Re: [Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdump implementation

From: H. Peter Anvin
Date: Fri Jan 11 2013 - 16:15:06 EST

Next message: Rafael J. Wysocki: "Re: [RFC PATCH v2 01/12] Add sys_hotplug.h for system device hotplug framework"
Previous message: Yinghai Lu: "Re: [PATCH] x86 e820: only void usable memory areas inmemmap=exactmap case"
In reply to: Vivek Goyal: "Re: [Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdumpimplementation"
Next in thread: H. Peter Anvin: "Re: [Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdump implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/11/2013 01:08 PM, Vivek Goyal wrote:

A signed /sbin/kexec would realistically have to be statically linked,
at least in the short term; otherwise the libraries and ld.so would need
verification as well.

Yes. That's the expectation. Sign only statically linked exeutables which
don't do any of dlopen() stuff either.

In fact in the patch, I fail the exec() if signed executable has
interpreter.

As I said, though (and possibly not for kexec, that depends): in the long term we probably want a way to be able to sign all kinds binaries in the system.

-hpa

--
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rafael J. Wysocki: "Re: [RFC PATCH v2 01/12] Add sys_hotplug.h for system device hotplug framework"
Previous message: Yinghai Lu: "Re: [PATCH] x86 e820: only void usable memory areas inmemmap=exactmap case"
In reply to: Vivek Goyal: "Re: [Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdumpimplementation"
Next in thread: H. Peter Anvin: "Re: [Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdump implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]