From: Vivek Goyal <vgoyal@redhat.com>
To: Kees Cook <keescook@chromium.org>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>, Greg KH <greg@kroah.com>,
kexec@lists.infradead.org, LKML <linux-kernel@vger.kernel.org>,
Peter Jones <pjones@redhat.com>, Torsten Duwe <duwe@lst.de>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec
Date: Thu, 2 Jan 2014 15:39:12 -0500 [thread overview]
Message-ID: <20140102203912.GB22822@redhat.com> (raw)
In-Reply-To: <CAGXu5jKJ88J-++nvkPVvghkXbN+_mB=T1siSDF7yoXQ-d-ONxg@mail.gmail.com>
On Fri, Dec 20, 2013 at 03:20:16PM -0800, Kees Cook wrote:
> On Fri, Dec 20, 2013 at 3:11 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
> > Vivek Goyal <vgoyal@redhat.com> writes:
> >
> >> On Thu, Dec 19, 2013 at 01:54:39PM +0100, Torsten Duwe wrote:
> >>> On Tue, Nov 26, 2013 at 09:27:59AM -0500, Vivek Goyal wrote:
> >
> >>> IMO it's up to user land to search lists of certificates, and present
> >>> only the final chain of trust to the kernel for checking.
> >>>
> >>> ELF is the preferred format for most sane OSes and firmware, and a detached
> >>> signature would probably be simplest to check. If we have the choice,
> >>> without restrictions from braindead boot loaders, ELF should be first.
> >>> And if the pesigning isn't usable and another sig is needed anyway,
> >>> why not apply that to vmlinux(.gz) ?
> >>
> >> I have yet to look deeper into it that if we can sign elf images and
> >> just use elf loader. And can use space extract the elf image out of
> >> a bzImage and pass it to kernel.
> >>
> >> Even if it is doable, one disadvantage seemed to be that extracted
> >> elf images will have to be written to a file so thta it's file descriptor
> >> can be passed to kernel. And that assumed writable root and we chrome
> >> folks seems to have setups where root is not writable.
> >
> > In that case the chrome folks would simply have to use an ELF format
> > kernel and not a bzImage.
>
> If we're doing fd origin verification (not signatures), can't we
> continue to use a regular bzImage?
If secureboot is enabled, it enforces module signature verification. I
think similar will happen for kexec too. How would kernel know that on
a secureboot platform fd original verification will happen and it is
sufficient.
I personally want to support bzImage as well (apart from ELF) because
distributions has been shipping bzImage for a long time and I don't
want to enforce a change there because of secureboot. It is not necessary.
Right now I am thinking more about storing detached bzImage signatures
and passing those signatures to kexec system call.
Thanks
Vivek
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2014-01-02 20:39 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-20 17:50 [PATCH 0/6] kexec: A new system call to allow in kernel loading Vivek Goyal
2013-11-20 17:50 ` [PATCH 1/6] kexec: Export vmcoreinfo note size properly Vivek Goyal
2013-11-21 18:59 ` Greg KH
2013-11-21 19:08 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 2/6] kexec: Move segment verification code in a separate function Vivek Goyal
2013-11-20 17:50 ` [PATCH 3/6] resource: Provide new functions to walk through resources Vivek Goyal
