[PATCH 3/4] ui/ncurses: Add system config checkbox to enable kexec_file load

Eric Richter erichte at linux.vnet.ibm.com
Sat May 6 06:56:22 AEST 2017


On 05/04/2017 09:58 PM, Jeremy Kerr wrote:
> Hi Eric,
> 
>> This patch adds an option to the system configuration menu that if
>> checked, enables the use of kexec_file_load.
> 
> If possible, I'd like to avoid adding a config option for this. It's
> pretty opaque to the user, and should really be specified by the system
> integrator, not the end user.
I think it is fair to avoid having the user worry about this. In most 
cases, this option should never be touched anyway.

> That is, unless I'm missing something about why one would be chosen over
> the other. Shouldn't we always use kexec_file_load if the kernel (and
> kexec) has support for it?

There are a few differences between the two I can think of, where having 
both might be useful:

1. kexec_file_load does not support passing a device tree as an argument

2. Currently on x86, kexec_file_load always verifies the signature for 
kernels if the option is enabled in kconfig, regardless of secure boot 
mode. In other words, if secure mode is disabled (for debug, 
development, etc), the target kernel will still need to pass signature 
checks.

Note: Signature verification is currently unimplemented on Power, so 
this could change.


Now that I got the devil's advocate argument out of the way, I don't 
think either case is actually a problem. I am not sure what #1 is used 
for, and if whatever uses it couldn't be implemented elsewhere. 
Secondly, #2 is fairly edge case, where the user would probably need to 
reflash anyway.

So, I think it makes sense for it to be a compile-time option. I'll 
write up a patch for that shortly.

Thanks,
Eric Richter

> Cheers,
> 
> 
> Jeremy
> 



More information about the Petitboot mailing list