Enabling secureboot or secure modules disables loading a kexec kernel. This
also disables the kdump feature.

These kernel patches add infrastructure which should allow signing
/sbin/kexec, extending the trust chain to user space and allowing the kernel
to be loaded securely.

I have put some details of the problems and solution here.

http://people.redhat.com/vgoyal/kdump-secureboot/kdump-secureboot-summary.txt
https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot

There are other changes for kexec-tools and ima-evm-utils. Those will be
posted separately a little later.

Please review.

Thanks
Vivek

Vivek Goyal (19):
  system_keyring: Make keyring searchable for root
  mm: vm_brk(), align the length to page boundary
  integrity: Add a function to determine digital signature length
  ima: Allow adding more memory locking metadata after digital signature v2
  integrity: Allow digital signature verification with a given keyring ptr
  integrity-export-a-function-to-retrieve-hash-alog-from-digsig
  export-ima-function-to-verify-integrity
  mm: Define a task flag MMF_VM_LOCKED for memlocked tasks and don't allow munlock
  binfmt_elf: Elf executable signature verification
  ima: define functions to appraise memory buffer contents
  keyctl: Introduce a new operation KEYCTL_VERIFY_SIGNATURE
  ptrace: Do not allow ptrace() from unsigned process to signed one
  binfmt_elf: Do not mark process signed if binary has elf interpreter
  kexec: Allow only signed processes to call sys_kexec() in secureboot mode
  kexec: Export sysfs attributes for secureboot and secure modules to user space
  kexec: Remove the loading restrictions of secure_modules() now
  bootparam: Pass acpi_rsdp pointer in bootparam
  modsign_uefi: Do not load uefi certs in kdump kernel
  keys: Chagne default lookup method for key type asymmetric

 arch/x86/include/uapi/asm/bootparam.h    |   3 +-
 arch/x86/kernel/acpi/boot.c              |   5 +
 crypto/asymmetric_keys/asymmetric_type.c |   1 +
 drivers/acpi/osl.c                       |  10 ++
 fs/Kconfig.binfmt                        |  13 +++
 fs/binfmt_elf.c                          | 103 +++++++++++++++++-
 include/linux/acpi.h                     |   1 +
 include/linux/compat.h                   |   4 +-
 include/linux/cred.h                     |   2 +
 include/linux/ima.h                      |  27 +++++
 include/linux/integrity.h                |  19 ++++
 include/linux/sched.h                    |   2 +
 include/linux/syscalls.h                 |   3 +-
 include/uapi/linux/keyctl.h              |  16 +++
 kernel/cred.c                            |   2 +
 kernel/kexec.c                           |  32 ++++--
 kernel/ksysfs.c                          |  20 ++++
 kernel/modsign_uefi.c                    |   9 ++
 kernel/system_keyring.c                  |   2 +-
 mm/mlock.c                               |   6 ++
 mm/mmap.c                                |   8 +-
 security/commoncap.c                     |  11 ++
 security/integrity/digsig.c              | 180 +++++++++++++++++++++++++++++--
 security/integrity/digsig_asymmetric.c   |  18 +---
 security/integrity/ima/ima_api.c         |  51 +++++++++
 security/integrity/ima/ima_appraise.c    | 131 +++++++++++++++++++++-
 security/integrity/integrity.h           |  35 ++++--
 security/keys/compat.c                   |  31 +++++-
 security/keys/internal.h                 |   2 +
 security/keys/keyctl.c                   |  83 +++++++++++++-
 30 files changed, 779 insertions(+), 51 deletions(-)

-- 
1.8.3.1