On Fri, 2023-10-27 at 11:18 -0400, Mimi Zohar wrote:
> On Thu, 2023-10-05 at 11:25 -0700, Tushar Sugandhi wrote:
> > The current Kernel behavior is that the IMA measurements snapshot is taken at
> > kexec 'load' and not at kexec 'execute'. IMA log is then carried
> > over to the new Kernel after kexec
On Thu, 2023-10-05 at 11:25 -0700, Tushar Sugandhi wrote:
> The current Kernel behavior is that the IMA measurements snapshot is taken at
> kexec 'load' and not at kexec 'execute'. IMA log is then carried
> over to the new Kernel after kexec 'execute'.
>
> Some systems can be configured to call kexec
Hi Tushar,
On Thu, 2023-10-05 at 11:26 -0700, Tushar Sugandhi wrote:
> The window between kexec 'load' and 'execute' could be arbitrarily long.
> Even with the large chunk of memory allocated at kexec 'load', it may
> run out which would result in missing events in IMA log after the system
> soft
Hi Tushar,
On Thu, 2023-10-05 at 11:25 -0700, Tushar Sugandhi wrote:
> In the current IMA implementation, ima_dump_measurement_list() is called
> during the kexec 'load' operation. This can result in loss of IMA
> measurements taken between the 'load' and 'execute' phases when the
> system goes
On Tue, Oct 24, 2023 at 06:59:58AM -0700, Kuppuswamy Sathyanarayanan wrote:
>
>
> On 10/20/2023 8:12 AM, Kirill A. Shutemov wrote:
> > ACPI MADT doesn't allow offlining a CPU after it has been woken up. It limits
> > kexec: the second kernel won't be able to use more than one CPU.
> >
> > Now
On Tue, Oct 24, 2023 at 10:11:58AM +, Huang, Kai wrote:
>
> > --- /dev/null
> > +++ b/arch/x86/kernel/acpi/madt.S
>
> I think the name 'madt.S' is too generic. How about something more
> specific, such as madt_reset.S, or madt_playdead.S, etc?
Okay, madt_playdead.S sounds good.
> >
Hi,
I already use signed modules and do wonder if the same cert can be used
to sign the kernel, and verified by kexec when loading such a kernel.
Failing to verify a signed kernel, kexec shall not load it.
Is that doable with current kexec-tools?
If not, is there a real chance this could be