On Fri, Jan 11, 2013 at 12:26:48PM -0800, H. Peter Anvin wrote:
> >
> >And there is nothing fancy to be done for EFI and SecureBoot? Or is
> >that something that the kernel has to handle on its own (so somehow
> >passing some certificates to somewhere).
> >
>
> For EFI, no... other than passing the EFI parameters, which
> apparently is *not* currently done (David Woodhouse is working on
> it.) Secure boot is still a work in progress.

For secureboot, as a first step in that direction, I just wrote some code
to sign elf executable and be able to verify it in kernel upon exec(). I
am soon planning to post RFC code (most likely next week).

Hopefully we will be able to sign statically signed /sbin/kexec, give it
extra capability (upon signature verification) to be able to call
sys_exec().

Thanks
Vivek