[PATCH v4 5/5] kexec: document -s, -c and -a options.

Michal Suchánek msuchanek at suse.de
Thu Mar 15 04:44:27 PDT 2018


On Wed, 14 Mar 2018 15:50:31 +0800
Dave Young <dyoung at redhat.com> wrote:

> On 03/14/18 at 08:25am, Michal Suchánek wrote:
> > On Wed, 14 Mar 2018 11:41:30 +0800
> > Dave Young <dyoung at redhat.com> wrote:
> >   
> > > On 03/06/18 at 02:15pm, Michal Suchanek wrote:  
> > > > Signed-off-by: Michal Suchanek <msuchanek at suse.de>
> > > > ---
> > > >  kexec/kexec.8 | 15 +++++++++++++++
> > > >  1 file changed, 15 insertions(+)
> > > > 
> > > > diff --git a/kexec/kexec.8 b/kexec/kexec.8
> > > > index e0131b4ea827..b3543db3f413 100644
> > > > --- a/kexec/kexec.8
> > > > +++ b/kexec/kexec.8
> > > > @@ -144,6 +144,21 @@ Load the new kernel for use on panic.
> > > >  Specify that the new kernel is of this
> > > >  .I type.
> > > >  .TP
> > > > +.BI \-s\ (\-\-kexec-file-syscall)
> > > > +Specify that the new KEXEC_FILE_LOAD syscall should be used
> > > > exclusively.    
> > > 
> > > Maybe better to be simple like below:
> > > "Use kexec_file_load syscall to load the new kernel."
> > > 
> > >   
> > > > +.TP
> > > > +.BI \-c\ (\-\-kexec-syscall)
> > > > +Specify that the old KEXEC_LOAD syscall should be used
> > > > exclusively (the default).    
> > > 
> > > similarly:
> > > "Use kexec_load syscall to load the new kernel."
> > >   
> > > > +.TP
> > > > +.BI \-a\ (\-\-kexec-syscall-auto)
> > > > +Try the new simpler KEXEC_FILE_LOAD syscall first and if it is
> > > > not supported +fall back to the old KEXEC_LOAD interface.
> > > > +
> > > > +There is no one single interface that always works.
> > > > KEXEC_FILE_LOAD is required +on systems that use locked-down
> > > > secure boot to verify the kernel signature. +KEXEC_LOAD is
> > > > required for some kernel image formats and on architectures
> > > > that +do not support KEXEC_FILE_LOAD.    
> > > 
> > > It seems not good to say kexec_file_load is simpler and newer.
> > > Also it is not a must for Secure Boot and locked down kernel
> > > only. So it would be better to just simplify and use the first
> > > paragraph:
> > > 
> > > "Try kexec_file_load syscall first and if it is not supported fall
> > > back to the kexec_load syscall"  
> > 
> > There was a request for explanation so just the first paragraph will
> > not do. What is it required for other than secure boot?  
> 
> People can use kexec -s to load a signed kernel but not necessary to
> boot with Secure Boot enabled.

Is booting signed kernel without -s not supported? If so I would
consider it kexec-tools bug. And it should documented then as well I
guess.

> 
> There is no Secure Boot in powerpc, arm64 now.

Is there not yet? Anyway, the intent is to support it which is probably
the reason we have the syscall in the first place.

Thanks

Michal



More information about the kexec mailing list