On Tue, 29 Nov 2022 14:44:50 +0100 Philipp Rudo <prudo@xxxxxxxxxx> wrote:

> An alternative approach and sort of compromise I see is to convert
> kexec_load_disabled from a simple on/off switch to a counter on how
> often a kexec load can be made (in practice a tristate on/off/one-shot
> should be sufficient). Ideally the reboot and panic paths will
> have separate counters. With that you could for example use
> kexec_load_limit.reboot=0 and kexec_load_limit.panic=1 to disable the
> load of images for reboot while still allowing a crash kernel to be
> loaded once. With this you have the flexibility you need while also
> preventing a race where an attacker overwrites your crash kernel before
> you can toggle the switch. What do you think?

I actually like this idea :-)

-- Steve
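The counter semantics proposed above, as an added userspace model that is not code from this thread or from the kernel: two per-path counters (reboot and panic), -1 meaning unlimited, 0 meaning disabled, N meaning N more loads are permitted, each successful load consuming one. The names kexec_limit_set, kexec_limit_consume, KEXEC_PATH_REBOOT and KEXEC_PATH_PANIC are hypothetical. One rule here is an assumption the message does not spell out but that the race argument depends on: once a limit has been set below unlimited it can only be lowered, never raised back, otherwise whoever can write the sysctl can reopen the window the one-shot was meant to close.

```c
/*
 * Added example: a userspace model of the kexec_load_limit proposal.
 * Not kernel code. All function and constant names are hypothetical.
 */
#include <stdbool.h>
#include <stdio.h>

#define KEXEC_LIMIT_UNLIMITED (-1)   /* like a boot without any limit set */

enum kexec_path { KEXEC_PATH_REBOOT = 0, KEXEC_PATH_PANIC = 1 };

struct kexec_limits {
	int limit[2];   /* indexed by enum kexec_path; -1 unlimited, 0 closed, N loads left */
};

/*
 * Model of a boot-parameter or sysctl write (kexec_load_limit.reboot=0 etc.).
 * Assumption: a limit may only go down. Raising it, or returning it to
 * unlimited, is refused so an attacker with sysctl access cannot reopen
 * the load path after the legitimate crash kernel has been loaded.
 * Returns 0 on success, -1 on a rejected write.
 */
int kexec_limit_set(struct kexec_limits *l, enum kexec_path p, int new_limit)
{
	int cur = l->limit[p];

	if (new_limit < KEXEC_LIMIT_UNLIMITED)
		return -1;
	if (cur != KEXEC_LIMIT_UNLIMITED &&
	    (new_limit == KEXEC_LIMIT_UNLIMITED || new_limit > cur))
		return -1;
	l->limit[p] = new_limit;
	return 0;
}

/*
 * Model of the check a kexec_load()/kexec_file_load() for path p would do.
 * Returns 0 and consumes one slot if the load is allowed, -1 if refused.
 */
int kexec_limit_consume(struct kexec_limits *l, enum kexec_path p)
{
	if (l->limit[p] == KEXEC_LIMIT_UNLIMITED)
		return 0;
	if (l->limit[p] == 0)
		return -1;
	l->limit[p]--;
	return 0;
}

/*
 * The scenario from the message: reboot=0, panic=1. The admin loads the
 * crash kernel once; afterwards neither a second panic-path load nor any
 * reboot-path load is possible, and the panic limit cannot be raised again.
 * Returns true if the model enforces exactly that.
 */
bool scenario_one_shot_crash_kernel(void)
{
	struct kexec_limits l = { { KEXEC_LIMIT_UNLIMITED, KEXEC_LIMIT_UNLIMITED } };

	if (kexec_limit_set(&l, KEXEC_PATH_REBOOT, 0) != 0)
		return false;
	if (kexec_limit_set(&l, KEXEC_PATH_PANIC, 1) != 0)
		return false;
	if (kexec_limit_consume(&l, KEXEC_PATH_PANIC) != 0)      /* admin loads crash kernel */
		return false;
	if (kexec_limit_consume(&l, KEXEC_PATH_PANIC) != -1)     /* attacker cannot replace it */
		return false;
	if (kexec_limit_consume(&l, KEXEC_PATH_REBOOT) != -1)    /* reboot path closed from the start */
		return false;
	if (kexec_limit_set(&l, KEXEC_PATH_PANIC, 1) != -1)      /* cannot reopen the one-shot */
		return false;
	if (kexec_limit_set(&l, KEXEC_PATH_PANIC, 0) != 0)       /* lowering further is fine */
		return false;
	return true;
}

int main(void)
{
	printf("one-shot crash kernel policy holds: %s\n",
	       scenario_one_shot_crash_kernel() ? "yes" : "no");
	return 0;
}
```

The point of the model is the ordering: the counter must be consumed by the load itself, not toggled afterwards by userspace, which is exactly the gap kexec_load_disabled leaves open between loading the crash kernel and flipping the switch.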