On 01/11/2013 12:52 PM, Vivek Goyal wrote: > > Eric, > > In a private conversation, David Howells suggested why not pass kernel > signature in a segment to kernel and kernel can do the verification. > > /sbin/kexec signature is verified by kernel at exec() time. Then > /sbin/kexec just passes one signature segment (after regular segment) for > each segment being loaded. The segments which don't have signature, > are passed with section size 0. And signature passing behavior can be > controlled by one new kexec flag. > > That way /sbin/kexec does not have to worry about doing any verification > by itself. In fact, I am not sure how it can do the verification when > crypto libraries it will need are not signed (assuming they are not > statically linked in). > > What do you think about this idea? > A signed /sbin/kexec would realistically have to be statically linked, at least in the short term; otherwise the libraries and ld.so would need verification as well. Now, that *might* very well have some real value -- there are certainly users out there who would very much want only binaries signed with specific keys to get run on their system. -hpa