vgoyal wrote:
[...]
Have you considered a non-cryptographic solution, like a physical presence check to (temporarily) disable Secure Boot so that the kexec restriction no longer applies? [...]
I think kyle has a patch which will allow disabling secureboot restriction if one is on console. [...]
Considering that kexec/kdump events get triggered asynchronously (whenevery the kernel panics), someone cannot be assumed to be sitting physically at the terminal, ready to press a sysrq to make that secureboot-disabling transition. (One wouldn't want to press sysrq-foo too early, since AIUI it's a one-way transition.)
- FChE