[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87390ok0zy.fsf@xmission.com>
Date: Sun, 04 Nov 2012 22:38:41 -0800
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Jiri Kosina <jkosina@...e.cz>
Cc: Vivek Goyal <vgoyal@...hat.com>,
Chris Friesen <chris.friesen@...band.com>,
Pavel Machek <pavel@....cz>,
Eric Paris <eparis@...isplace.org>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Oliver Neukum <oneukum@...e.de>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Matthew Garrett <mjg59@...f.ucam.org>,
Josh Boyer <jwboyer@...il.com>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Jiri Kosina <jkosina@...e.cz> writes:
> On Fri, 2 Nov 2012, Vivek Goyal wrote:
>
>> > With secure boot enabled, then the kernel should refuse to let an
>> > unsigned kexec load new images, and kexec itself should refuse to
>> > load unsigned images.
>>
>> Yep, good in theory. Now that basically means reimplementing kexec-tools
>> in kernel.
>
> Why is "when kernel has been securely booted, the in-kernel kexec
> mechanism has to verify the signature of the supplied image before
> kexecing it" not enough? (basically the same thing we are doing for signed
> modules already).
For modules the only untrusted part of their environment are the command
line parameters, and several of those have already been noted for
needing to be ignored in a non-trusted root scenario.
For kexec there is a bunch of glue code and data that takes care of
transitioning from the environment provided by kexec and the environment
that the linux kernel or memtest86 or whatever we are booting is
expecting.
Figuring out what glue code and data we need and supplying that glue
code and data is what kexec-tools does. The situation is a bit like
dealing with the modules before most of the work of insmod was moved
into the kernel.
For kexec-tools it is desirable to have glue layers outside of the
kernel because every boot system in existence has a different set of
parameter passing rules.
So signing in the kernel gets us into how do we sign the glue code and
how dow we verify the glue code will jump to our signed and verified
kernel image.
I will be happy to review patches for that don't through the baby out
with the bath water.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists