Date: Thu, 11 Jan 2018 13:02:56 +0100
From: Jiri Bohac
To: David Howells
Cc: linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, jforbes@redhat.com, Chun-Yi Lee
Subject: [PATCH 08b/30] kexec_file: Restrict at runtime if the kernel is locked down
Message-ID: <20180111120256.oymjgfbndbofasp5@dwarf.suse.cz>
In-Reply-To: <20180111115915.dejachty3l7fwpmf@dwarf.suse.cz>

When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through kexec_file system call if the kernel is locked down unless IMA can be used to validate the image.

Signed-off-by: Jiri Bohac

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c 
@@ -144,7 +144,13 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, pr_debug("kernel signature verification successful.\n"); #endif - if (sig_err && IS_ENABLED(CONFIG_KEXEC_SIG_FORCE)) { + /* Don't permit images to be loaded into trusted kernels without + * a valid signature on them + */ + if (sig_err && + (IS_ENABLED(CONFIG_KEXEC_SIG_FORCE) || + (!is_ima_appraise_enabled() && + kernel_is_locked_down("kexec of unsigned images")))) { ret = sig_err; goto out; } -- Jiri Bohac SUSE Labs, Prague, Czechia
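
Review bot: In the new condition, !is_ima_appraise_enabled() is called with no reference to the image being loaded, so on a locked-down kernel with IMA appraisal switched on, an image that arrives here with sig_err set is accepted whether or not IMA actually appraised this file. The commit message says loading should be refused "unless IMA can be used to validate the image"; I would tie the exemption to the appraisal result for this kernel_fd, or at least state in the comment that the IMA policy must cover kexec images, rather than rely on the global switch. The hunk also does not show what sig_err holds when the #ifdef block ending just above is compiled out, which is the configuration the commit message targets; please confirm it is non-zero there, otherwise the lockdown branch is never reached. Minor style point: the block comment starts its text on the opening /* line.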