Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down

[David Howells]

Jiri Bohac <jbohac@xxxxxxx> wrote:

> > Having said that, I do see your point, I think.  We should still let through
> > validly signed images, even if signatures aren't mandatory in lockdown mode.
> 
> yes, to be clear, the problem I'm trying to fix is:
> - without CONFIG_KEXEC_VERIFY_SIG kexec in a locked down kernel
>   will not work at all -> every distro that wants to support
>   secureboot will need to enable CONFIG_KEXEC_VERIFY_SIG;
> 
> - once CONFIG_KEXEC_VERIFY_SIG is enabled, kexec images need to
>   be signed even if secureboot is not used
>
> The problem is that CONFIG_KEXEC_VERIFY_SIG enables both the
> implementation and the enforcement of the signature checking.

Yep.  I understand that.

> What I'm proposing are new config options that allow a kernel to
> be compiled in such a way that:
> - kexec works even without signatures if secureboot is off
> - kexec works with secureboot but requires signed images

Agreed to both of those.  I also agree with making it possible to
configurationally require signatures, which your first patch does.

> The semantics should be the same as with signed modules, because
> requiring kexec signatures when you can load unsigned modules is
> futile. But with your original patchset, that's exactly what
> distro kernels will be doing when booted with secureboot off,
> MODULE_SIG_FORCE=n and KEXEC_VERIFY_SIG=y.

I should fix that.

David