On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote: [..] > Have you considered a non-cryptographic solution, like a physical > presence check to (temporarily) disable Secure Boot so that the > kexec restriction no longer applies? This could be a fallback > option if the original plan turns out to be too brittle/complex.
I think kyle has a patch which will allow disabling secureboot restriction if one is on console. I will have to look into details and see how can I make use of it in kexec code to relax signature restrictions if user is on physical console. [CC kyle] Thanks Vivek -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
