Hi Jan,

On Fri, 22 Sept 2023 at 13:19, Jan Hendrik Farr <kernel@xxxxxxxx> wrote:
>
> Hi Pingfan!
>
> On 21 21:37:01, Pingfan Liu wrote:
> > From: Pingfan Liu <piliu@xxxxxxxxxx>
> >
> > For security boot, the vmlinuz.efi will be signed so UEFI boot loader
> > can check against it. But at present, there is no signature for kexec
> > file load, this series makes a signature on the zboot's payload -- Image
> > before it is compressed. As a result, the kexec-tools parses and
> > decompresses the Image.gz to get the Image, which has signature and can
> > be checked against during kexec file load
>
> I missed some of the earlier discussion about this zboot kexec support.
> So just let me know if I'm missing something here. You were exploring
> these two options in getting this supported:
>
> 1. Making kexec_file_load do all the work.
>
> This option makes the signature verification easy. kexec_file_load
> checks the signature on the pe file and then extracts it and does the
> kexec.
>
> This is similar to how I'm approaching UKI support in [1].
>
> 2. Extract in userspace and pass decompressed kernel to kexec_file_load
>
> This option requires the decompressed kernel to have a valid signature on
> it. That's why this patch adds the ability to add that signature to the
> kernel contained inside the zboot image.
>
> This option would not make sense for UKI support as it would not
> validate the signature with respect to the initrd and cmdline that it
> contains.

Another possibility for the cmdline could be using the bootconfig
facility which was introduced for boot time tracking:

Documentation/admin-guide/bootconfig.rst

So the initrd+cmdline can be signed as well. Has this been discussed
before for UKI?

Thanks
Dave