Re: [PATCH v4 5/5] kexec: document -s, -c and -a options.

["Michal Suchánek" <msuchanek@suse.de>]

On Fri, 16 Mar 2018 14:51:14 +0800
Dave Young <dyoung@redhat.com> wrote:

> On 03/15/18 at 12:44pm, Michal Suchánek wrote:
> > On Wed, 14 Mar 2018 15:50:31 +0800
> > Dave Young <dyoung@redhat.com> wrote:
> >   
> > > On 03/14/18 at 08:25am, Michal Suchánek wrote:  
> > > > On Wed, 14 Mar 2018 11:41:30 +0800
> > > > Dave Young <dyoung@redhat.com> wrote:
> > > >     
> > > > > On 03/06/18 at 02:15pm, Michal Suchanek wrote:    
> > > > > > Signed-off-by: Michal Suchanek <msuchanek@suse.de>
> > > > > > ---
> > > > > >  kexec/kexec.8 | 15 +++++++++++++++
> > > > > >  1 file changed, 15 insertions(+)
> > > > > > 
> > > > > > diff --git a/kexec/kexec.8 b/kexec/kexec.8
> > > > > > index e0131b4ea827..b3543db3f413 100644
> > > > > > --- a/kexec/kexec.8
> > > > > > +++ b/kexec/kexec.8
> > > > > > @@ -144,6 +144,21 @@ Load the new kernel for use on panic.
> > > > > >  Specify that the new kernel is of this
> > > > > >  .I type.
> > > > > >  .TP
> > > > > > +.BI \-s\ (\-\-kexec-file-syscall)
> > > > > > +Specify that the new KEXEC_FILE_LOAD syscall should be used
> > > > > > exclusively.      
> > > > > 
> > > > > Maybe better to be simple like below:
> > > > > "Use kexec_file_load syscall to load the new kernel."
> > > > > 
> > > > >     
> > > > > > +.TP
> > > > > > +.BI \-c\ (\-\-kexec-syscall)
> > > > > > +Specify that the old KEXEC_LOAD syscall should be used
> > > > > > exclusively (the default).      
> > > > > 
> > > > > similarly:
> > > > > "Use kexec_load syscall to load the new kernel."
> > > > >     
> > > > > > +.TP
> > > > > > +.BI \-a\ (\-\-kexec-syscall-auto)
> > > > > > +Try the new simpler KEXEC_FILE_LOAD syscall first and if
> > > > > > it is not supported +fall back to the old KEXEC_LOAD
> > > > > > interface. +
> > > > > > +There is no one single interface that always works.
> > > > > > KEXEC_FILE_LOAD is required +on systems that use locked-down
> > > > > > secure boot to verify the kernel signature. +KEXEC_LOAD is
> > > > > > required for some kernel image formats and on architectures
> > > > > > that +do not support KEXEC_FILE_LOAD.      
> > > > > 
> > > > > It seems not good to say kexec_file_load is simpler and newer.
> > > > > Also it is not a must for Secure Boot and locked down kernel
> > > > > only. So it would be better to just simplify and use the first
> > > > > paragraph:
> > > > > 
> > > > > "Try kexec_file_load syscall first and if it is not supported
> > > > > fall back to the kexec_load syscall"    
> > > > 
> > > > There was a request for explanation so just the first paragraph
> > > > will not do. What is it required for other than secure boot?    
> > > 
> > > People can use kexec -s to load a signed kernel but not necessary
> > > to boot with Secure Boot enabled.  
> > 
> > Is booting signed kernel without -s not supported? If so I would
> > consider it kexec-tools bug. And it should documented then as well I
> > guess.  
> 
> I'm not sure I understand the question.  In kernel we splitted kexec
> and kexec_file they can be enabled as kernel config options
> separately.  If one want to a secured kexec (not UEFI Secure Boot,
> only signed kernel loading) then one can only enable
> CONFIG_KEXEC_FILE but disable CONFIG_KEXEC.  In this case without
> '-s' load will fail.  But if one enabled both CONFIG_KEXEC_FILE and
> CONFIG_KEXEC then kexec load without '-s' still works.

This is currently not supported by kexec-tools. Status does not use
KEXEC_FILE

Thanks

Michal

_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec