Re: [PATCH 00/15][V4] kexec: A new system call to allow in kernel loading

From: Vivek Goyal
Date: Fri Jun 27 2014 - 07:34:04 EST


On Thu, Jun 26, 2014 at 01:58:11PM -0700, Andrew Morton wrote:
> On Thu, 26 Jun 2014 16:33:29 -0400 Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>
> > This patch series does not do kernel signature verification yet. I plan
> > to post another patch series for that. Now distributions are already signing
> > PE/COFF bzImage with PKCS7 signature I plan to parse and verify those
> > signatures.
> >
> > Primary goal of this patchset is to prepare groundwork so that kernel
> > image can be signed and signatures be verified during kexec load. This
> > should help with two things.
> >
> > - It should allow kexec/kdump on secureboot enabled machines.
> >
> > - In general it can help even without secureboot. By being able to verify
> > kernel image signature in kexec, it should help with avoiding module
> > signing restrictions. Matthew Garret showed how to boot into a custom
> > kernel, modify first kernel's memory and then jump back to old kernel and
> > bypass any policy one wants to.
> >
> > I hope these patches can be queued up for 3.17. Even without signature
> > verification support, they provide new syscall functionality. But I
> > wil leave it to maintainers to decide if they want signature verification
> > support also be ready to merge before they merge this patchset.
>
> Well, this is an absolute ton of new code, much of it pretty complex.
> And I believe the entire point of this work is to enable image
> signature checking, but that hasn't been implemented yet?

I have a patchset which works. But it requires more work. I will do
remaining work and clean it up and post for review.

>
> In which case I'm thinking it would be unwise to merge these parts into
> mainline - if signature checking doesn't work or fails review or if you
> get hit by a bus then we'd be left with a large lump of rather useless
> code?
>
> In which case I'm inclined to put this series into -next and keep it
> there pending completion of the signature checking part.

Agreed. Primary purpose of this patch series is to be able to do signature
verification of kernel during kexec. So it will make sense to first have
some sort of consensus on signature verification patches. Otherwise we
might be stuck with this 3.5K lines of code if things go south w.r.t
signature verification.

Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/