On 08/07/15 at 07:15am, Josh Boyer wrote:
> On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung@xxxxxxxxxx> wrote:
> > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
>
> Hm. Wasn't there code being written so that one could disable legacy
> kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
> wondering if as a general security measure we want to only have
> kexec_file available in Fedora when that is possible.
>
> I will add this patch regardless of that, but it seems like a good
> question to answer. Thanks!
>

The patches for splitting the kexec and kexec_file kconfig are in the akpm tree.
kexec_file is only for x86_64; for other arches we can only use kexec.
Even for x86_64 we still need the old kexec for the non-secureboot use case,
especially an unsigned user-compiled kernel.

Thanks
Dave

----
I'm on vacation Aug 10 - Aug 14, so I apologize that I cannot reply to email in time.