[PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot
Dave Young
dyoung at redhat.com
Mon Aug 10 11:28:39 UTC 2015
On 08/07/15 at 07:15am, Josh Boyer wrote:
> On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung at redhat.com> wrote:
> > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
>
> Hm. Wasn't there code being written so that one could disable legacy
> kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
> wondering if as a general security measure we want to only have
> kexec_file available in Fedora when that is possible.
>
> I will add this patch regardless of that, but it seems like a good
> question to answer. Thanks!
>
The patches for splitting kexec and kexec_file kconfig is in
akpm tree. kexec_file is only for x86_64, for other arches
we can only use kexec. Even for x86_64 we still need old
kexec for non-secureboot use case especially unsigned
user compiled kernel.
Thanks
Dave
----
I'm on vacation Aug 10 - Aug 14 so apoligize that I can
not reply email in time.
More information about the kernel
mailing list