On Mon, Aug 10, 2015 at 07:34:48PM +0800, Dave Young wrote:
> On 08/07/15 at 09:09am, Vivek Goyal wrote:
> > On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote:
> > > On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung(a)redhat.com> wrote:
> > > > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > > > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
> > >
> > > Hm. Wasn't there code being written so that one could disable legacy
> > > kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
> > > wondering if as a general security measure we want to only have
> > > kexec_file available in Fedora when that is possible.
> >
> > The way config options are in fedora, kexec_file() enforces signature
> > verification. So if you disable legacy kexec, then it will not be possible
> > to kexec unsigned kernels.
> >
> > I think we should be able to modify kexec_file() such that it enforces
> > signature only when secureboot is enabled otherwise acts like a legacy
> > call. Then we should be able to get rid of legacy kexec call.
>
> But there are still use cases where one needs to enforce signature verification even
> without secure boot.
That can be managed with the help of a kernel config options and those who
always need to verify signature will select that option.
Thanks
Vivek
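As an added defender-side check that is not part of this thread: the script below reports whether a host is in the state Dave describes (secure boot on, but the legacy kexec_load path still usable for unsigned kernels). It assumes the Linux efivars layout of the SecureBoot variable, the kernel.kexec_load_disabled sysctl, and the CONFIG_KEXEC / CONFIG_KEXEC_VERIFY_SIG symbol names of the kernel era this thread discusses; every input is a file path, so it can also run against captured copies of those files.

```shell
#!/bin/sh
# Audit helper added for illustration; not code from the thread or from the kernel.
# It answers: can an unsigned kernel still be loaded via legacy kexec_load here,
# and is the machine booted with secure boot on (where that matters most)?

# Decode an efivars SecureBoot file: 4 bytes of EFI attributes, then 1 data byte.
# Typical path: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
secureboot_state() {
    var="$1"
    [ -r "$var" ] || { echo unknown; return; }
    v=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    case "$v" in 1) echo enabled ;; 0) echo disabled ;; *) echo unknown ;; esac
}

# Value of a CONFIG_ symbol in a plain-text kernel config (zcat /proc/config.gz).
# Prints y, m or n (n also when the symbol is absent or commented out).
kconfig_value() {
    sym="$1"; cfg="$2"
    if grep -q "^${sym}=y" "$cfg"; then echo y
    elif grep -q "^${sym}=m" "$cfg"; then echo m
    else echo n; fi
}

# Verdict. Arguments: SecureBoot efivar file, kernel config file,
# kexec_load_disabled sysctl file (e.g. /proc/sys/kernel/kexec_load_disabled).
# CONFIG_KEXEC gates the legacy kexec_load syscall; CONFIG_KEXEC_VERIFY_SIG is the
# 2015-era name for kexec_file signature checking (later renamed CONFIG_KEXEC_SIG).
kexec_verdict() {
    sb=$(secureboot_state "$1")
    legacy=$(kconfig_value CONFIG_KEXEC "$2")
    sig=$(kconfig_value CONFIG_KEXEC_VERIFY_SIG "$2")
    disabled=$(cat "$3" 2>/dev/null || echo 0)
    if [ "$legacy" = n ] || [ "$disabled" = 1 ]; then
        echo "ok: legacy kexec_load unavailable; kexec_file signature check=$sig"
    elif [ "$sb" = enabled ]; then
        echo "exposed: secure boot on but legacy kexec_load still permitted"
    else
        echo "legacy kexec_load permitted (secure boot $sb)"
    fi
}
```

On a live system the three paths are the efivar file, a decompressed /proc/config.gz, and /proc/sys/kernel/kexec_load_disabled; writing 1 to the latter is a one-way switch that closes the legacy path until reboot.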