vgoyal wrote: > [...] >> Have you considered a non-cryptographic solution, like a physical >> presence check to (temporarily) disable Secure Boot so that the >> kexec restriction no longer applies? [...] > > I think kyle has a patch which will allow disabling secureboot > restriction if one is on console. [...] Considering that kexec/kdump events get triggered asynchronously (whenevery the kernel panics), someone cannot be assumed to be sitting physically at the terminal, ready to press a sysrq to make that secureboot-disabling transition. (One wouldn't want to press sysrq-foo too early, since AIUI it's a one-way transition.) - FChE -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
