On Mon, Jul 22, 2013 at 02:54:41PM -0400, Vivek Goyal wrote:
On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote:
[..]
Have you considered a non-cryptographic solution, like a physical presence check to (temporarily) disable Secure Boot so that the kexec restriction no longer applies? This could be a fallback option if the original plan turns out to be too brittle/complex.
I think kyle has a patch which will allow disabling secureboot restriction if one is on console. I will have to look into details and see how can I make use of it in kexec code to relax signature restrictions if user is on physical console.
http://pkgs.fedoraproject.org/cgit/kernel.git/tree/devel-sysrq-secure-boot-2...
It still needs a bit of work for edge cases, but seems to work ok in some simple VM testing.
--Kyle