On Tue, 21 Jun 2016 16:48:32 -0300 Thiago Jung Bauermann <bauerman at linux.vnet.ibm.com> wrote: > Hello, > > This patch series implements the kexec_file_load system call on > PowerPC. > > This system call moves the reading of the kernel, initrd and the > device tree from the userspace kexec tool to the kernel. This is > needed if you want to do one or both of the following: > > 1. only allow loading of signed kernels. > 2. "measure" (i.e., record the hashes of) the kernel, initrd, kernel > command line and other boot inputs for the Integrity Measurement > Architecture subsystem. > > The above are the functions kexec already has built into > kexec_file_load. Yesterday I posted a set of patches which allows a > third feature: > > 3. have IMA pass-on its event log (where integrity measurements are > registered) accross kexec to the second kernel, so that the event > history is preserved. OK.. and this is safe? Do both the kernels need to be signed by the same certificate? Balbir Singh
