[Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdump implementation
H. Peter Anvin
hpa at zytor.com
Fri Jan 11 16:14:46 EST 2013
On 01/11/2013 01:08 PM, Vivek Goyal wrote:
>>
>> A signed /sbin/kexec would realistically have to be statically linked,
>> at least in the short term; otherwise the libraries and ld.so would need
>> verification as well.
>
> Yes. That's the expectation. Sign only statically linked exeutables which
> don't do any of dlopen() stuff either.
>
> In fact in the patch, I fail the exec() if signed executable has
> interpreter.
>
As I said, though (and possibly not for kexec, that depends): in the
long term we probably want a way to be able to sign all kinds binaries
in the system.
-hpa
--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.
More information about the kexec
mailing list