[PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec
H. Peter Anvin
hpa at zytor.com
Thu Jan 2 15:56:47 EST 2014
On 01/02/2014 12:39 PM, Vivek Goyal wrote:
>
> If secureboot is enabled, it enforces module signature verification. I
> think similar will happen for kexec too. How would kernel know that on
> a secureboot platform fd original verification will happen and it is
> sufficient.
>
> I personally want to support bzImage as well (apart from ELF) because
> distributions has been shipping bzImage for a long time and I don't
> want to enforce a change there because of secureboot. It is not necessary.
> Right now I am thinking more about storing detached bzImage signatures
> and passing those signatures to kexec system call.
>
Since the secureboot scenario probably means people will be signing
those kernels, and those kernels are going to be EFI images, that in
order to have "one kernel, one signature" there will be a desire to
support signed PE images. Yes, PE is ugly but it shouldn't be too bad.
However, it is probably one of those things that can be dealt with one
bit at a time.
-hpa
More information about the kexec
mailing list