On Fri, Aug 07, 2015 at 09:09:43AM -0400, Vivek Goyal wrote:
On Fri, Aug 07, 2015 at 07:15:57AM -0400, Josh Boyer wrote:
> On Fri, Aug 7, 2015 at 3:41 AM, Dave Young <dyoung(a)redhat.com> wrote:
> > Kexec reboot in case secure boot enabled does not keep the secure boot mode
> > in new kernel, so later one can load unsigned kernel via legacy kexec_load.
> Hm. Wasn't there code being written so that one could disable legacy
> kexec and only have kexec_file? Perhaps that is queued for 4.3. I'm
> wondering if as a general security measure we want to only have
> kexec_file available in Fedora when that is possible.
The way config options are in fedora, kexec_file() enforces signature
verification. So if you disable legacy kexec, then it will not be possible
to kexec unsigned kernels.
Yes, which is what I was thinking we would want. However, I suppose
people might still wish to build and kexec unsigned kernels on non-SB
machines so that's probably not the right choice. Bummer.
I think we should be able to modify kexec_file() such that it
signature only when secureboot is enabled otherwise acts like a legacy
call. Then we should be able to get rid of legacy kexec call.
Right, but then we'd still have to carry Dave's patch because it will
run into the same issue legacy kexec has today.
But there is a long way to go before we get there. legacy call is
tested and new call is barely used anywhere. First we need to have
confidence that new call can handle most of the use cases.
Out of curiosity, does kexec-tools use the new system call by default?
I suppose that would be one way to get it tested in a broad manner.