On Wed, 10 Jan 2018 10:12:39 +0100, Steffen Winterfeldt wrote:
On Tuesday 2018-01-09 15:10, Takashi Iwai wrote:
On Tue, 09 Jan 2018 15:00:39 +0100, Ludwig Nussel wrote:
Hi,
In bug https://bugzilla.opensuse.org/show_bug.cgi?id=1075051#c3 Steffen suspects different settings for kexec with secure boot enabled in Leap 15 vs TW. Is that the case? If so, intentional?
SLE and Leap contain more secure boot patches than TW. It's because the lock-down patches are still not accepted by upstream. And, one of them is indeed to disable kexec_load syscall in secure boot.
But note that the kexec_load_file syscall is still allowed in secure boot mode. So if kexec loads the kernel with -s option, it should work on SLE/Leap, too.
Seems not to work:
# exec -s -l /download/file_0000 --initrd=/download/file_0001
kexec_file_load failed: Operation not permitted
Ah, it must be specific to Leap 15.0, then. It's missing CONFIG_KEXEC_VERIFY_SIG=y (while SLE-15 has it). There is another lock-down patch to disable kexec_load_file() in secure boot mode unless CONFIG_KEXEC_VERIFY_SIG is set.

But a slight concern is whether enabling this would cause another problem. I remember vaguely that we had to disable this option for openSUSE intentionally for some reason.

Anyway, care to open a bugzilla entry and put Joey and me on Cc?

thanks,

Takashi
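Added example, not part of the thread or of the openSUSE kernel sources: a shell check that models the behaviour described above for a kernel carrying the lock-down patches (kexec_load refused under secure boot, kexec_file_load permitted only with CONFIG_KEXEC_VERIFY_SIG=y). The function names are hypothetical, and it assumes a plain-text kernel config at /boot/config-$(uname -r) and ignores any other kexec restrictions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): predict which kexec syscall a
# kernel with the lock-down patches from this thread would permit.

# kconfig_enabled FILE SYMBOL: succeeds only if FILE contains "SYMBOL=y".
# "# SYMBOL is not set" lines and SYMBOL=m do not match.
kconfig_enabled() {
    grep -q "^$2=y\$" "$1"
}

# secure_boot_state: prints 1 if UEFI secure boot is enabled, else 0.
# efivarfs prefixes the variable with 4 attribute bytes; byte 5 is the value.
secure_boot_state() {
    sbvar=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ -r "$sbvar" ]; then
        sbval=$(od -An -tu1 -j4 -N1 "$sbvar" | tr -d ' \n')
        echo "${sbval:-0}"
    else
        echo 0
    fi
}

# kexec_policy CONFIG_FILE SECURE_BOOT(0|1)
# Prints "kexec_load=<allowed|denied> kexec_file_load=<allowed|denied>".
kexec_policy() {
    kp_load=denied
    kp_file=denied
    if [ "$2" = 1 ]; then
        # Secure boot: kexec_load is disabled outright; kexec_file_load
        # (kexec -s) is only usable when image signatures are verified.
        if kconfig_enabled "$1" CONFIG_KEXEC_FILE &&
           kconfig_enabled "$1" CONFIG_KEXEC_VERIFY_SIG; then
            kp_file=allowed
        fi
    else
        # No secure boot: the lock-down restrictions do not apply.
        if kconfig_enabled "$1" CONFIG_KEXEC; then kp_load=allowed; fi
        if kconfig_enabled "$1" CONFIG_KEXEC_FILE; then kp_file=allowed; fi
    fi
    echo "kexec_load=$kp_load kexec_file_load=$kp_file"
}

# Report for the running system when its config file is readable.
running_cfg=/boot/config-$(uname -r)
if [ -r "$running_cfg" ]; then
    kexec_policy "$running_cfg" "$(secure_boot_state)"
fi
```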