Thread: 6 messages, 5 authors, 2023-09-27

Re: [PATCH 0/2] Sign the Image which is zboot's payload

From: Dave Young <hidden>
Date: 2023-09-22 05:42:16
Also in: kexec, keyrings, linux-arm-kernel, linux-efi, linux-integrity

Hi Jan,

On Fri, 22 Sept 2023 at 13:19, Jan Hendrik Farr [off-list ref] wrote:
> Hi Pingfan!
>
> On 21 21:37:01, Pingfan Liu wrote:
> > From: Pingfan Liu <redacted>
> >
> > For security boot, the vmlinuz.efi will be signed so UEFI boot loader
> > can check against it. But at present, there is no signature for kexec
> > file load, this series makes a signature on the zboot's payload -- Image
> > before it is compressed. As a result, the kexec-tools parses and
> > decompresses the Image.gz to get the Image, which has signature and can
> > be checked against during kexec file load
>
> I missed some of the earlier discussion about this zboot kexec support.
> So just let me know if I'm missing something here. You were exploring
> these two options in getting this supported:
>
> 1. Making kexec_file_load do all the work.
>
> This option makes the signature verification easy. kexec_file_load
> checks the signature on the pe file and then extracts it and does the
> kexec.
>
> This is similar to how I'm approaching UKI support in [1].
>
> 2. Extract in userspace and pass decompressed kernel to kexec_file_load
>
> This option requires the decompressed kernel to have a valid signature on
> it. That's why this patch adds the ability to add that signature to the
> kernel contained inside the zboot image.
>
> This option would not make sense for UKI support as it would not
> validate the signature with respect to the initrd and cmdline that it
> contains.

Another possibility for the cmdline could be using the bootconfig
facility which was introduced for boot time tracking:
Documentation/admin-guide/bootconfig.rst

So the initrd+cmdline can be signed as well.  Has this been discussed
before for UKI?

Thanks
Dave