[PATCHv7 00/13] kexec: Use BPF lskel to enable kexec to load PE format boot image
Andrew Morton
akpm at linux-foundation.org
Mon Mar 23 12:02:02 PDT 2026
On Sun, 22 Mar 2026 09:43:49 +0800 Pingfan Liu <piliu at redhat.com> wrote:
> Nowadays, UEFI PE bootable images are becoming increasingly popular
> among distributions. Currently, we have several kinds of image format
> parsers in user space (kexec-tools). However, this approach breaks the
> integrity protection of the images. To address this integrity protection
> concern, several approaches have been proposed to resolve this issue,
> but none of them have been accepted upstream yet.
>
> The summary of those approaches:
> -1. UEFI service emulator for UEFI stub
> -2. PE format parser in kernel
> -3. Signing the arm64/boot/Image
>
>
> For the first approach, I tried a purgatory-style emulator [1], but it
> encounters hardware scaling issues. For the second approach, both
> zboot-format [2] and UKI-format [3] parsers were rejected due to
> concerns that variant format parsers would bloat the kernel code.
> Additionally, for example in arm64, both UKI and zboot format parsers
> would need to be introduced and chained together to handle image
> loading. For the third approach, I attempted [4], but since zboot or UKI
> images already have signatures, upstream maintainers dislike the
> additional signature on the Image. Moreover, for secure boot UKI, this
> method cannot use signatures to protect the initramfs.
>
>
> *** The approach in this series ***
>
> This series introduces an approach that allows image formats to be
> parsed by BPF programs.

AI review has a ton of questions:

https://sashiko.dev/#/patchset/20260322014402.8815-1-piliu@redhat.com

Coverage is partial because some patches didn't apply. Probably some
of these questions are legitimate, others will be false positives -
we're still figuring this out.