2013-11-20 17:50 ` [PATCH 4/6] kexec: A new system call, kexec_file_load, for in kernel kexec Vivek Goyal
2013-11-21 19:03 ` Greg KH
2013-11-21 19:06 ` Matthew Garrett
2013-11-21 19:13 ` Vivek Goyal
2013-11-21 19:19 ` Matthew Garrett
2013-11-21 19:24 ` Vivek Goyal
2013-11-22 18:57 ` Vivek Goyal
2013-11-23 3:39 ` Eric W. Biederman
2013-11-25 16:39 ` Vivek Goyal
2013-11-26 12:23 ` Eric W. Biederman
2013-11-26 14:27 ` Vivek Goyal
2013-12-19 12:54 ` Torsten Duwe
2013-12-20 14:19 ` Vivek Goyal
2013-12-20 23:11 ` Eric W. Biederman
2013-12-20 23:20 ` Kees Cook
2013-12-21 11:38 ` Torsten Duwe
2014-01-02 20:39 ` Vivek Goyal [this message]
2014-01-02 20:56 ` H. Peter Anvin
2014-01-06 21:33 ` Josh Boyer
2014-01-07 4:22 ` H. Peter Anvin
2013-12-20 23:20 ` H. Peter Anvin
2013-12-21 1:32 ` Eric W. Biederman
2013-12-21 3:32 ` H. Peter Anvin
2013-12-21 12:15 ` Torsten Duwe
2013-11-21 19:16 ` Vivek Goyal
2013-11-22 1:03 ` Kees Cook
2013-11-22 2:13 ` Vivek Goyal
2013-11-22 20:42 ` Jiri Kosina
2014-01-17 19:17 ` Vivek Goyal
2013-11-29 3:10 ` Baoquan He
2013-12-02 15:27 ` WANG Chao
2013-12-02 15:44 ` Vivek Goyal
2013-12-04 1:35 ` Baoquan He
2013-12-04 17:19 ` Vivek Goyal
2013-12-04 1:56 ` Baoquan He
2013-12-04 8:19 ` Baoquan He
2013-12-04 17:32 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 5/6] kexec-bzImage: Support for loading bzImage using 64bit entry Vivek Goyal
2013-11-21 19:07 ` Greg KH
2013-11-21 19:21 ` Vivek Goyal
2013-11-22 15:24 ` H. Peter Anvin
2013-11-28 11:35 ` Baoquan He
2013-12-02 15:36 ` Vivek Goyal
2013-11-20 17:50 ` [PATCH 6/6] kexec: Support for Kexec on panic using new system call Vivek Goyal
2013-11-28 11:28 ` Baoquan He
2013-12-02 15:30 ` Vivek Goyal
2013-12-04 1:51 ` Baoquan He
2013-12-04 17:20 ` Vivek Goyal
2013-12-04 1:41 ` Baoquan He
2013-12-04 17:19 ` Vivek Goyal
2013-11-21 18:58 ` [PATCH 0/6] kexec: A new system call to allow in kernel loading Greg KH
2013-11-21 19:07 ` Vivek Goyal
2013-11-21 19:46 ` Vivek Goyal
2013-11-21 19:06 ` Geert Uytterhoeven
2013-11-21 19:14 ` Vivek Goyal
2013-11-21 23:07 ` Eric W. Biederman
2013-11-22 1:28 ` H. Peter Anvin
2013-11-22 2:35 ` Vivek Goyal
2013-11-22 2:40 ` H. Peter Anvin
2013-11-22 1:55 ` Vivek Goyal
2013-11-22 9:09 ` Geert Uytterhoeven
2013-11-22 13:30 ` Jiri Kosina
2013-11-22 13:46 ` Vivek Goyal
2013-11-22 13:50 ` Jiri Kosina
2013-11-22 15:33 ` Vivek Goyal
2013-11-22 17:45 ` Kees Cook
2013-11-22 13:43 ` Vivek Goyal
2013-11-22 15:25 ` Geert Uytterhoeven
2013-11-22 15:33 ` Jiri Kosina
2013-11-22 15:57 ` Eric Paris
2013-11-22 16:04 ` Jiri Kosina
2013-11-22 16:08 ` Vivek Goyal
2013-11-22 13:34 ` Eric W. Biederman
2013-11-22 14:19 ` Vivek Goyal
2013-11-22 19:48 ` Greg KH
2013-11-23 3:23 ` Eric W. Biederman
2013-12-04 19:34 ` Vivek Goyal
2013-12-05 4:10 ` Eric W. Biederman
2013-11-25 10:04 ` Michael Holzheu
2013-11-25 15:36 ` Vivek Goyal
2013-11-25 16:15 ` Michael Holzheu
2013-11-22 0:55 ` HATAYAMA Daisuke
2013-11-22 2:03 ` Vivek Goyal
2013-12-03 13:23 ` Baoquan He
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140102203912.GB22822@redhat.com \
--to=vgoyal@redhat.com \
--cc=duwe@lst.de \
--cc=ebiederm@xmission.com \
--cc=greg@kroah.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=kexec@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).