F20 System Wide Change: Enable kdump on secureboot machines
Matthew Garrett
mjg59 at srcf.ucam.org
Thu Jul 18 18:57:44 UTC 2013
On Thu, Jul 18, 2013 at 08:51:36PM +0200, Miloslav Trmač wrote:
> On Thu, Jul 11, 2013 at 1:40 PM, Jaroslav Reznik <jreznik at redhat.com> wrote:
> > = Proposed System Wide Change: Enable kdump on secureboot machines =
> > https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
>
> > == Detailed description ==
> > /sbin/kexec prepares a binary blob, called purgatory. This code runs at
> > priviliged level between kernel transition. With secureboot enabled, no
> > unsigned code should run at privilige level 0, hence kexec/kdump is currently
> > disabled if secureboot is enabled.
> >
> > One proposed way to solve the problem is that sign /sbin/kexec utility. And
> > upon successful signature verification, allow it to load kernel, initramfs, and
> > binary blob. /sbin/kexec will verify signatures of kernel being loaded before
> > it asks running kernel to load it.
>
> For someone like me unfamiliar with kdump architecture, wouldn't it be
> possible to generate all relevant blobs (kdump kernel/initrd, ...) at
> kernel build time and sign them using essentially the existing module
> signing mechanism, and let the _kernel_ do all signature verification?
> Then /sbin/kexec wouldn't have to be trusted at all.
The short version of that is no, because kdump needs to build some code
at runtime. Upstream have refused to revisit that design decision.
--
Matthew Garrett | mjg59 at srcf.ucam.org
More information about the devel
mailing list