[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

Steven Rostedt rostedt at goodmis.org
Wed Jun 27 17:14:13 UTC 2012


On Sat, 2012-06-23 at 15:47 +0100, Matthew Garrett wrote:
> On Sat, Jun 23, 2012 at 05:15:19PM +0800, Cong Wang wrote:
> > On Fri, Jun 22, 2012 at 1:48 PM, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> > > Kexec kernels are going to have to be signed in the same way that
> > > modules are, but I suspect there's also some subtleties in the handover
> > > protocol.
> > >
> > 
> > At least /sbin/kexec needs to be patched to verify the sign key?
> 
> We can't trust userspace verification. The kernel needs to verify it as 
> well.
> 

I'm curious, on a crash, will the verification take place just before it
boots the new kernel? Or is there going to be verification ahead of
time, and we just trust that nothing can touch that memory?

-- Steve



