On Wed, 20 Sept 2023 at 15:43, Dave Young <dyoung@xxxxxxxxxx> wrote: > > > > In the end the only benefit this series brings is to extend the > > > signature checking on the whole UKI except of just the kernel image. > > > Everything else can also be done in user space. Compared to the > > > problems described above this is a very small gain for me. > > > > Correct. That is the benefit of pulling the UKI apart in the > > kernel. However having to sign the kernel inside the UKI defeats > > the whole point. > > > Pingfan added the zboot load support in kexec-tools, I know that he is > trying to sign the zboot image and the inside kernel twice. So > probably there are some common areas which can be discussed. > Added Ard and Pingfan in cc. > http://lists.infradead.org/pipermail/kexec/2023-August/027674.html > Here is another thread of the initial try in kernel with a few more options eg. some fake efi service helpers. https://lore.kernel.org/linux-arm-kernel/ZBvKSis+dfnqa+Vz@xxxxxxxxxxxxxxxxxxxxxxxxxx/T/#m42abb0ad3c10126b8b3bfae8a596deb707d6f76e > > Thanks > Dave _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec
