From mboxrd@z Thu Jan 1 00:00:00 1970
From: Vivek Goyal
Subject: Re: [Xen-devel] [PATCH v3 00/11] xen: Initial kexec/kdump implementation
Date: Fri, 11 Jan 2013 16:08:01 -0500
Message-ID: <20130111210801.GC12019@redhat.com>
References: <50E6F81D02000078000B3245@nat28.tlf.novell.com>
 <20130104170751.GB3472@host-192-168-1-59.local.net-space.pl>
 <20130104191146.GC6721@phenom.dumpdata.com>
 <20130107123404.GA2927@host-192-168-1-59.local.net-space.pl>
 <20130107162018.GJ3219@phenom.dumpdata.com>
 <87ehhsqrpr.fsf@xmission.com>
 <20130111165506.GD25620@phenom.dumpdata.com>
 <87k3rjtqi7.fsf@xmission.com>
 <20130111205232.GC17126@redhat.com>
 <50F07E2D.6010602@zytor.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
In-Reply-To: <50F07E2D.6010602-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
Sender: kexec-bounces-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org
Errors-To: kexec-bounces+glkk-kexec=m.gmane.org-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org
To: "H. Peter Anvin"
Cc: "xen-devel-GuqFBffKawuULHF6PoxzQEEOCMrvLtNR@public.gmane.org",
 Konrad Rzeszutek Wilk, Andrew Cooper, Daniel Kiper,
 "x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org",
 "kexec-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org",
 "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org",
 "virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org",
 David Howells, "mingo-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org",
 "Eric W. Biederman", Jan Beulich,
 "maxim.uvarov-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org",
 "tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org"
List-Id: xen-devel@lists.xenproject.org

On Fri, Jan 11, 2013 at 01:03:41PM -0800, H. Peter Anvin wrote:
> On 01/11/2013 12:52 PM, Vivek Goyal wrote:
> >
> > Eric,
> >
> > In a private conversation, David Howells suggested why not pass kernel
> > signature in a segment to kernel and kernel can do the verification.
> >
> > /sbin/kexec signature is verified by kernel at exec() time. Then
> > /sbin/kexec just passes one signature segment (after regular segment) for
> > each segment being loaded. The segments which don't have signature,
> > are passed with section size 0. And signature passing behavior can be
> > controlled by one new kexec flag.
> >
> > That way /sbin/kexec does not have to worry about doing any verification
> > by itself. In fact, I am not sure how it can do the verification when
> > crypto libraries it will need are not signed (assuming they are not
> > statically linked in).
> >
> > What do you think about this idea?
> >
>
> A signed /sbin/kexec would realistically have to be statically linked,
> at least in the short term; otherwise the libraries and ld.so would need
> verification as well.

Yes. That's the expectation. Sign only statically linked executables which
don't do any of dlopen() stuff either. In fact in the patch, I fail the
exec() if signed executable has interpreter.

Thanks
Vivek
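
Added example, not part of the message above and not code from the patch under discussion: a userspace check, run before a binary is signed, for the condition described in the reply (a signed executable must not request an interpreter). The helper name `elf64_signable` is an assumption; it handles 64-bit little-endian ELF only and cannot detect dlopen() use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_INTERP_TYPE 3u   /* ELF p_type value of PT_INTERP */

/* Read an n-byte little-endian integer from the untrusted image. */
static uint64_t rd_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n-- > 0) v = (v << 8) | p[n];
    return v;
}

/* Hypothetical helper (name is an assumption, not from the patch).
 * 1 = no PT_INTERP, 0 = PT_INTERP present, -1 = malformed or unsupported. */
int elf64_signable(const uint8_t *img, size_t len) {
    if (len < 64 || memcmp(img, "\177ELF", 4) != 0)
        return -1;
    if (img[4] != 2 || img[5] != 1)            /* ELFCLASS64, ELFDATA2LSB only */
        return -1;
    uint64_t phoff = rd_le(img + 32, 8);       /* e_phoff */
    uint64_t phentsize = rd_le(img + 54, 2);   /* e_phentsize */
    uint64_t phnum = rd_le(img + 56, 2);       /* e_phnum */
    /* 56 = sizeof(Elf64_Phdr); 0xffff = PN_XNUM, not handled here. */
    if (phentsize < 56 || phnum == 0 || phnum == 0xffff)
        return -1;
    /* Bounds-check the whole program header table before reading it. */
    if (phoff > len || phnum * phentsize > len - phoff)
        return -1;
    for (uint64_t i = 0; i < phnum; i++)
        if (rd_le(img + phoff + i * phentsize, 4) == PT_INTERP_TYPE)
            return 0;                          /* requests an interpreter */
    return 1;
}

/* Usage: pass the path of the binary (only the first 64 KiB is read). */
int main(int argc, char **argv) {
    static uint8_t buf[65536];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: interp-check <elf-file>\n"); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int r = elf64_signable(buf, n);
    puts(r == 1 ? "no interpreter" : r == 0 ? "has PT_INTERP" : "not a usable ELF64");
    return r == 1 ? 0 : 1;
}
```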