On Wed, 2013-03-20 at 17:11 -0400, Mimi Zohar wrote:
> On Wed, 2013-03-20 at 20:37 +0000, Matthew Garrett wrote:
> > Right, that'd be the rough idea. Any further runtime policy updates
> > would presumably need to be signed with a trusted key.
>
> I'm really sorry to belabor this point, but can kexec rely on an LSM
> label to identify a specific file, out of all the files being executed,
> in a secure boot environment? The SELinux integrity rule for kexec
> would then look something like,
>
> appraise func=BPRM_CHECK obj_type=kdump_exec_t appraise_type=imasig

It would certainly be possible to configure a system such that this was
true (assuming support for signed initramfs and restricted policy
loading), and anyone wanting to ensure that kexec only loaded trusted
binaries would have to ensure that their system was appropriately
configured. Having some mechanism to then give the kexec binary
CAP_MODIFY_KERNEL would avoid needing an extra kexec entry point.

--
Matthew Garrett | mjg59 at srcf.ucam.org
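For context on the rule quoted in the message above, the following is an added illustration of what a minimal IMA policy containing it would look like when loaded into the kernel; it is not part of the thread and not a policy from either participant. The dont_appraise lines for pseudo-filesystems are the usual boilerplate needed so that appraisal does not break /proc, /sys and friends; the assumption here is that the kexec binary is labelled kdump_exec_t by the SELinux file-context policy, that SELinux is enabled so obj_type= can match, and that the ima_appraise=enforce boot parameter and a CA certificate in the .ima keyring are present so that appraise_type=imasig can verify the signature.

```text
# Added example IMA policy (not from the thread). Assumes SELinux is active,
# ima_appraise=enforce on the kernel command line, and the signing CA loaded
# into the .ima keyring before this policy is written to
# /sys/kernel/security/ima/policy.

# Skip appraisal on pseudo-filesystems, which carry no xattrs to verify.
dont_appraise fsmagic=0x9fa0      # PROC_SUPER_MAGIC
dont_appraise fsmagic=0x62656572  # SYSFS_MAGIC
dont_appraise fsmagic=0x64626720  # DEBUGFS_MAGIC
dont_appraise fsmagic=0x01021994  # TMPFS_MAGIC
dont_appraise fsmagic=0x73636673  # SECURITYFS_MAGIC
dont_appraise fsmagic=0xf97cff8c  # SELINUX_MAGIC

# The rule from the message: only a file labelled kdump_exec_t (assumed to be
# the kexec binary) must carry a valid IMA signature to be executed.
appraise func=BPRM_CHECK obj_type=kdump_exec_t appraise_type=imasig
```

Note that this rule on its own only guarantees that the binary labelled kdump_exec_t is signed when it is executed; as the reply points out, the label itself has to be trustworthy, which in turn depends on a signed initramfs and on restricting who can load SELinux policy after boot.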