Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-18 Thread lijiang
On 2020-06-18 at 03:37, Andrew Morton wrote: > On Tue, 2 Jun 2020 12:59:52 +0800 Lianbo Jiang wrote: > >> Signature verification is an important security feature, to protect >> system from being attacked with a kernel of unknown origin. Kexec >> rebooting is a way to replace the running kernel, hence

Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-17 Thread Andrew Morton
On Tue, 2 Jun 2020 12:59:52 +0800 Lianbo Jiang wrote: > Signature verification is an important security feature, to protect > system from being attacked with a kernel of unknown origin. Kexec > rebooting is a way to replace the running kernel, hence need be > secured carefully. I'm finding this

Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-10 Thread lijiang
I just noticed that I forgot to add Eric Biederman to the cc list, so sorry for this. Thanks. Lianbo On 2020-06-02 at 12:59, Lianbo Jiang wrote: > Signature verification is an important security feature, to protect > system from being attacked with a kernel of unknown origin. Kexec > rebooting is a way

Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-08 Thread Baoquan He
On 06/02/20 at 12:59pm, Lianbo Jiang wrote: > Signature verification is an important security feature, to protect > system from being attacked with a kernel of unknown origin. Kexec > rebooting is a way to replace the running kernel, hence need be > secured carefully. > > In the current code of ha

Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-03 Thread Dave Young
On 06/02/20 at 12:59pm, Lianbo Jiang wrote: > Signature verification is an important security feature, to protect > system from being attacked with a kernel of unknown origin. Kexec > rebooting is a way to replace the running kernel, hence need be > secured carefully. > > In the current code of ha

Re: [PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-02 Thread Jiri Bohac
On Tue, Jun 02, 2020 at 12:59:52PM +0800, Lianbo Jiang wrote: > So, here, let's simplify the logic to improve code readability. If the > KEXEC_SIG_FORCE enabled or kexec lockdown enabled, signature verification > is mandated. Otherwise, we lift the bar for any kernel image. > > Signed-off-by: Lian

[PATCH v2] kexec: Do not verify the signature without the lockdown or mandatory signature

2020-06-01 Thread Lianbo Jiang
Signature verification is an important security feature, to protect system from being attacked with a kernel of unknown origin. Kexec rebooting is a way to replace the running kernel, hence need be secured carefully. In the current code of handling signature verification of kexec kernel, the logic