On Fri, Jan 11, 2013 at 01:03:41PM -0800, H. Peter Anvin wrote: > On 01/11/2013 12:52 PM, Vivek Goyal wrote: > > > > Eric, > > > > In a private conversation, David Howells suggested why not pass kernel > > signature in a segment to kernel and kernel can do the verification. > > > > /sbin/kexec signature is verified by kernel at exec() time. Then > > /sbin/kexec just passes one signature segment (after regular segment) for > > each segment being loaded. The segments which don't have signature, > > are passed with section size 0. And signature passing behavior can be > > controlled by one new kexec flag. > > > > That way /sbin/kexec does not have to worry about doing any verification > > by itself. In fact, I am not sure how it can do the verification when > > crypto libraries it will need are not signed (assuming they are not > > statically linked in). > > > > What do you think about this idea? > > > > A signed /sbin/kexec would realistically have to be statically linked, > at least in the short term; otherwise the libraries and ld.so would need > verification as well. Yes. That's the expectation. Sign only statically linked exeutables which don't do any of dlopen() stuff either. In fact in the patch, I fail the exec() if signed executable has interpreter. Thanks Vivek