[PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec

Josh Boyer jwboyer at fedoraproject.org
Mon Jan 6 16:33:52 EST 2014

On Thu, Jan 2, 2014 at 3:56 PM, H. Peter Anvin <hpa at zytor.com> wrote:
> On 01/02/2014 12:39 PM, Vivek Goyal wrote:
>> If secureboot is enabled, it enforces module signature verification. I
>> think similar will happen for kexec too. How would kernel know that on
>> a secureboot platform fd original verification will happen and it is
>> sufficient.
>> I personally want to support bzImage as well (apart from ELF) because
>> distributions has been shipping bzImage for a long time and I don't
>> want to enforce a change there because of secureboot. It is not necessary.
>> Right now I am thinking more about storing detached bzImage signatures
>> and passing those signatures to kexec system call.
> Since the secureboot scenario probably means people will be signing
> those kernels, and those kernels are going to be EFI images, that in
> order to have "one kernel, one signature" there will be a desire to
> support signed PE images.  Yes, PE is ugly but it shouldn't be too bad.
>  However, it is probably one of those things that can be dealt with one
> bit at a time.

David Howells posted patches to support signed PE binaries early last
year.  They were rejected rather quickly.


That was for loading keys via PE binaries, but the parser is needed
either way.  Unless I'm misunderstanding what you're suggesting?


More information about the kexec mailing list