[PATCH 0/4] Add support for kexec_file_load
Samuel Mendoza-Jonas
sam at mendozajonas.com
Fri Mar 24 13:17:55 AEDT 2017
On Thu, 2017-03-23 at 11:46 -0500, Eric Richter wrote:
> Secure and trusted boot on POWER relies on the use of kexec_file_load over
> kexec_load, for uses such as kernel/initrd signature verification and
> measurement[1]. This patch set defines a new configuration option for toggling
> which syscall is used, or more specifically, which parameter is passed to
> kexec-{tools,lite}[2].
>
> The default state of this option is to use the regular kexec_load, unless
> otherwise enabled. On POWER, the state of this option is preserved via
> the nvram key "petitboot,fileload?", which can be set ahead of time to avoid
> traversing through menus at boot time.
>
> Thanks,
> Eric Richter
Hi Eric, thanks for the patches!
>
>
> [1] The kexec_file_load syscall was included in Linux 4.10
Ah great, I missed this getting merged.
>
> [2] Kexec-tools uses -s for kexec_file_load. Neither upstream -tools nor -lite
> implement this for POWER, though I have an open pull request for the latter here:
> https://github.com/antonblanchard/kexec-lite/pull/5
This makes more sense for later when more of the security process is
firmed up, but would it be worth adding a configure-time option to
specify if kexec_file_load() is supported by the available kexec-
{tools,lite}? Otherwise as long as we can return a useful error to the UI
if it is chosen but isn't available that should be fine.
>
>
> Eric Richter (4):
> lib: Add system config option to enable kexec_file_load
> boot/pb-discover: Use kexec_method config option to determine kexec
> syscall
> ui/ncurses: Add system config checkbox to enable kexec_file load
> petitboot-powerpc: persist kexec_method option via nvram
>
> discover/boot.c | 4 +++-
> discover/boot.h | 1 +
> discover/platform-powerpc.c | 9 +++++++++
> lib/pb-protocol/pb-protocol.c | 9 +++++++++
> lib/types/types.h | 2 ++
> ui/ncurses/nc-config.c | 24 +++++++++++++++++++++++-
> 6 files changed, 47 insertions(+), 2 deletions(-)
>
More information about the Petitboot
mailing list