Re: [PATCH] kexec/uefi: copy secure boot flag in boot params across kexec reboot

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Aug 07, 2015 at 10:32:57AM -0400, Josh Boyer wrote:
> On Fri, Aug 07, 2015 at 09:09:43AM -0400, Vivek Goyal wrote:
> > On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote:
> > > On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung@xxxxxxxxxx> wrote:
> > > > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > > > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
> > > 
> > > Hm.  Wasn't there code being written so that one could disable legacy
> > > kexec and only have kexec_file?  Perhaps that is queued for 4.3.  I'm
> > > wondering if as a general security measure we want to only have
> > > kexec_file available in Fedora when that is possible.
> > 
> > The way config options are in fedora, kexec_file() enforces signature
> > verification. So if you disable legacy kexec, then it will not be possible
> > to kexec unsigned kernels.
> 
> Yes, which is what I was thinking we would want.  However, I suppose
> people might still wish to build and kexec unsigned kernels on non-SB
> machines so that's probably not the right choice.  Bummer.
> 
> > I think we should be able to modify kexec_file() such that it enfornces
> > signature only when secureboot is enabled otherwise acts like a legacy
> > call. Then we should be able to get rid of legacy kexec call. 
> 
> Right, but then we'd still have to carry Dave's patch because it will
> run into the same issue legacy kexec has today.

Right. I think Dave's patch is required anyway.

> 
> > But there is a long way to go before we get there. legacy call is well
> > tested and new call is barely used anywhere. First we need to have
> > confidence that new call can handle most of the use cases.
> 
> Out of curiosity, does kexec-tools use the new system call by default?
> I suppose that would be one way to get it tested in a broad manner.

Right now kexec-tools switch to new call only if machine is secureboot
enabled. Otherwise they default to old call.

I think first somebody needs to audit kexec-tools code and see if all
major features we suppor there are available in new call or not. And then
one can think of switching default in kexec-tools. 

Thanks
Vivek
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux