[PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot
Vivek Goyal
vgoyal at redhat.com
Mon Aug 10 12:09:56 UTC 2015
On Mon, Aug 10, 2015 at 07:34:48PM +0800, Dave Young wrote:
> On 08/07/15 at 09:09am, Vivek Goyal wrote:
> > On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote:
> > > On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung at redhat.com> wrote:
> > > > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > > > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
> > >
> > > Hm. Wasn't there code being written so that one could disable legacy
> > > kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
> > > wondering if as a general security measure we want to only have
> > > kexec_file available in Fedora when that is possible.
> >
> > The way config options are in fedora, kexec_file() enforces signature
> > verification. So if you disable legacy kexec, then it will not be possible
> > to kexec unsigned kernels.
> >
> > I think we should be able to modify kexec_file() such that it enfornces
> > signature only when secureboot is enabled otherwise acts like a legacy
> > call. Then we should be able to get rid of legacy kexec call.
>
> But there are still use case that one need enforce verifying signature even without secure boot..
That can be managed with the help of a kernel config options and those who
always need to verify signature will select that option.
Thanks
Vivek
More information about the kernel
mailing list