[PATCH 0/4] Add support for kexec_file_load

Samuel Mendoza-Jonas sam at mendozajonas.com
Fri Mar 24 13:17:55 AEDT 2017 

On Thu, 2017-03-23 at 11:46 -0500, Eric Richter wrote:
> Secure and trusted boot on POWER relies on the use of kexec_file_load over
> kexec_load, for uses such as kernel/initrd signature verification and
> measurement[1]. This patch set defines a new configuration option for toggling
> which syscall is used, or more specifically, which parameter is passed to
> kexec-{tools,lite}[2].
> 
> The default state of this option is to use the regular kexec_load, unless
> otherwise enabled. On POWER, the state of this option is preserved via
> the nvram key "petitboot,fileload?", which can be set ahead of time to avoid
> traversing through menus at boot time.
> 
> Thanks,
> Eric Richter

Hi Eric, thanks for the patches!

> 
> 
> [1] The kexec_file_load syscall was included in Linux 4.10

Ah great, I missed this getting merged.

> 
> [2] Kexec-tools uses -s for kexec_file_load. Neither upstream -tools nor -lite
> implement this for POWER, though I have an open pull request for the latter here:
> https://github.com/antonblanchard/kexec-lite/pull/5

This makes more sense for later when more of the security process is
firmed up, but would it be worth adding a configure-time option to
specify if kexec_file_load() is supported by the available kexec-
{tools,lite}? Otherwise as long as we can return a useful error to the UI
if it is chosen but isn't available that should be fine.

> 
> 
> Eric Richter (4):
>   lib: Add system config option to enable kexec_file_load
>   boot/pb-discover: Use kexec_method config option to determine kexec
>     syscall
>   ui/ncurses: Add system config checkbox to enable kexec_file load
>   petitboot-powerpc: persist kexec_method option via nvram
> 
>  discover/boot.c               |  4 +++-
>  discover/boot.h               |  1 +
>  discover/platform-powerpc.c   |  9 +++++++++
>  lib/pb-protocol/pb-protocol.c |  9 +++++++++
>  lib/types/types.h             |  2 ++
>  ui/ncurses/nc-config.c        | 24 +++++++++++++++++++++++-
>  6 files changed, 47 insertions(+), 2 deletions(-)
>

More information about the Petitboot mailing list