kexec.lists.infradead.org archive mirror
 help / color / mirror / Atom feed
From: Vivek Goyal <vgoyal@redhat.com>
To: Jiri Kosina <jkosina@suse.cz>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>,
	Kees Cook <keescook@chromium.org>,
	Greg Kroah-Hartman <greg@kroah.com>,
	kexec@lists.infradead.org,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Geert Uytterhoeven <geert@linux-m68k.org>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH 0/6] kexec: A new system call to allow in kernel loading
Date: Fri, 22 Nov 2013 10:33:50 -0500	[thread overview]
Message-ID: <20131122153349.GH4046@redhat.com> (raw)
In-Reply-To: <alpine.LNX.2.00.1311221449120.22082@pobox.suse.cz>

On Fri, Nov 22, 2013 at 02:50:43PM +0100, Jiri Kosina wrote:
> On Fri, 22 Nov 2013, Vivek Goyal wrote:
> 
> > > OTOH, does this feature make any sense whatsover on architectures that 
> > > don't support secure boot anyway?
> > 
> > I guess if signed modules makes sense, then being able to kexec signed
> > kernel images should make sense too, in general.
> 
> Well, that's really a grey zone, I'd say.
> 
> In a non-secureboot environment, if you are root, you are able to issue 
> reboot into a completely different, self-made kernel anyway, independent 
> on whether signed modules are used or not.

That's a good poing. Frankly speaking I don't know if there is a good
use case to allow loading signed kernels only or not.

Kees mentioned that he would like to know where the kernel came from
and whether it came from trusted disk or not. So he does seem to have
a use case where he wants to launch only trusted kernel or deny execution.

Thanks
Vivek

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

  reply	other threads:[~2013-11-22 16:27 UTC|newest]

Thread overview: 90+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-11-20 17:50 [PATCH 0/6] kexec: A new system call to allow in kernel loading Vivek Goyal
2013-11-20 17:50 ` [PATCH 1/6] kexec: Export vmcoreinfo note size properly Vivek Goyal
2013-11-21 18:59   ` Greg KH
2013-11-21 19:08     ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 2/6] kexec: Move segment verification code in a separate function Vivek Goyal
2013-11-20 17:50 ` [PATCH 3/6] resource: Provide new functions to walk through resources Vivek Goyal
2013-11-20 17:50 ` [PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec Vivek Goyal
2013-11-21 19:03   ` Greg KH
2013-11-21 19:06     ` Matthew Garrett
2013-11-21 19:13       ` Vivek Goyal
2013-11-21 19:19         ` Matthew Garrett
2013-11-21 19:24           ` Vivek Goyal
2013-11-22 18:57           ` Vivek Goyal
2013-11-23  3:39             ` Eric W. Biederman
2013-11-25 16:39               ` Vivek Goyal
2013-11-26 12:23                 ` Eric W. Biederman
2013-11-26 14:27                   ` Vivek Goyal
2013-12-19 12:54                     ` Torsten Duwe
2013-12-20 14:19                       ` Vivek Goyal
2013-12-20 23:11                         ` Eric W. Biederman
2013-12-20 23:20                           ` Kees Cook
2013-12-21 11:38                             ` Torsten Duwe
2014-01-02 20:39                             ` Vivek Goyal
2014-01-02 20:56                               ` H. Peter Anvin
2014-01-06 21:33                                 ` Josh Boyer
2014-01-07  4:22                                   ` H. Peter Anvin
2013-12-20 23:20                           ` H. Peter Anvin
2013-12-21  1:32                             ` Eric W. Biederman
2013-12-21  3:32                               ` H. Peter Anvin
2013-12-21 12:15                                 ` Torsten Duwe
2013-11-21 19:16     ` Vivek Goyal
2013-11-22  1:03     ` Kees Cook
2013-11-22  2:13       ` Vivek Goyal
2013-11-22 20:42   ` Jiri Kosina
2014-01-17 19:17     ` Vivek Goyal
2013-11-29  3:10   ` Baoquan He
2013-12-02 15:27     ` WANG Chao
2013-12-02 15:44     ` Vivek Goyal
2013-12-04  1:35       ` Baoquan He
2013-12-04 17:19         ` Vivek Goyal
2013-12-04  1:56   ` Baoquan He
2013-12-04  8:19     ` Baoquan He
2013-12-04 17:32     ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 5/6] kexec-bzImage: Support for loading bzImage using 64bit entry Vivek Goyal
2013-11-21 19:07   ` Greg KH
2013-11-21 19:21     ` Vivek Goyal
2013-11-22 15:24       ` H. Peter Anvin
2013-11-28 11:35   ` Baoquan He
2013-12-02 15:36     ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 6/6] kexec: Support for Kexec on panic using new system call Vivek Goyal
2013-11-28 11:28   ` Baoquan He
2013-12-02 15:30     ` Vivek Goyal
2013-12-04  1:51       ` Baoquan He
2013-12-04 17:20         ` Vivek Goyal
2013-12-04  1:41   ` Baoquan He
2013-12-04 17:19     ` Vivek Goyal
2013-11-21 18:58 ` [PATCH 0/6] kexec: A new system call to allow in kernel loading Greg KH
2013-11-21 19:07   ` Vivek Goyal
2013-11-21 19:46     ` Vivek Goyal
2013-11-21 19:06 ` Geert Uytterhoeven
2013-11-21 19:14   ` Vivek Goyal
2013-11-21 23:07 ` Eric W. Biederman
2013-11-22  1:28   ` H. Peter Anvin
2013-11-22  2:35     ` Vivek Goyal
2013-11-22  2:40       ` H. Peter Anvin
2013-11-22  1:55   ` Vivek Goyal
2013-11-22  9:09     ` Geert Uytterhoeven
2013-11-22 13:30       ` Jiri Kosina
2013-11-22 13:46         ` Vivek Goyal
2013-11-22 13:50           ` Jiri Kosina
2013-11-22 15:33             ` Vivek Goyal [this message]
2013-11-22 17:45               ` Kees Cook
2013-11-22 13:43       ` Vivek Goyal
2013-11-22 15:25         ` Geert Uytterhoeven
2013-11-22 15:33           ` Jiri Kosina
2013-11-22 15:57             ` Eric Paris
2013-11-22 16:04               ` Jiri Kosina
2013-11-22 16:08                 ` Vivek Goyal
2013-11-22 13:34     ` Eric W. Biederman
2013-11-22 14:19       ` Vivek Goyal
2013-11-22 19:48         ` Greg KH
2013-11-23  3:23         ` Eric W. Biederman
2013-12-04 19:34           ` Vivek Goyal
2013-12-05  4:10             ` Eric W. Biederman
2013-11-25 10:04       ` Michael Holzheu
2013-11-25 15:36         ` Vivek Goyal
2013-11-25 16:15           ` Michael Holzheu
2013-11-22  0:55 ` HATAYAMA Daisuke
2013-11-22  2:03   ` Vivek Goyal
2013-12-03 13:23 ` Baoquan He

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20131122153349.GH4046@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=geert@linux-m68k.org \
    --cc=greg@kroah.com \
    --cc=hpa@zytor.com \
    --cc=jkosina@suse.cz \
    --cc=keescook@chromium.org \
    --cc=kexec@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mjg59@srcf.ucam.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).