On Tue, Sep 10, 2013 at 11:02 PM, Dave Young <dyoung(a)redhat.com> wrote:
On 09/04/13 at 09:56pm, Vivek Goyal wrote:
> With secureboot enabled, we don't even trust root. And when kexec is launched
> it might happen that root has already rigged /proc and /sys which kexec
> reads to get important data.
> So create a private mount namespace which is not visible to root, unmount
> old /proc and /sys and remount these to get to actual data kernel exported.
kexec will also use /sys/kernel/debug/boot_params, I want to copy efi_info from
there for efi runtime support. So could you remount debugfs as well?
Hm. That might actually be a bad thing. The debugfs filesystem is
intentionally not something userspace is supposed to rely on. The
files provided and the content within the files can and will change
significantly from kernel to kernel.
it might be better to export boot_params in something that is
considered more stable than debugfs.