On Thu, 22 Aug 2024 at 18:56, Jan Hendrik Farr <kernel@xxxxxxxx> wrote:
>
> Hi Dave,
>
> > I forgot why we can not just extract the kernel from UKI and then load
> > it directly, if the embedded kernel is also signed it should be good?
>
> The problem is that in the basic usecase for UKI you only sign the entire
> UKI PE file and not the included kernel, because you only want that kernel
> to be run with that one initrd and that one kernel cmdline.

Hmm, as I replied to Pingfan, I thought that both the included kernel and UKI
can be signed, and for the kdump case kexec_file_load can be used simply.

>
> So at a minimum you have to have the signature on the whole UKI checked by
> the kernel and then have the kernel extract UKI into its parts unless you
> somehow want to extend trust into userspace to have a helper program do that.

Extending trust into userspace is hard; previously, when Vivek created
kexec_file_load, this was explored and he gave up on this option. :(

Pingfan, nice to see you have something done as a POC at least, and good to
see this topic is live. I just have some worries about the complexity of
the emulator though.

Thanks
Dave