kexec_load(2) bypasses signature verification

One Thousand Gnomes gnomes at
Wed Jun 17 03:55:20 PDT 2015

> [1] Yes, it doesn't buy all that much, since if the system is rooted
> the adversary can just replace the kernel in /boot and force a normal,
> slower reboot, but the same could be said for signed modules --- the
> adversary could just replace all of /boot/vmlinux-<kver> and
> /lib/modules/<kver>.  But both measures make it a tad more bit
> difficult, especially for the adversary to do this replacement without
> being noticed (for example linode will send me e-mail if the system
> reboots normally, but not with a kexec-mediated reboot), and for cloud
> systems where we don't have secure boot anyway, it's about the best we
> can do.

It's about the same as the protection offered by the "secure" boot
patches I've seen because they don't block all kernel boot parameters
except a whitelist and because there are a pile of other fairly
fundamental problems that probably require you also sign the root file
system, which is itself a world of pain.


More information about the kexec mailing list