On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote:
[..]
Have you considered a non-cryptographic solution, like a physical presence check to (temporarily) disable Secure Boot so that the kexec restriction no longer applies? This could be a fallback option if the original plan turns out to be too brittle/complex.
I think kyle has a patch which will allow disabling secureboot restriction if one is on console. I will have to look into details and see how can I make use of it in kexec code to relax signature restrictions if user is on physical console.
[CC kyle]
Thanks Vivek