Re: [RFC 0/3] extend kexec_file_load system call

From: Dave Young
Date: Wed Jul 13 2016 - 04:37:03 EST


[snip]
> Now, going back to the more fundamental issue raised in my first reply,
> about the kernel command line.
>
> On x86, I can see that it _is_ possible for userspace to specify a
> command line, and the kernel loading the image provides the command
> line to the to-be-kexeced kernel with very little checking. So, if
> your kernel is signed, what stops the "insecure userspace" loading
> a signed kernel but giving it an insecure rootfs and/or console?

The kexec_file_load syscall was introduced for secure boot in the first
place. In the case of UEFI secure boot, the signature verification chain only
covers kernel mode binaries. I think there is such a problem in both normal
boot and kexec boot.

Thanks
Dave
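An added example (not code from the thread or from the kernel tree) illustrating the point above: the only checks kexec_file_load applies to the command line it is handed are structural, so the content of root=, console= or init= is passed through to the next kernel. The `cmdline_is_well_formed` helper mirrors the length and NUL-termination checks in kernel/kexec_file.c and the x86 bzImage loader (assumptions: a Linux x86-64 build environment, and the x86 value of COMMAND_LINE_SIZE, 2048). The `do_kexec_file_load` wrapper shows the syscall shape; actually invoking it requires CAP_SYS_BOOT and a kernel image fd, and `main` only exercises the check on constructed strings.

```c
/* Added example, not part of the thread or the kernel source.
 * Assumptions: Linux, x86-64 headers; COMMAND_LINE_SIZE is 2048 on x86. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* uapi linux/kexec.h flag values, defined here so the file is self-contained */
#ifndef KEXEC_FILE_UNLOAD
#define KEXEC_FILE_UNLOAD       0x00000001
#define KEXEC_FILE_ON_CRASH     0x00000002
#define KEXEC_FILE_NO_INITRAMFS 0x00000004
#endif

/* x86 value of COMMAND_LINE_SIZE (assumption: x86 target). */
#define X86_COMMAND_LINE_SIZE 2048

/* Mirrors the structural checks the kernel applies to the cmdline buffer:
 * non-empty, length includes the terminating NUL, and it fits the command
 * line area. Returns 0 or a negative errno, in the kernel's style.
 * Note what is NOT here: nothing looks at what root=, console= or init= say. */
int cmdline_is_well_formed(const char *buf, unsigned long len)
{
    if (buf == NULL || len == 0)
        return -EINVAL;
    if (len > X86_COMMAND_LINE_SIZE)
        return -EINVAL;
    if (buf[len - 1] != '\0')          /* last byte must be NUL */
        return -EINVAL;
    return 0;
}

/* Thin wrapper over the raw syscall; needs CAP_SYS_BOOT and a kernel image fd.
 * On a signature-enforcing kernel the image itself must verify, but the
 * cmdline content goes through unchanged once the checks above pass. */
long do_kexec_file_load(int kernel_fd, int initrd_fd, const char *cmdline,
                        unsigned long flags)
{
    unsigned long len = strlen(cmdline) + 1;   /* cmdline_len includes the NUL */
    int rc = cmdline_is_well_formed(cmdline, len);
    if (rc < 0) {
        errno = -rc;
        return -1;
    }
#ifdef __NR_kexec_file_load
    return syscall(__NR_kexec_file_load, kernel_fd, initrd_fd, len, cmdline, flags);
#else
    (void)kernel_fd; (void)initrd_fd; (void)flags;
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample command lines; nothing is loaded here. */
    const char good[] = "root=/dev/sda2 ro console=ttyS0";
    const char unterminated[] = { 'r', 'o', 'o', 't', '=' };

    printf("well-formed:  %d\n", cmdline_is_well_formed(good, sizeof good));
    printf("unterminated: %d\n", cmdline_is_well_formed(unterminated, sizeof unterminated));
    printf("too long:     %d\n", cmdline_is_well_formed(good, X86_COMMAND_LINE_SIZE + 1));
    return 0;
}
```

Because the kernel-side checks stop at shape, any policy on which root, console or init values a signed kernel may be handed has to be enforced outside the syscall, e.g. by the privileged tool that calls it or by the next kernel's own configuration.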