F20 System Wide Change: Enable kdump on secureboot machines
Frank Ch. Eigler
fche at redhat.com
Mon Jul 22 21:26:52 UTC 2013
vgoyal wrote:
> [...]
>> Have you considered a non-cryptographic solution, like a physical
>> presence check to (temporarily) disable Secure Boot so that the
>> kexec restriction no longer applies? [...]
>
> I think kyle has a patch which will allow disabling secureboot
> restriction if one is on console. [...]
Considering that kexec/kdump events get triggered asynchronously
(whenevery the kernel panics), someone cannot be assumed to be sitting
physically at the terminal, ready to press a sysrq to make that
secureboot-disabling transition. (One wouldn't want to press
sysrq-foo too early, since AIUI it's a one-way transition.)
- FChE
More information about the devel
mailing list