Date:	Tue, 17 Jun 2014 10:24:19 -0400
From:	Vivek Goyal <vgoyal@...hat.com>
To:	Dave Young <dyoung@...hat.com>
Cc:	linux-kernel@...r.kernel.org, kexec@...ts.infradead.org,
	ebiederm@...ssion.com, hpa@...or.com, mjg59@...f.ucam.org,
	greg@...ah.com, bp@...en8.de, jkosina@...e.cz, chaowang@...hat.com,
	bhe@...hat.com, akpm@...ux-foundation.org
Subject: Re: [RFC PATCH 00/13][V3] kexec: A new system call to allow in
 kernel loading

On Thu, Jun 12, 2014 at 01:42:03PM +0800, Dave Young wrote:
> On 06/03/14 at 09:06am, Vivek Goyal wrote:
> > Hi,
> > 
> > This is V3 of the patchset. Previous versions were posted here.
> > 
> > V1: https://lkml.org/lkml/2013/11/20/540
> > V2: https://lkml.org/lkml/2014/1/27/331
> > 
> > Changes since v2:
> > 
> > - Took care of most of the review comments from V2.
> > - Added support for kexec/kdump on EFI systems.
> > - Dropped support for loading ELF vmlinux.
> > 
> > This patch series is generated on top of 3.15.0-rc8. It also requires a
> > two patch cleanup series which is sitting in -tip tree here.
> > 
> > https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/log/?h=x86/boot
> > 
> > This patch series does not do kernel signature verification yet. I plan
> > to post another patch series for that. Now that bzImage is already signed
> > with a PKCS7 signature, I plan to parse and verify those signatures.
> > 
> > Primary goal of this patchset is to prepare groundwork so that kernel
> > image can be signed and signatures be verified during kexec load. This
> > should help with two things.
> > 
> > - It should allow kexec/kdump on secureboot enabled machines.
> > 
> > - In general it can help even without secureboot. By being able to verify
> >   kernel image signature in kexec, it should help with avoiding module
> >   signing restrictions. Matthew Garrett showed how to boot into a custom
> >   kernel, modify first kernel's memory and then jump back to old kernel and
> >   bypass any policy one wants to.
> > 
> > Any feedback is welcome.
> 
> Hi, Vivek
> 
> For efi ioremapping case, in 3.15 kernel efi runtime maps will not be saved
> if efi=old_map is used. So you need to detect this and fail the kexec file load.

Dave,

Instead of failing kexec load in case of efi=old_map, I think it will be
better to just not pass the runtime map in bootparams. That way the user can
pass "noefi" on the command line and kdump should still work. (Like it works
with the user space implementation.)

What do you think?

Thanks
Vivek