Alexander Graf <graf@xxxxxxxxxx> writes:

> Hey Ashish,
>
> On 09.04.24 22:42, Ashish Kalra wrote:
>> From: Ashish Kalra <ashish.kalra@xxxxxxx>
>>
>> The patchset adds bits and pieces to get kexec (and crashkernel) to work on
>> SNP guest.
>
>
> With this patch set (and similar for the TDX one), you enable the
> typical kdump case, which is great!
>
> However, if a user is running with direct kernel boot - which is very
> typical in SEV-SNP setup, especially for Kata Containers and similar -
> the initial launch measurement is a natural indicator of the target
> environment. Kexec basically allows them to completely bypass that: You
> would be able to run a completely different environment than the one you
> measure through the launch digest. I'm not sure it's a good idea to even
> allow that by default in CoCo environments - at least not if the kernel
> is locked down.

Isn't it the same when we just allow loading kernel modules? I'm sure you
can also achieve a 'completely different environment' with that :-)

With SecureBoot / lockdown we normally require modules to pass signature
check; I guess we can employ the same mechanism for kexec. I.e. in
lockdown, we require signature check on the kexec-ed kernel. Also, it may
make sense to check initramfs too (with direct kernel boot it's also part
of launch measurements, right?), and there's UKI for that already.

Personally, I believe that if we simply forbid kexec for CoCo in lockdown
mode, the feature will become mostly useless in 'full stack' (which boot
through firmware) production environments.

-- 
Vitaly

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec
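The policy Vitaly proposes above (treat a kexec-ed kernel like a kernel module: under lockdown, accept it only if its signature verifies) can be written out as a small decision model. The block below is an added example for this thread, not code from the kexec list, from the SNP patchset, or from the Linux kernel; the rules it encodes (legacy `kexec_load` refused under lockdown because its image cannot be verified, `kexec_file_load` accepted under lockdown only with a verified signature, an unsigned image accepted only on an unlocked kernel with no enforcement) are my reading of the discussion and are assumptions, as are the function and field names and the parsing of the `/sys/kernel/security/lockdown` line.

```python
"""Decision model for kexec under Linux lockdown (constructed example).

Assumptions, not kernel code: the policy below mirrors the module rule
discussed in the thread. It is meant to make the proposal concrete, not
to describe what kernel/kexec_file.c actually does.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LOCKED_MODES = ("integrity", "confidentiality")


def parse_lockdown(sysfs_text: str) -> str:
    """Return the active mode from the sysfs lockdown format.

    The file lists all modes and brackets the active one, e.g.
    'none [integrity] confidentiality' -> 'integrity'.
    """
    for tok in sysfs_text.split():
        if tok.startswith("[") and tok.endswith("]"):
            return tok[1:-1]
    raise ValueError(f"no active lockdown mode in {sysfs_text!r}")


@dataclass
class KexecRequest:
    # "kexec_load" is the legacy syscall (kexec without -s); it hands the
    # kernel raw segments, so there is nothing to verify.
    # "kexec_file_load" (kexec -s) passes a file the kernel can check.
    syscall: str
    # True: signature present and valid; False: present but invalid;
    # None: image carries no signature at all.  (Assumed field.)
    signature_verified: Optional[bool] = None


def kexec_allowed(req: KexecRequest, lockdown_mode: str,
                  sig_enforce: bool = False) -> Tuple[bool, str]:
    """Decide whether the request should be honoured.

    sig_enforce models an always-on signature requirement (the analogue of
    enforcing module signatures regardless of lockdown).
    """
    locked = lockdown_mode in LOCKED_MODES
    if req.syscall == "kexec_load":
        if locked:
            return False, "legacy kexec_load refused: image cannot be verified"
        return True, "legacy kexec_load accepted on unlocked kernel"
    if req.syscall != "kexec_file_load":
        raise ValueError(f"unknown syscall {req.syscall!r}")
    if req.signature_verified is True:
        return True, "signed image verified"
    if sig_enforce:
        return False, "signature enforcement on: unsigned or invalid image refused"
    if locked:
        return False, "lockdown requires a verified signature on kexec_file_load"
    return True, "unlocked kernel: unsigned image accepted"


def thread_scenarios():
    """Evaluate the cases the thread is arguing about (constructed input)."""
    sysfs = "none [integrity] confidentiality"  # constructed sysfs content
    mode = parse_lockdown(sysfs)
    signed = KexecRequest("kexec_file_load", signature_verified=True)
    unsigned = KexecRequest("kexec_file_load", signature_verified=None)
    legacy = KexecRequest("kexec_load")
    return {
        "locked_signed": kexec_allowed(signed, mode)[0],
        "locked_unsigned": kexec_allowed(unsigned, mode)[0],
        "locked_legacy": kexec_allowed(legacy, mode)[0],
        "unlocked_unsigned": kexec_allowed(unsigned, "none")[0],
        "unlocked_unsigned_enforced": kexec_allowed(unsigned, "none", True)[0],
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:28s} {'allowed' if ok else 'refused'}")
```

The model makes the trade-off in the thread explicit: with lockdown active only the signed `kexec_file_load` path survives, which keeps kdump and kexec usable in a locked-down CoCo guest while closing the route Alexander describes (replacing the measured environment with an arbitrary one). Whether the initramfs is covered depends on the image format; a UKI bundles kernel and initramfs under one signature, which is why the reply mentions it.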