F20 System Wide Change: Enable kdump on secureboot machines
Kyle McMartin
kyle at redhat.com
Mon Jul 22 18:57:53 UTC 2013
On Mon, Jul 22, 2013 at 02:54:41PM -0400, Vivek Goyal wrote:
> On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote:
>
> [..]
> > Have you considered a non-cryptographic solution, like a physical
> > presence check to (temporarily) disable Secure Boot so that the
> > kexec restriction no longer applies? This could be a fallback
> > option if the original plan turns out to be too brittle/complex.
>
> I think kyle has a patch which will allow disabling secureboot
> restriction if one is on console. I will have to look into details
> and see how can I make use of it in kexec code to relax signature
> restrictions if user is on physical console.
>
http://pkgs.fedoraproject.org/cgit/kernel.git/tree/devel-sysrq-secure-boot-20130717.patch
It still needs a bit of work for edge cases, but seems to work ok
in some simple VM testing.
--Kyle
More information about the devel
mailing list