[PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot
Dave Young
dyoung at redhat.com
Mon Aug 10 11:44:59 UTC 2015
On 08/07/15 at 10:57am, Vivek Goyal wrote:
> On Fri, Aug 07, 2015 at 10:32:57AM -0400, Josh Boyer wrote:
> > On Fri, Aug 07, 2015 at 09:09:43AM -0400, Vivek Goyal wrote:
> > > On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote:
> > > > On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung at redhat.com> wrote:
> > > > > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > > > > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
> > > >
> > > > Hm. Wasn't there code being written so that one could disable legacy
> > > > kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
> > > > wondering if as a general security measure we want to only have
> > > > kexec_file available in Fedora when that is possible.
> > >
> > > The way config options are in fedora, kexec_file() enforces signature
> > > verification. So if you disable legacy kexec, then it will not be possible
> > > to kexec unsigned kernels.
> >
> > Yes, which is what I was thinking we would want. However, I suppose
> > people might still wish to build and kexec unsigned kernels on non-SB
> > machines so that's probably not the right choice. Bummer.
> >
> > > I think we should be able to modify kexec_file() such that it enfornces
> > > signature only when secureboot is enabled otherwise acts like a legacy
> > > call. Then we should be able to get rid of legacy kexec call.
> >
> > Right, but then we'd still have to carry Dave's patch because it will
> > run into the same issue legacy kexec has today.
>
> Right. I think Dave's patch is required anyway.
>
> >
> > > But there is a long way to go before we get there. legacy call is well
> > > tested and new call is barely used anywhere. First we need to have
> > > confidence that new call can handle most of the use cases.
> >
> > Out of curiosity, does kexec-tools use the new system call by default?
> > I suppose that would be one way to get it tested in a broad manner.
>
> Right now kexec-tools switch to new call only if machine is secureboot
> enabled. Otherwise they default to old call.
>
> I think first somebody needs to audit kexec-tools code and see if all
> major features we suppor there are available in new call or not. And then
> one can think of switching default in kexec-tools.
I think we can not switch to kexec_file only because one
need signature verifying for non secure boot case, we
probably still need another option to disable enforcing
verification. Befor we find a better solution we still need
maintain both kexec and kexec_file.
>
> Thanks
> Vivek
> _______________________________________________
> kernel mailing list
> kernel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/kernel
More information about the kernel
mailing list