On Thu, Jun 12, 2014 at 01:42:03PM +0800, Dave Young wrote:
> On 06/03/14 at 09:06am, Vivek Goyal wrote:
> > Hi,
> >
> > This is V3 of the patchset. Previous versions were posted here.
> >
> > V1: https://lkml.org/lkml/2013/11/20/540
> > V2: https://lkml.org/lkml/2014/1/27/331
> >
> > Changes since v2:
> >
> > - Took care of most of the review comments from V2.
> > - Added support for kexec/kdump on EFI systems.
> > - Dropped support for loading ELF vmlinux.
> >
> > This patch series is generated on top of 3.15.0-rc8. It also requires a
> > two patch cleanup series which is sitting in -tip tree here.
> >
> > https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/log/?h=x86/boot
> >
> > This patch series does not do kernel signature verification yet. I plan
> > to post another patch series for that. Now bzImage is already signed
> > with PKCS7 signature I plan to parse and verify those signatures.
> >
> > Primary goal of this patchset is to prepare groundwork so that kernel
> > image can be signed and signatures be verified during kexec load. This
> > should help with two things.
> >
> > - It should allow kexec/kdump on secureboot enabled machines.
> >
> > - In general it can help even without secureboot. By being able to verify
> >   kernel image signature in kexec, it should help with avoiding module
> >   signing restrictions. Matthew Garrett showed how to boot into a custom
> >   kernel, modify first kernel's memory and then jump back to old kernel and
> >   bypass any policy one wants to.
> >
> > Any feedback is welcome.
>
> Hi, Vivek
>
> For efi ioremapping case, in 3.15 kernel efi runtime maps will not be saved
> if efi=old_map is used. So you need to detect this and fail the kexec file load.
>
> Otherwise the patchset works for me.

Thanks Dave. I will make sure that in case of old mapping, kexec loading
fails. I don't want to be supporting that old "noefi" mode in this new
system call. Even SGI is planning to fix their firmware to support 1:1
mapping.

Thanks
Vivek