The Secure IPL configuration/state does not appear to persist across reboots.

Consider a guest provisioned with two bootable images: one is signed, one is not.
The stage3.bin is properly signed.

With secure_boot=on, boot the signed image, then try to load the unsigned image using kexec.

[root@localhost ~]# kexec -ld unsigned --initrd=fake.img --reuse-cmdline
Try gzip decompression.
Try zstd decompression.
Not zstd compressed
Try LZMA decompression.
lzma_decompress_file: read on unsigned of 65536 bytes failed
[  339.375817] kexec_file: kernel: 000000000915b573 kernel_size: 0xf85130
[  339.383018] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
kexec_file_load failed: Operation not permitted

Initially kexec correctly rejects loading the unsigned image.

Reboot, then re-try loading the unsigned image.

[root@localhost ~]# kexec -ld unsigned --initrd=fake.img --reuse-cmdline
Try gzip decompression.
Try zstd decompression.
Not zstd compressed
Try LZMA decompression.
lzma_decompress_file: read on unsigned of 65536 bytes failed
[   44.654152] kexec_file: kernel: 000000009fc3b80c kernel_size: 0xf85130
[   44.774975] kexec_file: nr_segments = 4
[   44.774978] kexec_file: segment[0]: buf=0x000000009fc3b80c bufsz=0xf85130 mem=0x0 memsz=0xf86000
[   44.780416] kexec_file: segment[1]: buf=0x00000000f9e1120b bufsz=0x2dd2c52 mem=0xf86000 memsz=0x2dd3000
[   44.818676] kexec_file: segment[2]: buf=0x000000004f695d01 bufsz=0x2f60 mem=0x3d59000 memsz=0x3000
[   44.818680] kexec_file: segment[3]: buf=0x000000008a75eb84 bufsz=0x138 mem=0x3d5c000 memsz=0x1000
[   44.818682] kexec_file: kexec_file_load: type:0, start:0x0 head:0x9c2a002 flags:0x8
[root@localhost ~]#

After reboot the unsigned image loads, and kexec -e can be used to bypass Secure IPL settings.

Regards,
Jared Rossi
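
A regression check for the behaviour reported above, as an added example that is not part of the original message or of any project's code: it classifies each kexec_file_load attempt in a kernel log and flags the case where a load rejected before the reboot succeeds after it. It assumes the kexec_file debug lines that `kexec -d` emits in the report; the function names and log file names are hypothetical, and the sample logs are constructed by trimming the two sessions quoted above.

```shell
#!/bin/sh
# Added example: classify kexec_file_load attempts in kernel log text and
# compare the verdict from before and after a reboot.

# Print one verdict per load attempt read from stdin:
#   rejected = lockdown refused the image, loaded = segments were accepted,
#   unknown  = an attempt started but neither outcome line followed.
classify_kexec_load() {
    awk '
        /kexec_file: kernel: /                          { if (pending) print "unknown"; pending = 1 }
        pending && /Lockdown: kexec: /                  { print "rejected"; pending = 0 }
        pending && /kexec_file: kexec_file_load: type:/ { print "loaded"; pending = 0 }
        END { if (pending) print "unknown" }
    '
}

# $1 = log captured before the reboot, $2 = log captured after it.
# Returns 1 when the last attempt was rejected before and loaded after.
enforcement_persists() {
    before=$(classify_kexec_load < "$1" | tail -n 1)
    after=$(classify_kexec_load < "$2" | tail -n 1)
    echo "before=${before:-none} after=${after:-none}"
    [ "$before" = rejected ] && [ "$after" = loaded ] && return 1
    return 0
}

# Constructed sample logs, trimmed from the two sessions in the report.
write_samples() {
    cat > "$1/boot1.log" <<'EOF'
[  339.375817] kexec_file: kernel: 000000000915b573 kernel_size: 0xf85130
[  339.383018] Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
EOF
    cat > "$1/boot2.log" <<'EOF'
[   44.654152] kexec_file: kernel: 000000009fc3b80c kernel_size: 0xf85130
[   44.774975] kexec_file: nr_segments = 4
[   44.818682] kexec_file: kexec_file_load: type:0, start:0x0 head:0x9c2a002 flags:0x8
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
enforcement_persists "$dir/boot1.log" "$dir/boot2.log" ||
    echo "FAIL: unsigned image rejected before reboot but loaded after it"
```
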
