Re: [PATCH v4 5/5] kexec: document -s, -c and -a options.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/15/18 at 12:44pm, Michal Suchánek wrote:
> On Wed, 14 Mar 2018 15:50:31 +0800
> Dave Young <dyoung@xxxxxxxxxx> wrote:
> 
> > On 03/14/18 at 08:25am, Michal Suchánek wrote:
> > > On Wed, 14 Mar 2018 11:41:30 +0800
> > > Dave Young <dyoung@xxxxxxxxxx> wrote:
> > >   
> > > > On 03/06/18 at 02:15pm, Michal Suchanek wrote:  
> > > > > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
> > > > > ---
> > > > >  kexec/kexec.8 | 15 +++++++++++++++
> > > > >  1 file changed, 15 insertions(+)
> > > > > 
> > > > > diff --git a/kexec/kexec.8 b/kexec/kexec.8
> > > > > index e0131b4ea827..b3543db3f413 100644
> > > > > --- a/kexec/kexec.8
> > > > > +++ b/kexec/kexec.8
> > > > > @@ -144,6 +144,21 @@ Load the new kernel for use on panic.
> > > > >  Specify that the new kernel is of this
> > > > >  .I type.
> > > > >  .TP
> > > > > +.BI \-s\ (\-\-kexec-file-syscall)
> > > > > +Specify that the new KEXEC_FILE_LOAD syscall should be used
> > > > > exclusively.    
> > > > 
> > > > Maybe better to be simple like below:
> > > > "Use kexec_file_load syscall to load the new kernel."
> > > > 
> > > >   
> > > > > +.TP
> > > > > +.BI \-c\ (\-\-kexec-syscall)
> > > > > +Specify that the old KEXEC_LOAD syscall should be used
> > > > > exclusively (the default).    
> > > > 
> > > > similarly:
> > > > "Use kexec_load syscall to load the new kernel."
> > > >   
> > > > > +.TP
> > > > > +.BI \-a\ (\-\-kexec-syscall-auto)
> > > > > +Try the new simpler KEXEC_FILE_LOAD syscall first and if it is
> > > > > not supported +fall back to the old KEXEC_LOAD interface.
> > > > > +
> > > > > +There is no one single interface that always works.
> > > > > KEXEC_FILE_LOAD is required +on systems that use locked-down
> > > > > secure boot to verify the kernel signature. +KEXEC_LOAD is
> > > > > required for some kernel image formats and on architectures
> > > > > that +do not support KEXEC_FILE_LOAD.    
> > > > 
> > > > It seems not good to say kexec_file_load is simpler and newer.
> > > > Also it is not a must for Secure Boot and locked down kernel
> > > > only. So it would be better to just simplify and use the first
> > > > paragraph:
> > > > 
> > > > "Try kexec_file_load syscall first and if it is not supported fall
> > > > back to the kexec_load syscall"  
> > > 
> > > There was a request for explanation so just the first paragraph will
> > > not do. What is it required for other than secure boot?  
> > 
> > People can use kexec -s to load a signed kernel but not necessary to
> > boot with Secure Boot enabled.
> 
> Is booting signed kernel without -s not supported? If so I would
> consider it kexec-tools bug. And it should documented then as well I
> guess.

I'm not sure I understand the question.  In kernel we splitted kexec and
kexec_file they can be enabled as kernel config options separately.  If
one want to a secured kexec (not UEFI Secure Boot, only signed kernel
loading) then one can only enable CONFIG_KEXEC_FILE but disable
CONFIG_KEXEC.  In this case without '-s' load will fail.  But if one
enabled both CONFIG_KEXEC_FILE and CONFIG_KEXEC then kexec load without
'-s' still works.

> 
> > 
> > There is no Secure Boot in powerpc, arm64 now.
> 
> Is there not yet? Anyway, the intent is to support it which is probably
> the reason we have the syscall in the first place.

Secure Boot is UEFI only, AFAIK powerpc does not have UEFI,  arm64 has
UEFI but I do not see Secure Boot.

Also powerpc version kexec_file_load does not have signature
verification.

> 
> Thanks
> 
> Michal

Thanks
Dave

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec




[Index of Archives]     [LM Sensors]     [Linux Sound]     [ALSA Users]     [ALSA Devel]     [Linux Audio Users]     [Linux Media]     [Kernel]     [Gimp]     [Yosemite News]     [Linux Media]

  Powered by Linux