that your purgatory is not
checking a hash of the loaded image before jumping too it. Without that
this is a huge regression at least for the kexec on panic case. We
absolutely need to check that the kernel sitting around in memory has
not been corrupted before we let it run very far.
More information about the kexec