Jiri Bohac <jbohac@xxxxxxx> wrote:

> > Having said that, I do see your point, I think. We should still let through
> > validly signed images, even if signatures aren't mandatory in lockdown mode.
>
> Yes, to be clear, the problem I'm trying to fix is:
> - without CONFIG_KEXEC_VERIFY_SIG kexec in a locked down kernel
>   will not work at all -> every distro that wants to support
>   secureboot will need to enable CONFIG_KEXEC_VERIFY_SIG;
>
> - once CONFIG_KEXEC_VERIFY_SIG is enabled, kexec images need to
>   be signed even if secureboot is not used
>
> The problem is that CONFIG_KEXEC_VERIFY_SIG enables both the
> implementation and the enforcement of the signature checking.

Yep. I understand that.

> What I'm proposing are new config options that allow a kernel to
> be compiled in such a way that:
> - kexec works even without signatures if secureboot is off
> - kexec works with secureboot but requires signed images

Agreed to both of those. I also agree with making it possible to
configurationally require signatures, which your first patch does.

> The semantics should be the same as with signed modules, because
> requiring kexec signatures when you can load unsigned modules is
> futile. But with your original patchset, that's exactly what
> distro kernels will be doing when booted with secureboot off,
> MODULE_SIG_FORCE=n and KEXEC_VERIFY_SIG=y.

I should fix that.

David
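The two policies argued over above, as an added model that is not kernel code and not Jiri's patch: the "old" decision treats CONFIG_KEXEC_VERIFY_SIG as both implementation and enforcement, the "new" one enforces only under secure boot or an explicit force option. The `kexec_sig_force` knob, the assumption that module signatures are enforced under secure boot, and every function name here are illustrative assumptions; only the Kconfig symbols quoted in the thread are real.

```c
/* Added illustration, not kernel code: a model of the kexec signature
 * policies discussed in the thread. The kexec_sig_force knob, the
 * module-signing rule and all function names are assumptions. */
#include <stdbool.h>
#include <stdio.h>

enum verdict { DENY = 0, ALLOW = 1 };

struct build_config {
    bool kexec_verify_sig;  /* CONFIG_KEXEC_VERIFY_SIG: verification code built in */
    bool kexec_sig_force;   /* assumed new option: always require kexec signatures */
    bool module_sig_force;  /* CONFIG_MODULE_SIG_FORCE: always require module sigs */
};

/* Original semantics: KEXEC_VERIFY_SIG is implementation and enforcement. */
static enum verdict kexec_old(const struct build_config *c, bool secure_boot,
                              bool sig_valid)
{
    if (!c->kexec_verify_sig)
        return secure_boot ? DENY : ALLOW;  /* locked down: nothing can be verified */
    return sig_valid ? ALLOW : DENY;        /* enforced even with secure boot off */
}

/* Proposed semantics: a valid signature always passes; an unsigned image is
 * refused only when signatures are required (secure boot or forced). */
static enum verdict kexec_new(const struct build_config *c, bool secure_boot,
                              bool sig_valid)
{
    bool verified = c->kexec_verify_sig && sig_valid;
    bool required = c->kexec_sig_force || secure_boot;
    if (verified)
        return ALLOW;
    return required ? DENY : ALLOW;
}

/* Assumed module rule used as the reference point: signatures are required
 * when forced at build time or when booted with secure boot. */
static bool module_sig_required(const struct build_config *c, bool secure_boot)
{
    return c->module_sig_force || secure_boot;
}

/* The futility case from the thread: kexec refuses an unsigned image while an
 * unsigned module would still load. Returns true when the policy is stricter
 * for kexec than for modules. */
static bool kexec_stricter_than_modules(enum verdict (*kexec)(const struct build_config *,
                                                              bool, bool),
                                        const struct build_config *c, bool secure_boot)
{
    bool kexec_requires = kexec(c, secure_boot, false) == DENY;
    return kexec_requires && !module_sig_required(c, secure_boot);
}

int main(void)
{
    /* Constructed distro-style config from the thread: KEXEC_VERIFY_SIG=y,
     * MODULE_SIG_FORCE=n, no force option set. */
    struct build_config distro = { .kexec_verify_sig = true,
                                   .kexec_sig_force = false,
                                   .module_sig_force = false };
    bool sb;

    for (sb = false; ; sb = true) {
        printf("secure_boot=%d unsigned: old=%s new=%s stricter-than-modules: old=%d new=%d\n",
               sb,
               kexec_old(&distro, sb, false) == ALLOW ? "allow" : "deny",
               kexec_new(&distro, sb, false) == ALLOW ? "allow" : "deny",
               kexec_stricter_than_modules(kexec_old, &distro, sb),
               kexec_stricter_than_modules(kexec_new, &distro, sb));
        if (sb)
            break;
    }
    return 0;
}
```

With secure boot off the old policy denies the unsigned image while modules load unsigned, which is the mismatch the reply concedes; the new policy allows it and only starts refusing once secure boot is on, where modules are refused too.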