[PATCH v2 0/3] Add support for kexec_file_load

Eric Richter erichte at linux.vnet.ibm.com
Fri Mar 31 05:56:21 AEDT 2017


Secure and trusted boot on POWER relies on the use of kexec_file_load over
kexec_load, for uses such as kernel/initrd signature verification and
measurement[1]. This patch set defines a new configuration option for toggling
which syscall is used, or more specifically, which parameter is passed to
kexec-{tools,lite}[2].

The default state of this option is to use the regular kexec_load, unless
otherwise enabled. On POWER, the state of this option is preserved via
the nvram key "petitboot,fileload?", which can be set ahead of time to avoid
traversing through menus at boot time.

Thanks,
Eric Richter

v2:
 - Squashed patch #4 (persist kexec_option via nvram)
    into #1 (Add system config option)
 - Renamed the 'kexec_method' variable to the more descriptive 'kexec_file'
 - Changed the config menu checkbox label from 'Use file_load' to 'Secure kexec'


[1] The kexec_file_load syscall was included in Linux 4.10

[2] Kexec-tools uses -s for kexec_file_load. Neither upstream -tools nor -lite
implement this for POWER, though I have an open pull request for the latter here:
https://github.com/antonblanchard/kexec-lite/pull/5

Eric Richter (3):
  lib: Add system config option to enable kexec_file_load
  boot/pb-discover: Use kexec_file config option to determine kexec
    syscall
  ui/ncurses: Add system config checkbox to enable kexec_file load

 discover/boot.c               |  4 +++-
 discover/boot.h               |  1 +
 discover/platform-powerpc.c   |  9 +++++++++
 lib/pb-protocol/pb-protocol.c |  9 +++++++++
 lib/types/types.h             |  2 ++
 ui/ncurses/nc-config.c        | 22 +++++++++++++++++++++-
 6 files changed, 45 insertions(+), 2 deletions(-)

-- 
2.7.4


