On Fri, Dec 20, 2013 at 03:20:16PM -0800, Kees Cook wrote: > > If we're doing fd origin verification (not signatures), can't we > continue to use a regular bzImage? I imagine the verification function is separated from the new kexec. It gets passed the proposed new kernel file*, an optional signature file*, and maybe hints about the kernel format and system security state. With that function, you can do whatever you want. If you want to take an early positive exit due to the location of the new kernel, you're fine. Torsten