On Wed, Jan 10, 2018 at 11:29:40AM +0100, Takashi Iwai wrote:
> Ah, it must be specific to Leap 15.0, then.
> It's missing CONFIG_KEXEC_VERIFY_SIG=y (while SLE-15 has it).
> There is another lock-down patch to disable kexec_load_file() in
> secure boot mode unless CONFIG_KEXEC_VERIFY_SIG is set.
Right; I find this a PITA, since it prevents you from loading an
unsigned kexec/kdump kernel even when secure boot is off and that
really sucks for testing and compiling your own kernels, because it
forces you to sign them for no good reason.
With modules, we have separate MODULE_SIG and MODULE_SIG_FORCE.
The former implements the signing, which is only enforced with
either MODULE_SIG_FORCE, module.sig_enforce boot param or with
We don't compile with MODULE_SIG_FORCE.
I think that KEXEC_VERIFY_SIG should be similarly split to
KEXEC_SIG and KEXEC_SIG_FORCE and we should not compile with
KEXEC_SIG_FORCE. The signing would again be
enforced by kernel_is_locked_down.
Does that make sense?
Jiri Bohac <jbohac(a)suse.cz>
SUSE Labs, Prague, Czechia
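
An added example, not part of the original message and not SUSE or kernel code: a shell function that maps a kernel config plus lockdown state to the file-based kexec behaviour described in this thread. KEXEC_SIG and KEXEC_SIG_FORCE are the option names proposed in the message (hypothetical here); the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Classify file-based kexec policy from a kernel .config, using only the
# rules stated in the thread. KEXEC_SIG / KEXEC_SIG_FORCE are the proposed
# split and are treated as hypothetical option names.

# cfg_on FILE OPTION -> success if FILE contains CONFIG_OPTION=y
cfg_on() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# kexec_file_policy FILE LOCKED_DOWN(0|1)
# prints one of: unrestricted | signed-only | disabled
kexec_file_policy() {
    cfg=$1
    locked=$2
    if cfg_on "$cfg" KEXEC_VERIFY_SIG || cfg_on "$cfg" KEXEC_SIG_FORCE; then
        # Verification compiled in and always enforced: unsigned images
        # are rejected even when secure boot is off.
        echo signed-only
    elif cfg_on "$cfg" KEXEC_SIG; then
        # Proposed split: signature support present, enforced only when
        # the kernel is locked down.
        if [ "$locked" -eq 1 ]; then echo signed-only; else echo unrestricted; fi
    else
        # No signature support: the lock-down patch disables file-based
        # kexec entirely in secure boot mode.
        if [ "$locked" -eq 1 ]; then echo disabled; else echo unrestricted; fi
    fi
}

# Constructed sample configs (not taken from any real distribution build).
tmp=$(mktemp -d)
printf '%s\n' '# CONFIG_KEXEC_VERIFY_SIG is not set' > "$tmp/no_verify"
printf '%s\n' 'CONFIG_KEXEC_VERIFY_SIG=y' > "$tmp/verify"
printf '%s\n' 'CONFIG_KEXEC_SIG=y' '# CONFIG_KEXEC_SIG_FORCE is not set' > "$tmp/split"
for c in no_verify verify split; do
    for l in 0 1; do
        printf '%-10s locked_down=%s -> %s\n' "$c" "$l" \
            "$(kexec_file_policy "$tmp/$c" "$l")"
    done
done
rm -rf "$tmp"
```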