[RFC PATCH 00/13][V3] kexec: A new system call to allow in kernel loading
Dave Young
dyoung at redhat.com
Wed Jun 11 22:42:03 PDT 2014
On 06/03/14 at 09:06am, Vivek Goyal wrote:
> Hi,
>
> This is V3 of the patchset. Previous versions were posted here.
>
> V1: https://lkml.org/lkml/2013/11/20/540
> V2: https://lkml.org/lkml/2014/1/27/331
>
> Changes since v2:
>
> - Took care of most of the review comments from V2.
> - Added support for kexec/kdump on EFI systems.
> - Dropped support for loading ELF vmlinux.
>
> This patch series is generated on top of 3.15.0-rc8. It also requires a
> two patch cleanup series which is sitting in -tip tree here.
>
> https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/log/?h=x86/boot
>
> This patch series does not do kernel signature verification yet. I plan
> to post another patch series for that. Now bzImage is already signed
> with PKCS7 signature I plan to parse and verify those signatures.
>
> Primary goal of this patchset is to prepare groundwork so that kernel
> image can be signed and signatures be verified during kexec load. This
> should help with two things.
>
> - It should allow kexec/kdump on secureboot enabled machines.
>
> - In general it can help even without secureboot. By being able to verify
> kernel image signature in kexec, it should help with avoiding module
> signing restrictions. Matthew Garret showed how to boot into a custom
> kernel, modify first kernel's memory and then jump back to old kernel and
> bypass any policy one wants to.
>
> Any feedback is welcome.
Hi, Vivek
For efi ioremapping case, in 3.15 kernel efi runtime maps will not be saved
if efi=old_map is used. So you need detect this and fail the kexec file load.
Otherwise the patchset works for me.
Thanks
Dave
More information about the kexec
mailing list