On Fri, Nov 22, 2013 at 7:33 AM, Vivek Goyal <vgoyal at redhat.com> wrote: > On Fri, Nov 22, 2013 at 02:50:43PM +0100, Jiri Kosina wrote: >> On Fri, 22 Nov 2013, Vivek Goyal wrote: >> >> > > OTOH, does this feature make any sense whatsover on architectures that >> > > don't support secure boot anyway? >> > >> > I guess if signed modules makes sense, then being able to kexec signed >> > kernel images should make sense too, in general. >> >> Well, that's really a grey zone, I'd say. >> >> In a non-secureboot environment, if you are root, you are able to issue >> reboot into a completely different, self-made kernel anyway, independent >> on whether signed modules are used or not. > > That's a good poing. Frankly speaking I don't know if there is a good > use case to allow loading signed kernels only or not. > > Kees mentioned that he would like to know where the kernel came from > and whether it came from trusted disk or not. So he does seem to have > a use case where he wants to launch only trusted kernel or deny execution. Correct. Though to clarify, Chrome OS doesn't use UEFI SecureBoot: we have a different solution that uses dm-verity to give us a trusted read-only root filesystem. As long as things live on that filesystem, we trust them. (This is why finit_module was added, and why I wanted to make sure kexec used fd instead of "just" a memory blob.) -Kees -- Kees Cook Chrome OS Security