Re: [RFCv2 0/9] UEFI emulator for kexec

From: Dave Young
Date: Thu Aug 22 2024 - 08:05:03 EST

On Thu, 22 Aug 2024 at 18:56, Jan Hendrik Farr <kernel@xxxxxxxx> wrote:
> Hi Dave,
> > I forgot why we can not just extract the kernel from UKI and then load
> > it directly, if the embedded kernel is also signed it should be good?
> The problem is that in the basic use case for UKI you only sign the entire
> UKI PE file and not the included kernel, because you only want that kernel
> to be run with that one initrd and that one kernel cmdline.

Hmm, as replied to Pingfan, I thought that both the included kernel and
UKI can be signed, and for the kdump case kexec_file_load can be used.

> So at a minimum you have to have the signature on the whole UKI checked by
> the kernel and then have the kernel extract UKI into its parts unless you
> somehow want to extend trust into userspace to have a helper program do that.

Extending trust into userspace is hard. Previously, when Vivek created
kexec_file_load, this was explored and he gave up on this option. :(

Pingfan, nice to see you have something done as a POC at least, and
good to see this topic is live. I just have some worries about the
complexity of the emulator though.
