[PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec

Josh Boyer jwboyer at fedoraproject.org
Mon Jan 6 16:33:52 EST 2014


On Thu, Jan 2, 2014 at 3:56 PM, H. Peter Anvin <hpa at zytor.com> wrote:
> On 01/02/2014 12:39 PM, Vivek Goyal wrote:
>>
>> If secureboot is enabled, it enforces module signature verification. I
>> think similar will happen for kexec too. How would kernel know that on
>> a secureboot platform fd original verification will happen and it is
>> sufficient.
>>
>> I personally want to support bzImage as well (apart from ELF) because
>> distributions has been shipping bzImage for a long time and I don't
>> want to enforce a change there because of secureboot. It is not necessary.
>> Right now I am thinking more about storing detached bzImage signatures
>> and passing those signatures to kexec system call.
>>
>
> Since the secureboot scenario probably means people will be signing
> those kernels, and those kernels are going to be EFI images, that in
> order to have "one kernel, one signature" there will be a desire to
> support signed PE images.  Yes, PE is ugly but it shouldn't be too bad.
>  However, it is probably one of those things that can be dealt with one
> bit at a time.

David Howells posted patches to support signed PE binaries early last
year.  They were rejected rather quickly.

https://lkml.org/lkml/2013/2/21/196

That was for loading keys via PE binaries, but the parser is needed
either way.  Unless I'm misunderstanding what you're suggesting?

josh



More information about the kexec mailing list