On 08/07/15 at 09:09am, Vivek Goyal wrote: > On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote: > > On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung@xxxxxxxxxx> wrote: > > > Kexec reboot in case secure boot enabled does not keep the secure boot mode > > > in new kernel, so later one can load unsigned kernel via legacy kexec_load. > > > > Hm. Wasn't there code being written so that one could disable legacy > > kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm > > wondering if as a general security measure we want to only have > > kexec_file available in Fedora when that is possible. > > The way config options are in fedora, kexec_file() enforces signature > verification. So if you disable legacy kexec, then it will not be possible > to kexec unsigned kernels. > > I think we should be able to modify kexec_file() such that it enfornces > signature only when secureboot is enabled otherwise acts like a legacy > call. Then we should be able to get rid of legacy kexec call. But there are still use case that one need enforce verifying signature even without secure boot.. > > But there is a long way to go before we get there. legacy call is well > tested and new call is barely used anywhere. First we need to have > confidence that new call can handle most of the use cases. > > Thanks > Vivek Thanks Dave _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
