[Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdump implementation
Vivek Goyal
vgoyal at redhat.com
Fri Jan 11 16:08:01 EST 2013
On Fri, Jan 11, 2013 at 01:03:41PM -0800, H. Peter Anvin wrote:
> On 01/11/2013 12:52 PM, Vivek Goyal wrote:
> >
> > Eric,
> >
> > In a private conversation, David Howells suggested why not pass kernel
> > signature in a segment to kernel and kernel can do the verification.
> >
> > /sbin/kexec signature is verified by kernel at exec() time. Then
> > /sbin/kexec just passes one signature segment (after regular segment) for
> > each segment being loaded. The segments which don't have signature,
> > are passed with section size 0. And signature passing behavior can be
> > controlled by one new kexec flag.
> >
> > That way /sbin/kexec does not have to worry about doing any verification
> > by itself. In fact, I am not sure how it can do the verification when
> > crypto libraries it will need are not signed (assuming they are not
> > statically linked in).
> >
> > What do you think about this idea?
> >
>
> A signed /sbin/kexec would realistically have to be statically linked,
> at least in the short term; otherwise the libraries and ld.so would need
> verification as well.
Yes. That's the expectation. Sign only statically linked exeutables which
don't do any of dlopen() stuff either.
In fact in the patch, I fail the exec() if signed executable has
interpreter.
Thanks
Vivek
More information about the kexec
mailing list