On Mon, Aug 10, 2015 at 07:34:48PM +0800, Dave Young wrote: > On 08/07/15 at 09:09am, Vivek Goyal wrote: > > On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote: > > > On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung@xxxxxxxxxx> wrote: > > > > Kexec reboot in case secure boot enabled does not keep the secure boot mode > > > > in new kernel, so later one can load unsigned kernel via legacy kexec_load. > > > > > > Hm. Wasn't there code being written so that one could disable legacy > > > kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm > > > wondering if as a general security measure we want to only have > > > kexec_file available in Fedora when that is possible. > > > > The way config options are in fedora, kexec_file() enforces signature > > verification. So if you disable legacy kexec, then it will not be possible > > to kexec unsigned kernels. > > > > I think we should be able to modify kexec_file() such that it enfornces > > signature only when secureboot is enabled otherwise acts like a legacy > > call. Then we should be able to get rid of legacy kexec call. > > But there are still use case that one need enforce verifying signature even without secure boot.. That can be managed with the help of a kernel config options and those who always need to verify signature will select that option. Thanks Vivek _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
