On Wed, Jan 10, 2018 at 11:29:40AM +0100, Takashi Iwai wrote:
> Ah, it must be specific to Leap 15.0, then. It's missing CONFIG_KEXEC_VERIFY_SIG=y (while SLE-15 has it). There is another lock-down patch to disable kexec_load_file() in secure boot mode unless CONFIG_KEXEC_VERIFY_SIG is set.

Right; I find this a PITA, since it prevents you from loading an unsigned kexec/kdump kernel even when secure boot is off, and that really sucks for testing and compiling your own kernels, because it forces you to sign them for no good reason.

With modules, we have separate MODULE_SIG and MODULE_SIG_FORCE. The former implements the signing, which is only enforced with either MODULE_SIG_FORCE, the module.sig_enforce boot param or with kernel_is_locked_down (secureboot). We don't compile with MODULE_SIG_FORCE.

I think that KEXEC_VERIFY_SIG should be similarly split to KEXEC_SIG and KEXEC_SIG_FORCE and we should not compile with KEXEC_SIG_FORCE. The signing would again be enforced by kernel_is_locked_down.

Does that make sense?

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, Prague, Czechia
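
The following is an added illustration, not part of the original message and not kernel code: a small C model that contrasts the single-option behaviour described in the thread with the proposed KEXEC_SIG / KEXEC_SIG_FORCE split. The enum names, the struct and the verdict returned when enforcement is on but no verifier is built in are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the policy discussed in the thread; not kernel code. */
enum sig_state { SIG_VALID, SIG_MISSING, SIG_INVALID };
enum verdict   { LOAD_OK, REJECT_BAD_SIG, REJECT_DISABLED };

/* Single-option behaviour as described: KEXEC_VERIFY_SIG=y always enforces;
 * without it, the lock-down patch disables kexec_load_file() when locked down. */
enum verdict kexec_current(bool verify_sig, bool locked_down, enum sig_state s)
{
    if (verify_sig)
        return s == SIG_VALID ? LOAD_OK : REJECT_BAD_SIG;
    return locked_down ? REJECT_DISABLED : LOAD_OK;
}

/* Proposed split, mirroring MODULE_SIG / MODULE_SIG_FORCE. */
struct kexec_policy {
    bool sig;         /* KEXEC_SIG: verification code is built in */
    bool sig_force;   /* KEXEC_SIG_FORCE: enforce unconditionally */
    bool locked_down; /* kernel_is_locked_down(), e.g. secure boot */
};

enum verdict kexec_proposed(const struct kexec_policy *p, enum sig_state s)
{
    bool enforce = p->sig_force || p->locked_down;

    if (p->sig && s == SIG_VALID)
        return LOAD_OK;
    if (!enforce)
        return LOAD_OK;          /* unsigned test kernels still load */
    /* Enforcing: a bad or missing signature is rejected; with no verifier
     * built in, the load is refused outright (assumption of this model). */
    return p->sig ? REJECT_BAD_SIG : REJECT_DISABLED;
}

int main(void)
{
    static const char *name[] = { "ok", "reject: signature", "reject: disabled" };
    struct kexec_policy dev = { true, false, false }, sb = { true, false, true };

    printf("current,  secure boot off, unsigned: %s\n",
           name[kexec_current(true, false, SIG_MISSING)]);
    printf("proposed, secure boot off, unsigned: %s\n",
           name[kexec_proposed(&dev, SIG_MISSING)]);
    printf("proposed, secure boot on,  unsigned: %s\n",
           name[kexec_proposed(&sb, SIG_MISSING)]);
    return 0;
}
```

The only row that changes between the two functions is the unsigned or badly signed image on a system that is not locked down; under lockdown both still refuse it.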