On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote:
> On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung@xxxxxxxxxx> wrote:
> > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
>
> Hm.  Wasn't there code being written so that one could disable legacy
> kexec and only have kexec_file?  Perhaps that is queued for 4.3.  I'm
> wondering if as a general security measure we want to only have
> kexec_file available in Fedora when that is possible.

The way config options are in Fedora, kexec_file() enforces signature
verification. So if you disable legacy kexec, then it will not be possible
to kexec unsigned kernels.

I think we should be able to modify kexec_file() such that it enforces
signature only when secureboot is enabled, otherwise acts like a legacy
call. Then we should be able to get rid of the legacy kexec call.

But there is a long way to go before we get there. The legacy call is well
tested and the new call is barely used anywhere. First we need to have
confidence that the new call can handle most of the use cases.

Thanks
Vivek

> I will add this patch regardless of that, but it seems like a good
> question to answer.  Thanks!
>
> josh
>
> > Adding a patch to fix this by retaining the secure_boot flag in original kernel.
> >
> > Signed-off-by: Dave Young <dyoung@xxxxxxxxxx>
> > ---
> >  kernel.spec                                        |  2 ++
> >  ...uefi-copy-secure_boot-flag-in-boot-params.patch | 30 ++++++++++++++++++++++
> >  2 files changed, 32 insertions(+)
> >  create mode 100644 kexec-uefi-copy-secure_boot-flag-in-boot-params.patch
> >
> > diff --git a/kernel.spec b/kernel.spec
> > index e91ef9d..469a2a2 100644
> > --- a/kernel.spec
> > +++ b/kernel.spec
> > @@ -587,6 +587,8 @@ Patch505: 0001-dm-fix-dm_merge_bvec-regression-on-32-bit-systems.patch > > #rhbz 1244511 > > Patch507: HID-chicony-Add-support-for-Acer-Aspire-Switch-12.patch > > > > +Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch > > + > > Patch904: kdbus.patch > > > > # END OF PATCH DEFINITIONS > > diff --git a/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch > > new file mode 100644 > > index 0000000..e239ea9 > > --- /dev/null > > +++ b/kexec-uefi-copy-secure_boot-flag-in-boot-params.patch 
> > @@ -0,0 +1,30 @@ > > +From: Dave Young <dyoung@xxxxxxxxxx> > > + > > +[PATCH] kexec/uefi: copy secure_boot flag in boot params across kexec reboot > > + > > +Kexec reboot in case secure boot being enabled does not keep the secure boot > > +mode in new kernel, so later one can load unsigned kernel via legacy kexec_load. > > +In this state, the system is missing the protections provided by secure boot. > > + > > +Adding a patch to fix this by retain the secure_boot flag in original kernel. > > + > > +secure_boot flag in boot_params is set in EFI stub, but kexec bypasses the stub. > > +Fixing this issue by copying secure_boot flag across kexec reboot. > > + > > +Signed-off-by: Dave Young <dyoung@xxxxxxxxxx> > > +--- > > + arch/x86/kernel/kexec-bzimage64.c | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c > > +index 9642b9b..0539ec7 100644 > > +--- a/arch/x86/kernel/kexec-bzimage64.c > > ++++ b/arch/x86/kernel/kexec-bzimage64.c > > +@@ -178,6 +178,7 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, > > + if (efi_enabled(EFI_OLD_MEMMAP)) > > + return 0; > > + > > ++ params->secure_boot = boot_params.secure_boot; > > + ei->efi_loader_signature = current_ei->efi_loader_signature; > > + ei->efi_systab = current_ei->efi_systab; > > + ei->efi_systab_hi = current_ei->efi_systab_hi; > > -- > > 1.8.3.1 > > > > _______________________________________________ > > kernel mailing list > > kernel@xxxxxxxxxxxxxxxxxxxxxxx > > https://admin.fedoraproject.org/mailman/listinfo/kernel _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
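Review bot: in the kernel.spec hunk, `Patch508: kexec-uefi-copy-secure_boot-flag-in-boot-params.patch` is added with no comment line above it, whereas the neighbouring `Patch507:` carries a `#rhbz 1244511` reference. Add a one-line comment above `Patch508:` (a bug reference, or a note that the patch is a local fix for the secure_boot flag being lost across kexec) so the spec records why the patch is carried and when it can be dropped.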
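Review bot: in the kexec-bzimage64.c hunk, the new `params->secure_boot = boot_params.secure_boot;` is placed after the early return `if (efi_enabled(EFI_OLD_MEMMAP)) return 0;` in setup_efi_state(), so on a system running with the old EFI memory map the assignment is skipped and the kexec'd kernel still loses the secure boot flag. Move the assignment above that check, or into the caller that fills in `params` before setup_efi_state() runs, so the flag is propagated regardless of the memmap mode. The commit message should also say that this covers only the in-kernel bzImage loader used by kexec_file_load; a boot_params assembled in user space for legacy kexec_load is not touched by this hunk.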
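The chain Dave and Vivek describe, as an added example that is not part of the thread, of Fedora's kernel or of the kexec code: a user-space C model of how the secure_boot flag in boot_params survives (or fails to survive) a kexec_file_load reboot, and what the kexec policy in the next kernel then allows. The struct, the function names and the policy rules (legacy kexec_load refused under Secure Boot, kexec_file_load requires a signed image, and Vivek's proposed single call that enforces signatures only under Secure Boot) are assumptions of this model built from the thread, not the kernel's real code paths.

```c
/* Added example, not Fedora's or the Linux kernel's code.  A user-space
 * model of the secure_boot flag travelling across a kexec reboot and of the
 * kexec load policy described in the thread.  Struct, names and policy
 * rules are assumptions of this model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum kexec_syscall { KEXEC_LOAD_LEGACY, KEXEC_FILE_LOAD };

/* Cut-down stand-in for struct boot_params (assumed layout). */
struct model_boot_params {
    uint8_t secure_boot;            /* 1 = firmware booted us with SB on */
    char    efi_loader_signature[4];
};

/* What the EFI stub does on a firmware boot: query the firmware and
 * record the Secure Boot state in boot_params. */
void model_efi_stub_boot(struct model_boot_params *bp, bool firmware_sb)
{
    memset(bp, 0, sizeof *bp);
    memcpy(bp->efi_loader_signature, "EL64", 4);
    bp->secure_boot = firmware_sb ? 1 : 0;
}

/* kexec_file_load builds the next kernel's boot_params in-kernel; the EFI
 * stub is bypassed, so nothing sets secure_boot unless it is copied.
 * copy_sb models the presence of the patch's one-line assignment. */
void model_kexec_setup_efi_state(const struct model_boot_params *cur,
                                 struct model_boot_params *next, bool copy_sb)
{
    memset(next, 0, sizeof *next);
    memcpy(next->efi_loader_signature, cur->efi_loader_signature, 4);
    if (copy_sb)
        next->secure_boot = cur->secure_boot;
    /* Without the copy next->secure_boot stays 0: the kexec'd kernel
     * believes it was not booted under Secure Boot. */
}

/* Policy as the thread describes the Fedora configuration (assumed):
 * legacy kexec_load takes a user-space-built image with no verification,
 * so it is refused under Secure Boot; kexec_file_load always verifies. */
bool model_kexec_allowed_fedora(const struct model_boot_params *bp,
                                enum kexec_syscall sc, bool image_signed)
{
    if (sc == KEXEC_LOAD_LEGACY)
        return !bp->secure_boot;
    return image_signed;
}

/* Vivek's proposal: a single call that enforces signatures only when the
 * running kernel was booted under Secure Boot, else behaves like legacy. */
bool model_kexec_allowed_proposed(const struct model_boot_params *bp,
                                  bool image_signed)
{
    return bp->secure_boot ? image_signed : true;
}

/* Firmware boots kernel 1 with SB on; kernel 1 kexec_file_loads a signed
 * kernel 2; can kernel 2 then legacy-load an unsigned kernel 3? */
bool model_unsigned_load_after_kexec(bool copy_sb)
{
    struct model_boot_params k1, k2;

    model_efi_stub_boot(&k1, true);
    if (!model_kexec_allowed_fedora(&k1, KEXEC_FILE_LOAD, true))
        return false;                       /* signed image is accepted */
    model_kexec_setup_efi_state(&k1, &k2, copy_sb);
    return model_kexec_allowed_fedora(&k2, KEXEC_LOAD_LEGACY, false);
}

/* One decision under the proposed policy for a given firmware state. */
bool model_proposed_decision(bool firmware_sb, bool image_signed)
{
    struct model_boot_params bp;

    model_efi_stub_boot(&bp, firmware_sb);
    return model_kexec_allowed_proposed(&bp, image_signed);
}

int main(void)
{
    printf("unsigned legacy load after kexec, flag not copied: %s\n",
           model_unsigned_load_after_kexec(false) ? "ALLOWED" : "refused");
    printf("unsigned legacy load after kexec, flag copied:     %s\n",
           model_unsigned_load_after_kexec(true) ? "ALLOWED" : "refused");
    printf("proposed policy, SB on, unsigned image:            %s\n",
           model_proposed_decision(true, false) ? "ALLOWED" : "refused");
    return 0;
}
```

The model makes the failure mode concrete: the second-generation kernel is a signed, verified image, yet because its boot_params were built without the EFI stub it reports secure_boot == 0 and therefore applies the non-Secure-Boot policy to its own legacy kexec_load callers. Copying the flag closes that gap for this path only; a boot_params assembled by user-space kexec-tools for legacy kexec_load is outside what the in-kernel loader fills in.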