On Wed, 10 Jan 2018 12:46:30 +0100, Jiri Bohac wrote:
> On Wed, Jan 10, 2018 at 11:29:40AM +0100, Takashi Iwai wrote:
> > Ah, it must be specific to Leap 15.0, then. It's missing CONFIG_KEXEC_VERIFY_SIG=y (while SLE-15 has it). There is another lock-down patch to disable kexec_load_file() in secure boot mode unless CONFIG_KEXEC_VERIFY_SIG is set.
>
> right; I find this a PITA, since it prevents you from loading an unsigned kexec/kdump kernel even when secure boot is off and that really sucks for testing and compiling own kernels, because it forces you to sign them for no good reason.
>
> With modules, we have separate MODULE_SIG and MODULE_SIG_FORCE. The former implements the signing, which is only enforced with either MODULE_SIG_FORCE, module.sig_enforce boot param or with kernel_is_locked_down (secureboot).
>
> We don't compile with MODULE_SIG_FORCE.
>
> I think that KEXEC_VERIFY_SIG should be similarly split to KEXEC_SIG and KEXEC_SIG_FORCE and we should not compile with KEXEC_SIG_FORCE. The signing would again be enforced by kernel_is_locked_down.
>
> Does that make sense?

One difference in the case of kexec is that there are actually two routes, and one could use the old kexec method for unsigned kernels. And, as discussed in bsc#947816, a part of the problem is that user-space doesn't treat it properly without a fallback mechanism.

Takashi
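
The enforcement rules described in this thread, written out as a config audit. This is an added example, not code from the thread or from the kernel; the function names, the policy labels and the sample config are constructed for illustration, and the kexec rules cover only the behaviour the messages above describe.

```shell
#!/bin/sh
# Constructed sample config: module signing built in but not forced,
# kexec signature verification not built (the Leap 15.0 case in the thread).
SAMPLE_CONFIG='CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_KEXEC_VERIFY_SIG is not set'

# config_on CONFIG_TEXT OPTION: succeeds if CONFIG_<OPTION>=y is present.
config_on() {
    printf '%s\n' "$1" | grep -qx "CONFIG_$2=y"
}

# module_policy CONFIG_TEXT CMDLINE LOCKED_DOWN(0|1)
# Signatures are enforced by MODULE_SIG_FORCE, the module.sig_enforce
# boot parameter, or a locked-down (secure boot) kernel.
module_policy() {
    if ! config_on "$1" MODULE_SIG; then echo "no-signature-support"; return 0; fi
    if config_on "$1" MODULE_SIG_FORCE; then echo "enforced"; return 0; fi
    case " $2 " in
        *" module.sig_enforce "*|*" module.sig_enforce=1 "*) echo "enforced"; return 0 ;;
    esac
    if [ "$3" = 1 ]; then echo "enforced"; return 0; fi
    echo "checked-not-enforced"
}

# kexec_file_policy CONFIG_TEXT LOCKED_DOWN(0|1)
# With KEXEC_VERIFY_SIG a signature is always required; without it the
# lock-down patch disables kexec_load_file() in secure boot mode.
kexec_file_policy() {
    if config_on "$1" KEXEC_VERIFY_SIG; then echo "signature-required"; return 0; fi
    if [ "$2" = 1 ]; then echo "disabled"; return 0; fi
    echo "unsigned-allowed"
}

# Print the resulting policy for the sample config, unlocked and locked down.
for locked in 0 1; do
    echo "locked_down=$locked modules=$(module_policy "$SAMPLE_CONFIG" "" "$locked")" \
         "kexec_file=$(kexec_file_policy "$SAMPLE_CONFIG" "$locked")"
done
```

To audit a real system, pass the text of the running kernel's config and the contents of /proc/cmdline instead of the sample values.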