Re: [RFC] Second attempt at kernel secure boot support

From: Jiri Kosina
Date: Sat Nov 03 2012 - 19:10:01 EST

Next message: Mladen Mijatov: "[PATCH] Staging: rtl8187se: Fixed coding style issues."
Previous message: Sasha Levin: "Re: [PATCH 21/21] TTY: move tty buffers to tty_port"
In reply to: Vivek Goyal: "Re: [RFC] Second attempt at kernel secure boot support"
Next in thread: Eric W. Biederman: "Re: [RFC] Second attempt at kernel secure boot support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2 Nov 2012, Vivek Goyal wrote:

> > With secure boot enabled, then the kernel should refuse to let an
> > unsigned kexec load new images, and kexec itself should refuse to
> > load unsigned images.
>
> Yep, good in theory. Now that basically means reimplementing kexec-tools
> in kernel.

Why is "when kernel has been securely booted, the in-kernel kexec
mechanism has to verify the signature of the supplied image before
kexecing it" not enough? (basically the same thing we are doing for signed
modules already).

--
Jiri Kosina
SUSE Labs
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mladen Mijatov: "[PATCH] Staging: rtl8187se: Fixed coding style issues."
Previous message: Sasha Levin: "Re: [PATCH 21/21] TTY: move tty buffers to tty_port"
In reply to: Vivek Goyal: "Re: [RFC] Second attempt at kernel secure boot support"
Next in thread: Eric W. Biederman: "Re: [RFC] Second attempt at kernel secure boot support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]