On 06/03/14 at 09:06am, Vivek Goyal wrote: > Hi, > > This is V3 of the patchset. Previous versions were posted here. > > V1: https://lkml.org/lkml/2013/11/20/540 > V2: https://lkml.org/lkml/2014/1/27/331 > > Changes since v2: > > - Took care of most of the review comments from V2. > - Added support for kexec/kdump on EFI systems. > - Dropped support for loading ELF vmlinux. > > This patch series is generated on top of 3.15.0-rc8. It also requires a > two patch cleanup series which is sitting in -tip tree here. > > https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/log/?h=x86/boot > > This patch series does not do kernel signature verification yet. I plan > to post another patch series for that. Now bzImage is already signed > with PKCS7 signature I plan to parse and verify those signatures. > > Primary goal of this patchset is to prepare groundwork so that kernel > image can be signed and signatures be verified during kexec load. This > should help with two things. > > - It should allow kexec/kdump on secureboot enabled machines. > > - In general it can help even without secureboot. By being able to verify > kernel image signature in kexec, it should help with avoiding module > signing restrictions. Matthew Garret showed how to boot into a custom > kernel, modify first kernel's memory and then jump back to old kernel and > bypass any policy one wants to. > > Any feedback is welcome. Hi, Vivek For efi ioremapping case, in 3.15 kernel efi runtime maps will not be saved if efi=old_map is used. So you need detect this and fail the kexec file load. Otherwise the patchset works for me. Thanks Dave