On 06/15/15 at 04:01pm, Theodore Ts'o wrote:
> On Mon, Jun 15, 2015 at 09:37:05AM -0400, Josh Boyer wrote:
> > The bits that actually read Secure Boot state out of the UEFI
> > variables, and apply protections to the machine to avoid compromise
> > under the SB threat model. Things like disabling the old kexec...
>
> I don't have any real interest in using Secure Boot, but I *am*
> interested in using CONFIG_KEXEC_VERIFY_SIG[1]. So perhaps we need to
> have something similar to what we have with signed modules in terms of
> CONFIG_MODULE_SIG_FORCE and module/sig_enforce, but for
> KEXEC_VERIFY_SIG. This would mean creating a separate flag
> independent of the one Linus suggested for Secure Boot, but since we
> have one for signed modules, we do have precedent for this sort of
> thing.

Agree and vote for this way as I replied in another email about
CONFIG_KEXEC_VERIFY_SIG_FORCE.

Thanks
Dave