On Wed, Sep 11, 2013 at 08:37:36AM -0400, Josh Boyer wrote: > On Tue, Sep 10, 2013 at 11:02 PM, Dave Young <[email protected]> wrote: > > On 09/04/13 at 09:56pm, Vivek Goyal wrote: > >> With secureboot enabled, we don't even trust root. And when kexec is > >> launched > >> it might happen that root has already rigged /proc and /sys which kexec > >> reads to get important data. > >> > >> So create a private mount namespace which is not visible to root, unmount > >> old /proc and /sys and remount these to get to actual data kernel exported. > > > > Hello Vivek > > > > kexec will also use /sys/kernel/debug/boot_params, I want to copy efi_info > > from > > there for efi runtime support. So could you remount debugfs as well? > > Hm. That might actually be a bad thing. The debugfs filesystem is > intentionally not something userspace is supposed to rely on. The > files provided and the content within the files can and will change > significantly from kernel to kernel. > > it might be better to export boot_params in something that is > considered more stable than debugfs.
That can be an improvement. Any info kexec-tools relies on, move out of debugfs. This is more of an improvement so will leave it as TODO item for future. Thanks Vivek _______________________________________________ kernel mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/kernel
