[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20131122010311.GZ5274@outflux.net>
Date: Thu, 21 Nov 2013 17:03:11 -0800
From: Kees Cook <keescook@...omium.org>
To: Greg KH <greg@...ah.com>
Cc: Vivek Goyal <vgoyal@...hat.com>, linux-kernel@...r.kernel.org,
kexec@...ts.infradead.org, ebiederm@...ssion.com, hpa@...or.com,
mjg59@...f.ucam.org
Subject: Re: [PATCH 4/6] kexec: A new system call, kexec_file_load, for in
kernel kexec
Hi,
On Thu, Nov 21, 2013 at 11:03:50AM -0800, Greg KH wrote:
> On Wed, Nov 20, 2013 at 12:50:49PM -0500, Vivek Goyal wrote:
> > This patch implements the in kernel kexec functionality. It implements a
> > new system call kexec_file_load. I think parameter list of this system
> > call will change as I have not done the kernel image signature handling
> > yet. I have been told that I might have to pass the detached signature
> > and size as part of system call.
>
> This could be done as we do with modules, and just tack the signature
> onto the end of the 'blob' of the image. That way we could use the same
> tool to sign the binary as we do for modules, and save the need for
> extra parameters in the syscall.
As long as the system call passing in an fd, I'm all good. For those
of us that run from verified filesystems, we don't need the additional
signing overhead, but we do need the file descriptor to validate the
origin of the kernel.
-Kees
--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists