On 03/15/18 at 12:44pm, Michal Suchánek wrote: > On Wed, 14 Mar 2018 15:50:31 +0800 > Dave Young <dyoung@xxxxxxxxxx> wrote: > > > On 03/14/18 at 08:25am, Michal Suchánek wrote: > > > On Wed, 14 Mar 2018 11:41:30 +0800 > > > Dave Young <dyoung@xxxxxxxxxx> wrote: > > > > > > > On 03/06/18 at 02:15pm, Michal Suchanek wrote: > > > > > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx> > > > > > --- > > > > > kexec/kexec.8 | 15 +++++++++++++++ > > > > > 1 file changed, 15 insertions(+) > > > > > > > > > > diff --git a/kexec/kexec.8 b/kexec/kexec.8 > > > > > index e0131b4ea827..b3543db3f413 100644 > > > > > --- a/kexec/kexec.8 > > > > > +++ b/kexec/kexec.8 
> > > > > @@ -144,6 +144,21 @@ Load the new kernel for use on panic. > > > > > Specify that the new kernel is of this > > > > > .I type. > > > > > .TP > > > > > +.BI \-s\ (\-\-kexec-file-syscall) > > > > > +Specify that the new KEXEC_FILE_LOAD syscall should be used > > > > > exclusively. > > > > > > > > Maybe better to be simple like below: > > > > "Use kexec_file_load syscall to load the new kernel." > > > > > > > > > > > > > +.TP > > > > > +.BI \-c\ (\-\-kexec-syscall) > > > > > +Specify that the old KEXEC_LOAD syscall should be used > > > > > exclusively (the default). > > > > > > > > similarly: > > > > "Use kexec_load syscall to load the new kernel." > > > > > > > > > +.TP > > > > > +.BI \-a\ (\-\-kexec-syscall-auto) > > > > > +Try the new simpler KEXEC_FILE_LOAD syscall first and if it is > > > > > not supported +fall back to the old KEXEC_LOAD interface. > > > > > + > > > > > +There is no one single interface that always works. > > > > > KEXEC_FILE_LOAD is required +on systems that use locked-down > > > > > secure boot to verify the kernel signature. +KEXEC_LOAD is > > > > > required for some kernel image formats and on architectures > > > > > that +do not support KEXEC_FILE_LOAD. > > > > > > > > It seems not good to say kexec_file_load is simpler and newer. > > > > Also it is not a must for Secure Boot and locked down kernel > > > > only. So it would be better to just simplify and use the first > > > > paragraph: > > > > > > > > "Try kexec_file_load syscall first and if it is not supported fall > > > > back to the kexec_load syscall" > > > > > > There was a request for explanation so just the first paragraph will > > > not do. What is it required for other than secure boot? > > > > People can use kexec -s to load a signed kernel but not necessary to > > boot with Secure Boot enabled. > > Is booting signed kernel without -s not supported? If so I would > consider it kexec-tools bug. And it should documented then as well I > guess. 
I'm not sure I understand the question. In the kernel we split kexec
and kexec_file; they can be enabled as kernel config options separately.
If one wants a secured kexec (not UEFI Secure Boot, only signed kernel
loading) then one can only enable CONFIG_KEXEC_FILE but disable
CONFIG_KEXEC. In this case without '-s' load will fail. But if one
enabled both CONFIG_KEXEC_FILE and CONFIG_KEXEC then kexec load without
'-s' still works.

> >
> > There is no Secure Boot in powerpc, arm64 now.
>
> Is there not yet? Anyway, the intent is to support it which is probably
> the reason we have the syscall in the first place.

Secure Boot is UEFI only, AFAIK powerpc does not have UEFI, arm64 has
UEFI but I do not see Secure Boot. Also the powerpc version of
kexec_file_load does not have signature verification.

>
> Thanks
>
> Michal

Thanks
Dave

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec
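
Review bot: In the -a (--kexec-syscall-auto) entry of the kexec.8 hunk, "if it is not supported fall back to the old KEXEC_LOAD interface" does not say which failures count as "not supported", and the paragraph after it ties kernel signature verification to KEXEC_FILE_LOAD without saying what that means for an image loaded through the fallback. Suggest stating the fallback condition explicitly and adding a sentence that callers who depend on signature verification should pass -s rather than -a. The paragraph starting "There is no one single interface" applies to all three options, so it would read better outside the -a entry. The words "new simpler" and "old" are judgments the man page can drop, and the syscalls can be named in lower case (kexec_file_load, kexec_load) to match how they are referred to elsewhere in the thread.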