[PATCHv7 00/13] kexec: Use BPF lskel to enable kexec to load PE format boot image
Pingfan Liu
piliu at redhat.com
Tue Mar 24 00:09:48 PDT 2026
On Tue, Mar 24, 2026 at 3:02 AM Andrew Morton <akpm at linux-foundation.org> wrote:
>
> On Sun, 22 Mar 2026 09:43:49 +0800 Pingfan Liu <piliu at redhat.com> wrote:
>
> > Nowadays, UEFI PE bootable images are becoming increasingly popular
> > among distributions. Currently, we have several kinds of image format
> > parsers in user space (kexec-tools). However, this approach breaks the
> > integrity protection of the images. To address this integrity protection
> > concern, several approaches have been proposed to resolve this issue,
> > but none of them have been accepted upstream yet.
> >
> > The summary of those approaches:
> > -1. UEFI service emulator for UEFI stub
> > -2. PE format parser in kernel
> > -3. Signing the arm64/boot/Image
> >
> >
> > For the first approach, I tried a purgatory-style emulator [1], but it
> > encounters hardware scaling issues. For the second approach, both
> > zboot-format [2] and UKI-format [3] parsers were rejected due to
> > concerns that variant format parsers would bloat the kernel code.
> > Additionally, for example in arm64, both UKI and zboot format parsers
> > would need to be introduced and chained together to handle image
> > loading. For the third approach, I attempted [4], but since zboot or UKI
> > images already have signatures, upstream maintainers dislike the
> > additional signature on the Image. Moreover, for secure boot UKI, this
> > method cannot use signatures to protect the initramfs.
> >
> >
> > *** The approach in this series ***
> >
> > This series introduces an approach that allows image formats to be
> > parsed by BPF programs.
>
> AI review has a ton of questions:
> https://sashiko.dev/#/patchset/20260322014402.8815-1-piliu@redhat.com
>
> Coverage is partial because some patches didn't apply. Probably some
> of these questions are legitimate, others will be false positives -
> we're still figuring this out.
>
Thank you, I will check them too.
Best Regards,
Pingfan
More information about the kexec
mailing list