On Mon, Jul 22, 2013 at 02:54:41PM -0400, Vivek Goyal wrote: > On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote: > > [..] > > Have you considered a non-cryptographic solution, like a physical > > presence check to (temporarily) disable Secure Boot so that the > > kexec restriction no longer applies? This could be a fallback > > option if the original plan turns out to be too brittle/complex. > > I think kyle has a patch which will allow disabling secureboot > restriction if one is on console. I will have to look into details > and see how can I make use of it in kexec code to relax signature > restrictions if user is on physical console. > http://pkgs.fedoraproject.org/cgit/kernel.git/tree/devel-sysrq-secure-boot-20130717.patch It still needs a bit of work for edge cases, but seems to work ok in some simple VM testing. --Kyle -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
