On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung@xxxxxxxxxx> wrote: > Kexec reboot in case secure boot enabled does not keep the secure boot mode > in new kernel, so later one can load unsigned kernel via legacy kexec_load. Hm. Wasn't there code being written so that one could disable legacy kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm wondering if as a general security measure we want to only have kexec_file available in Fedora when that is possible. I will add this patch regardless of that, but it seems like a good question to answer. Thanks! josh > Adding a patch to fix this by retain the secure_boot flag in original kernel. > > Signed-off-by: Dave Young <dyoung@xxxxxxxxxx> > --- > kernel.spec | 2 ++ > ...uefi-copy-secure_boot-flag-in-boot-params.patch | 30 ++++++++++++++++++++++ > 2 files changed, 32 insertions(+) > create mode 100644 kexec-uefi-copy-secure_boot-flag-in-boot-params.patch > > diff --git a/kernel.spec b/kernel.spec > index e91ef9d..469a2a2 100644 > --- a/kernel.spec > +++ b/kernel.spec > @@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch > #rhbz 1244511 > Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch > > +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch > + > Patch904: kdbus.patch > > # END OF PATCH DEFINITIONS > diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch > new file mode 100644 > index 0000000..e239ea9 > --- /dev/null > +++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch > @@ -0,0 +1,30 @@ > +From: Dave Young <dyoung@xxxxxxxxxx> > + > +[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot > + > +Kexec reboot in case secure boot being enabled does not keep the secure boot > +mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. > +In this state, the system is missing the protections provided by secure boot. > + > +Adding a patch to fix this by retain the secure_boot flag in original kernel. > + > +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. > +Fixing this issue by copying secure_boot flag across kexec reboot. > + > +Signed-off-by: Dave Young <dyoung@xxxxxxxxxx> > +--- > + arch/x86/kernel/kexec-bzimage64.c | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c > +index 9642b9b..0539ec7 100644 > +--- a/arch/x86/kernel/kexec-bzimage64.c > ++++ b/arch/x86/kernel/kexec-bzimage64.c > +@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, > + if (efi_enabled(EFI_OLD_MEMMAP)) > + return 0; > + > ++ params->secure_boot = boot_params.secure_boot; > + ei->efi_loader_signature = current_ei->efi_loader_signature; > + ei->efi_systab = current_ei->efi_systab; > + ei->efi_systab_hi = current_ei->efi_systab_hi; > -- > 1.8.3.1 > > _______________________________________________ > kernel mailing list > kernel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/kernel _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
