[snip]

> Now, going back to the more fundamental issue raised in my first reply,
> about the kernel command line.
>
> On x86, I can see that it _is_ possible for userspace to specify a
> command line, and the kernel loading the image provides the command
> line to the to-be-kexeced kernel with very little checking. So, if
> your kernel is signed, what stops the "insecure userspace" loading
> a signed kernel but giving it an insecure rootfs and/or console?

The kexec_file_load syscall was introduced for secure boot in the first place.
In the case of UEFI secure boot, the signature verification chain only covers
kernel mode binaries. I think there is such a problem in both normal boot and
kexec boot.

Thanks
Dave