On Thu, 19 Oct 2017, David Howells wrote:

> From: Matthew Garrett <matthew.garr...@nebula.com>
>
> kexec permits the loading and execution of arbitrary code in ring 0, which
> is something that lock-down is meant to prevent. It makes sense to disable
> kexec in this situation.
>
> This does not affect kexec_file_load() which can check for a signature on the
> image to be booted.
>
> Signed-off-by: Matthew Garrett <matthew.garr...@nebula.com>
> Signed-off-by: David Howells <dhowe...@redhat.com>
> Acked-by: Dave Young <dyo...@redhat.com>
> cc: ke...@lists.infradead.org

Reviewed-by: James Morris <james.l.mor...@oracle.com>

--
James Morris <james.l.mor...@oracle.com>