On Mon, Jun 15, 2015 at 08:14:19AM -0400, Josh Boyer wrote:
> Yes, which is why most of the distro vendors carry an out-of-tree
> patch that disables the old kexec in an SB setup. It would be nice if
> we could merge said patches. However, they depend on Matthew's
> secure_modules/trusted_kernel/<whatever name that works> patchset
> which has gotten little movement since we came up with a tentative
> agreement at LPC 2013.

Signed modules is in, though, right? And the fact that we have
CONFIG_SIGNED_PE_FILE_VERIFICATION means we're doing unnatural file
signatures w/o using ELF, which I thought was the basis of Linus's
accusation that Red Hat was performing intimate/physical acts with
Microsoft. :-)

I would have thought those were the nasty bits to get in; out of
curiosity, what's still missing?

Regards,

- Ted