On Mon, Dec 9, 2013 at 4:34 PM, H. Peter Anvin <hpa at zytor.com> wrote: > On 12/09/2013 04:16 PM, Kees Cook wrote: >> For general-purpose (i.e. distro) kernel builds it makes sense to build with >> CONFIG_KEXEC to allow end users to choose what kind of things they want to do >> with kexec. However, in the face of trying to lock down a system with such >> a kernel, there needs to be a way to disable kexec (much like module loading >> can be disabled). Without this, it is too easy for the root user to modify >> kernel memory even when CONFIG_STRICT_DEVMEM and modules_disabled are set. >> >> Signed-off-by: Kees Cook <keescook at chromium.org> >> Acked-by: Rik van Riel <riel at redhat.com> > > So the logic is to load a crashkernel and then lock down the machine > before services, networking etc. are enabled? Right, or to just turn it off at boot time if kexec will not be used at all. -Kees -- Kees Cook Chrome OS Security
