[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security
Cong Wang
xiyou.wangcong at gmail.com
Sat Jun 23 09:15:19 UTC 2012
On Fri, Jun 22, 2012 at 1:48 PM, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> On Fri, Jun 22, 2012 at 10:23:03AM +0800, Cong Wang wrote:
>> On 06/22/2012 04:45 AM, Matthew Garrett wrote:
>> >Discussion:
>> >
>> >We need to talk about what the kernel needs to provide for UEFI secure
>> >boot to be possible, since the alternative is miserable failure and
>> >Linux no longer working on x86 unless people play with the firmware.
>> >That's going to involve at the very least locking down module loading
>> >and various kernel interfaces, but figuring out what else needs to be
>> >covered is fairly important.
>> >
>>
>> Hi, Matthew,
>>
>> I would like to see how this affects kexec reboot.
>
> Kexec kernels are going to have to be signed in the same way that
> modules are, but I suspect there's also some subtleties in the handover
> protocol.
>
At least /sbin/kexec needs to be patched to verify the sign key?
More information about the Ksummit-2012-discuss
mailing list